agenttesla | 305c387f84962d7861c41d3d63d4565940b46aacbe7223ba29a4e99a5621bddc

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305c387f84962d7861c41d3d63d4565940b46aacbe7223ba29a4e99a5621bddc.docx
Size

16KB
MD5

e530003ea1dd6d6e046a47d4468837db
SHA1

a7fad286c9905440990b931024b54657a76adbc2
SHA256

305c387f84962d7861c41d3d63d4565940b46aacbe7223ba29a4e99a5621bddc
SHA512

2686294daaa3067f515ff08205083f5b8643122b3d1f7602ddc22023a42b7725cfd71142e1471f736475c48244b4276b5e840ae22fbe729ab632bb191b186435
SSDEEP

384:ByXtwI6W9s8PL8wi4OEwH8TIbE91r2fR7JYMviDj32Tlt:BctAa5P3DOqnYJNRvej32Rt

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2964	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2288	obich2394619.exe
528	obich2394619.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	EQNEDT32.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org
12	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 528	2288	obich2394619.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2964	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1128	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
528	obich2394619.exe
528	obich2394619.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	obich2394619.exe
Token: SeShutdownPrivilege	1128	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	WINWORD.EXE
1128	WINWORD.EXE
528	obich2394619.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2288	2964	EQNEDT32.EXE	30
PID 2964 wrote to memory of 2288	2964	EQNEDT32.EXE	30
PID 2964 wrote to memory of 2288	2964	EQNEDT32.EXE	30
PID 2964 wrote to memory of 2288	2964	EQNEDT32.EXE	30
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 2288 wrote to memory of 528	2288	obich2394619.exe	33
PID 1128 wrote to memory of 2056	1128	WINWORD.EXE	35
PID 1128 wrote to memory of 2056	1128	WINWORD.EXE	35
PID 1128 wrote to memory of 2056	1128	WINWORD.EXE	35
PID 1128 wrote to memory of 2056	1128	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\305c387f84962d7861c41d3d63d4565940b46aacbe7223ba29a4e99a5621bddc.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2056

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\obich2394619.exe
  "C:\Users\Admin\AppData\Roaming\obich2394619.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Roaming\obich2394619.exe
    "C:\Users\Admin\AppData\Roaming\obich2394619.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{66944BB9-A183-4D3B-9AA1-028C080EBE73}.FSD

Filesize
128KB

MD5
b6383c19d64e393e565c94e643eb8695

SHA1
4862463f90e6e17c446a71296b6a32551fbcc3e5

SHA256
9152c3cea959f09001668ec01d748dc6a5afdb2a31e40838a19b7d2651fc5ff5

SHA512
c56a409e001f2d100815cd0d199e67ce9f1bf560b7fc91dbd47b948476ad9b39c62e9796933f96c681aca4807ed3d54231a0856926306b3305c99b3140ccd189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
d46632c3df08127d817b925e805961ad

SHA1
81216f08676c5eb3b47303d167469722abf41cbd

SHA256
8eb807e8a38fa881f7b2d02f65d0c6f278b692c6f01a36bcb7e9ce6d08b2f1c9

SHA512
c9c45caa9b652f6303d9c5725921a22cc5398402530fe8436f7a6727e63e3c9b9cc33e31bd161aa193a40aaad08fd3adf7d00b332f9a12bbdd1f2bdacacafb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1E507B01-4367-4697-B1EC-2BF50EEBC7B1}.FSD

Filesize
128KB

MD5
ded44e2465e68734bd2cc5cdfb1ca196

SHA1
ce57e2beb96344bd6e0280873484de563b75a4e8

SHA256
58dd2c8d30053f82a4a47b0e95e92641adc7eea7406757a20150c70496d5b6fd

SHA512
6b2944d79b25b88ad40d06272ffaa2940d03ec411991bdceddcd9ad48edd28aa5783585cfee312c9a9e41dc67f8dea0e413303388860bc20b431eae3f2a5f12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\obizx[1].doc

