agenttesla | 3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nueva Orden.xls
Size

391KB
MD5

20d7b7e70ea53065f8f5cbf5f2abde62
SHA1

1574428c29f993ba3efa4dca4d7e493cd15bf605
SHA256

3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702
SHA512

021e165fbb621b8da8d3d2a2b9dea95910c37803dd865f0cb600a837fa1400249d393f7cf1fb2e97872e1eb1c54e157138206ce07c340c9dd375767da55bf41e
SSDEEP

12288:UOergqKjij4a3DjM1+UT3A/6IGsIHOgEnVu:UOeDEezjs+UUSnHwn

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
kFxADjwNBm$_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

11 1884 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

wlanext.exe

pid process

1348 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1884 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
11	1884	EQNEDT32.EXE

pid	process
1884	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1884 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1884	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1980 EXCEL.EXE

pid	process
1980	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

wlanext.exe

pid	process
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe
1348	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1348 wlanext.exe
Token: SeShutdownPrivilege 3036 WINWORD.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1980 EXCEL.EXE
1980 EXCEL.EXE
1980 EXCEL.EXE
3036 WINWORD.EXE
3036 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1348	wlanext.exe
Token: SeShutdownPrivilege	3036	WINWORD.EXE

pid	process
1980	EXCEL.EXE
1980	EXCEL.EXE
1980	EXCEL.EXE
3036	WINWORD.EXE
3036	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXE

description	pid	process	target process
PID 1884 wrote to memory of 1348	1884	EQNEDT32.EXE	wlanext.exe
PID 1884 wrote to memory of 1348	1884	EQNEDT32.EXE	wlanext.exe
PID 1884 wrote to memory of 1348	1884	EQNEDT32.EXE	wlanext.exe
PID 1884 wrote to memory of 1348	1884	EQNEDT32.EXE	wlanext.exe
PID 3036 wrote to memory of 548	3036	WINWORD.EXE	splwow64.exe
PID 3036 wrote to memory of 548	3036	WINWORD.EXE	splwow64.exe
PID 3036 wrote to memory of 548	3036	WINWORD.EXE	splwow64.exe
PID 3036 wrote to memory of 548	3036	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

outlook_win_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Nueva Orden.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:548

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{157A8355-96A3-428F-A213-37F44000A2B4}.FSD

Filesize
128KB

MD5
fedcea74742be831e56ea1c2d9241d0d

SHA1
ee87991a1aa9ce05fc2b4be61c1565230dbf248b

SHA256
50f558d444fe2bde453fe782064a154b192be0d5adf6e2f630cf04db89b8170b

SHA512
8396e40a419c651d76d3ada3a4e338dac8274b1a5f17dd2ad04deff1f884dc78b2334bf14fad95c07affc89f14be8c22ebc751c80c43839c6281b61314718230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
540d1cab00e4845c878d0b390417c88c

SHA1
aa22d8bd53e8aebfbc1b8a11d303fe67d3585e32

SHA256
d55f22ab63863b50fbc992230648b2e1e80cc807b866efdbeeea8fb13962e03e

SHA512
146933956ba907c0cb0bb8d02ae850345683bfdc5a16da3dd0290bb7bd1a88e29b51dbb0b505546ab23c54e8696667fb6e729cf732bca80bcee1d4805abb7bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{CA74A3A2-52CC-404B-894C-C4601DA7A576}.FSD

Filesize
128KB

MD5
cacb100fc8b67186618bb11405c9a9ec

SHA1
79f9ba18a1740d65ca766aededc36b63997bf8b1

SHA256
b05d73aa07f1a666ca3348982dc1eaf1c2193bd2f872a990d59aba3458acf8fb

SHA512
ada70b0102a4f22f8913d9c6c0bd2d210de3016e5b558197ff68fb665a4a248cabd9d9fc75445b011acd073d1682170c768a072ecaf237d73226d302a54b1ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\newmicrosoftunderstandhowimportanttodeletehistorycookiecacheeverythingfromthepc[1].doc

Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31D4F867.doc

Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3F48982D-3005-44A3-B331-C1A8620F59EE}

