Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system -
submitted
07/12/2023, 19:23
Static task
static1
Behavioral task
behavioral1
Sample
4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls
Resource
win10v2004-20231130-en
General
-
Target
4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls
-
Size
391KB
-
MD5
5ea33b2a54dd29dc6d5a3b049dc8a2d1
-
SHA1
5bc312ad946e5fe8258d6c4669b3fad66ae4fa3b
-
SHA256
4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406
-
SHA512
2ca5a6b3792c9a70e8fc025c10a451a2972a9edc2869145d4a0a508fb4c8251c130d2f54fef11acf5c6f94de344782989055301b3c8dcbeaa43b9cd9e24cc32e
-
SSDEEP
12288:+OeGxSqKjij4a3DjM/In2zyojn1v3UICbk:+OeGxBEezj8In5oD1v12
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.elquijotebanquetes.com - Port:
21 - Username:
[email protected] - Password:
q.15SE~j1@};
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 9 2100 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
pid Process 1860 wlanext.exe -
Loads dropped DLL 2 IoCs
pid Process 2100 EQNEDT32.EXE 1860 wlanext.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2868 msbuild.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1860 wlanext.exe 2868 msbuild.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1860 set thread context of 2868 1860 wlanext.exe 35 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\victorianerne\censorial\statuetternes\indgrebskriterium\sljfningers.ini wlanext.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\megarhyssa\Bromometry\allerpopulreste\Croissanter.ini wlanext.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2100 EQNEDT32.EXE -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1728 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2868 msbuild.exe 2868 msbuild.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1860 wlanext.exe 1860 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2868 msbuild.exe Token: SeShutdownPrivilege 2908 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1728 EXCEL.EXE 1728 EXCEL.EXE 1728 EXCEL.EXE 2908 WINWORD.EXE 2908 WINWORD.EXE 1728 EXCEL.EXE 1728 EXCEL.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2100 wrote to memory of 1860 2100 EQNEDT32.EXE 31 PID 2100 wrote to memory of 1860 2100 EQNEDT32.EXE 31 PID 2100 wrote to memory of 1860 2100 EQNEDT32.EXE 31 PID 2100 wrote to memory of 1860 2100 EQNEDT32.EXE 31 PID 2908 wrote to memory of 1572 2908 WINWORD.EXE 32 PID 2908 wrote to memory of 1572 2908 WINWORD.EXE 32 PID 2908 wrote to memory of 1572 2908 WINWORD.EXE 32 PID 2908 wrote to memory of 1572 2908 WINWORD.EXE 32 PID 1860 wrote to memory of 2196 1860 wlanext.exe 34 PID 1860 wrote to memory of 2196 1860 wlanext.exe 34 PID 1860 wrote to memory of 2196 1860 wlanext.exe 34 PID 1860 wrote to memory of 2196 1860 wlanext.exe 34 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 PID 1860 wrote to memory of 2868 1860 wlanext.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4fe755c27dc035254521204ace429e7d2229d51a503bba1678c035d0138cd406xlsx.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1728
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1572
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"3⤵PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2868
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{67D3C23A-F1E6-4FDA-BA3C-40A000C9215C}.FSD
Filesize128KB