Filesize
245KB

MD5
bbe4487cdb60e2489e3b816ca308a13d

SHA1
d2852cc476f324c63f1e7daece79d6e4c7539a54

SHA256
6fd4fdc6c62743bc1d58364976da63cf140b6f92ae1769034c84094aa680f087

SHA512
2aef2e3e4d07346d3e051d0882414c536fbdb562158a59ae123cb01aa76197de8018c4faf1ee6d9ad45e0e30ab6c19b4af71cf84a476a2d7306fd46ed759a326

Download Submit
C:\Users\Admin\AppData\Local\Temp\{043B1BB2-33AC-4BF3-8F14-2CA5463A7CFD}

Filesize
128KB

MD5
5ff310b6ae6cd93c346bc0ed8f240dc0

SHA1
1cce1c9547316369041da7cd2978b1a84f899db4

SHA256
ba9b936697a009c8af8cd9ca9e4032105b0fcac1b8cef2a9dd95da18ac257fd5

SHA512
41e1489915be6c70cb52513b625173d0bd9f7df733293f36a1dbf64c242ce442d950631d4449bc5b67c80666bc29d30fd98e43c3a5e7742e3fa7ec13536242e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
e08c9192bd2fac29d7cecdbd3ff75802

SHA1
4688ff1676fa22b774edee00d35dbb213aa7a28c

SHA256
7437829deedcb6b5f9d2c67fc26191fb142ab19eef958793867c2ef92651d2ae

SHA512
6b75462dfbf2402a19eb9b67624d3ac47f2e32aacf0c542b22334badf936a24f1e34173eb56fb673100f33e9c2a83c18b5474545ca9f72068c404f83ff35cfb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obich2394619.exe

Filesize
658KB

MD5
37d15999173d91a0a29db83c6962912d

SHA1
1100641ebfc52ecd245d9fd303074f8051dc8ac7

SHA256
2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

SHA512
32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

Download Submit
C:\Users\Admin\AppData\Roaming\obich2394619.exe

Filesize
658KB

MD5
37d15999173d91a0a29db83c6962912d

SHA1
1100641ebfc52ecd245d9fd303074f8051dc8ac7

SHA256
2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

SHA512
32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

Download Submit
C:\Users\Admin\AppData\Roaming\obich2394619.exe

Filesize
658KB

MD5
37d15999173d91a0a29db83c6962912d

SHA1
1100641ebfc52ecd245d9fd303074f8051dc8ac7

SHA256
2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

SHA512
32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

Download Submit
C:\Users\Admin\AppData\Roaming\obich2394619.exe

Filesize
658KB

MD5
37d15999173d91a0a29db83c6962912d

SHA1
1100641ebfc52ecd245d9fd303074f8051dc8ac7

SHA256
2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

SHA512
32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

Download Submit
\Users\Admin\AppData\Roaming\obich2394619.exe

Filesize
658KB

MD5
37d15999173d91a0a29db83c6962912d

SHA1
1100641ebfc52ecd245d9fd303074f8051dc8ac7

SHA256
2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

SHA512
32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

Download Submit
memory/528-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/528-132-0x0000000069F20000-0x000000006A60E000-memory.dmp

Filesize
6.9MB

Download
memory/528-135-0x00000000011E0000-0x0000000001220000-memory.dmp

Filesize
256KB

Download
memory/528-134-0x0000000069F20000-0x000000006A60E000-memory.dmp

Filesize
6.9MB

Download
memory/528-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-113-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/1128-160-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/1128-159-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1128-0-0x000000002FAE1000-0x000000002FAE2000-memory.dmp

Filesize
4KB

Download
memory/1128-2-0x000000007125D000-0x0000000071268000-memory.dmp

Filesize
44KB

Download
memory/1128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2288-114-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2288-95-0x00000000012A0000-0x000000000134A000-memory.dmp

Filesize
680KB

Download
memory/2288-97-0x000000006AAF0000-0x000000006B1DE000-memory.dmp

Filesize
6.9MB

Download
memory/2288-103-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2288-98-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2288-128-0x000000006AAF0000-0x000000006B1DE000-memory.dmp

Filesize
6.9MB

Download
memory/2288-115-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2288-116-0x00000000048B0000-0x000000000492E000-memory.dmp

Filesize
504KB

Download