Filesize
128KB

MD5
bede6e8343cba863e6ec465ab8c9942a

SHA1
96bbc5a138898a3d754e662a332d711ac5bee228

SHA256
90390be261839fdf7913d9cba381af11f6f1ec4d7049cd09dfaa3bbf643c4f15

SHA512
e6a00beaca24af1a69f549589b0405aaa79e84a278e4a0936cd705e781521afadb5078a210be59498c2ad8b91695569daf9c84c896e3a12b52597bf8a6954f0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
fde92eee8f020c30e8c59520845e5a84

SHA1
5da7efcbdfdf3a08489fc6d5919abeb39ef37535

SHA256
ec2c99cfb051bcd8108697ca35516417318a05599ef2a733b7424969058ce54f

SHA512
7372ad4fbd96cf98bfba08409a1acb9236177aa0359bfd9f5e904bca06dd6e008021f5b4d49b243ba0f1122f4b6ca6b8bcb6da033bf266f5346242dfeba077ec

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
736KB

MD5
ba7f6ed989061e69011a716d3022a3c8

SHA1
81e901170a61f3e928955849a429fdc6682cb167

SHA256
e2ac44955525789a53bd78e1a5cc0051f83ec6356327a99d4c215a636ae3fbaa

SHA512
55e913dc78e2d4f9be1473a8ce018132fd88ed5a5085a6016f6e96f6e3d3ed262b95fe0f46c1422bac488a4ef32dfbf26ced722029a6a430bbcbc331f4059909

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
736KB

MD5
ba7f6ed989061e69011a716d3022a3c8

SHA1
81e901170a61f3e928955849a429fdc6682cb167

SHA256
e2ac44955525789a53bd78e1a5cc0051f83ec6356327a99d4c215a636ae3fbaa

SHA512
55e913dc78e2d4f9be1473a8ce018132fd88ed5a5085a6016f6e96f6e3d3ed262b95fe0f46c1422bac488a4ef32dfbf26ced722029a6a430bbcbc331f4059909

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
736KB

MD5
ba7f6ed989061e69011a716d3022a3c8

SHA1
81e901170a61f3e928955849a429fdc6682cb167

SHA256
e2ac44955525789a53bd78e1a5cc0051f83ec6356327a99d4c215a636ae3fbaa

SHA512
55e913dc78e2d4f9be1473a8ce018132fd88ed5a5085a6016f6e96f6e3d3ed262b95fe0f46c1422bac488a4ef32dfbf26ced722029a6a430bbcbc331f4059909

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
736KB

MD5
ba7f6ed989061e69011a716d3022a3c8

SHA1
81e901170a61f3e928955849a429fdc6682cb167

SHA256
e2ac44955525789a53bd78e1a5cc0051f83ec6356327a99d4c215a636ae3fbaa

SHA512
55e913dc78e2d4f9be1473a8ce018132fd88ed5a5085a6016f6e96f6e3d3ed262b95fe0f46c1422bac488a4ef32dfbf26ced722029a6a430bbcbc331f4059909

Download Submit
memory/1348-97-0x000000006A530000-0x000000006AC1E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-103-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1348-108-0x0000000007280000-0x00000000072C0000-memory.dmp

Filesize
256KB

Download
memory/1348-107-0x000000006A530000-0x000000006AC1E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-106-0x0000000004580000-0x00000000045C2000-memory.dmp

Filesize
264KB

Download
memory/1348-105-0x00000000078C0000-0x000000000793E000-memory.dmp

Filesize
504KB

Download
memory/1348-96-0x0000000000EA0000-0x0000000000F5E000-memory.dmp

Filesize
760KB

Download
memory/1348-99-0x0000000007280000-0x00000000072C0000-memory.dmp

Filesize
256KB

Download
memory/1348-100-0x0000000000530000-0x000000000054A000-memory.dmp

Filesize
104KB

Download
memory/1348-104-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1980-8-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/1980-101-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/1980-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-1-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/1980-135-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/3036-102-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/3036-3-0x000000002F7E1000-0x000000002F7E2000-memory.dmp

Filesize
4KB

Download
memory/3036-5-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/3036-7-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/3036-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3036-132-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download