MD543935fda99e992c1690c30e119625306
SHA17e8f530c999e6b89ef0cf8460b094a6a7c5f409e
SHA2568cde0c56fcf5689a5d2efc760c269da8b3a60b1c25d775fd3b5c7c03fe5781c7
SHA512fb8a3833c4229042a1448e9af593630140c41e7c261bdca24ea2c3aa8ab771580ba0fda94a7dc1139aff5f6bd85fa0ef589c50a715659548bd6e78c82f7cd545
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5bdb76e0625081d46cb163cf14cfd42bf
SHA18ec03b40753ebf6830d79b900d9888820e31c5d4
SHA25640997d7c5b7ceb38d7a741933072a038c5fb27ad1135089741c7da2be8438bbf
SHA51242054080d4f400be9996b8385e7fe6b4d2fb584705e90164b5dfef1afeb51503abf1ba955a9907d1c646b9f6915ac522620fa71b4e48c9a6cf4ef92158dd20fe
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B8E0541E-E8A1-467C-90A2-3FF6E3C172EA}.FSD
Filesize128KB
MD56e14f90c20f9b2dde9bdf4c86bcb692b
SHA140fc9340b21b14ba964f5c825a862eea58bcb35c
SHA2562e7320cf4af9b357748db73c1b014eb89e47b6a24603cb28be84ddade2dd8c89
SHA512443a89e91c266ec5582e4e37b188b925c87bab093ebd98d534c00e68fd824d8512eed7e0bfdd6706e7850876ecb616e1ad58415e163f2dc5eeed5188acc217de
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K7OQK7H1\microsoftdecidedtodeleteentirehistorycookiecacheeverthingfrmthepc[1].doc
Filesize60KB
MD57ecba32d658443197384b69d872d0bfb
SHA1173c9b6d2ca1ab6bc5986d2d6b6fe574966e70e8
SHA2563b73c78e78bd1c6ac43e6f7f4934353bf6c4c23b0b534ddd228d2fcc5b562f6d
SHA51249b7cc43b047f339c345e68904aa8a89e7bbc20fd17a8e7d7d81db9ba116bc905fc1ecc3c4c767fe8c014d04deec491130c4eb840af70e1d4c900fb9f9a9ad5a
-
Filesize
60KB
MD57ecba32d658443197384b69d872d0bfb
SHA1173c9b6d2ca1ab6bc5986d2d6b6fe574966e70e8
SHA2563b73c78e78bd1c6ac43e6f7f4934353bf6c4c23b0b534ddd228d2fcc5b562f6d
SHA51249b7cc43b047f339c345e68904aa8a89e7bbc20fd17a8e7d7d81db9ba116bc905fc1ecc3c4c767fe8c014d04deec491130c4eb840af70e1d4c900fb9f9a9ad5a
-
Filesize
128KB
MD565851e03b779074da85de8d70fe5a01c
SHA1dbff8abe5293b4cc11902a88d61dee19ad40e194
SHA2568bf9e033bf4539a382b5bdeea6366e5750c60488eae667efa3046aa75b15944d
SHA512be08c65e2dd8ca202261890eba8f1b9a1c093a507787ac2c469941c4c153aa75494aed327fdade2950764325c77889d8a345191a76231fa4fdf80e71e07255c2
-
Filesize
20KB
MD5743281fc8f0c923cc48287173285798e
SHA153b4f1609b08db9e88d8896b63948b433f213004
SHA256bb1edb1fbb00f0ebe9ee73614ceca48b2c20f7549986775cb1802f75790933c8
SHA51277bad5e932b30bb90f0bec80d4a48b0fb673e4947ebd2ca8dae1f13bc4e74265d4868f4a50759d5c665c05622957192d5c09a39582c85098f6a1b6f99169b902
-
Filesize
722KB
MD555506ae02311eedd9858ec8997238c53
SHA144d9cb2e85d368d17a2944f467cd28350e19fcaf
SHA256680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023
SHA512bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884
-
Filesize
722KB
MD555506ae02311eedd9858ec8997238c53
SHA144d9cb2e85d368d17a2944f467cd28350e19fcaf
SHA256680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023
SHA512bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884
-
Filesize
722KB
MD555506ae02311eedd9858ec8997238c53
SHA144d9cb2e85d368d17a2944f467cd28350e19fcaf
SHA256680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023
SHA512bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
722KB
MD555506ae02311eedd9858ec8997238c53
SHA144d9cb2e85d368d17a2944f467cd28350e19fcaf
SHA256680004deb5259f23ea4e2ad1c34a57bb6f12ee64391f0e7ffde1b2b56453a023
SHA512bbe30faa0df82d575006bcff27d97e03b6600c289b30ed13da5c2d09971f147abd0d346a1c9f2177637a1beae55cee7ef835654213b52b50c8a595dd153a8884