agenttesla | 02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_Copy.xls
Size

392KB
MD5

c53132c26ed5a87968bd23ff41c485ba
SHA1

01b1a3c676dbc370fb1916ef17f9bb0309d5b966
SHA256

02e273a2f40b1a10f15b08d4dee9356f778a82ee48dc9bad878fb4d789d01431
SHA512

5a09beb5a19c3be45f22e3e7e5e88fbabca1790ede5f38867d1976ce9017ca670797ae8c180666b0e4332803f01e3219f70727915f71507b5bf350f66d17d304
SSDEEP

6144:Cn1m9kdb/PpeZHVl3S4qQygZpuUXI+FzkEM3Kajs5yiIIrjj5vQDwMm4EHnO:COeDuni5XgZTI+eEuKGiIIryDLm42

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.experthvac.ro
Port:
21
Username:
[email protected]
Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 1864 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

wlanext.exe

pid process

1848 wlanext.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1864 EQNEDT32.EXE
1864 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
9	1864	EQNEDT32.EXE

pid	process
1848	wlanext.exe

pid	process
1864	EQNEDT32.EXE
1864	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 1848 set thread context of 1440 1848 wlanext.exe RegAsm.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1864 EQNEDT32.EXE

description	pid	process	target process
PID 1848 set thread context of 1440	1848	wlanext.exe	RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1864	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1456 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wlanext.exe

pid process

1848 wlanext.exe
1848 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wlanext.exeRegAsm.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1848 wlanext.exe
Token: SeDebugPrivilege 1440 RegAsm.exe
Token: SeShutdownPrivilege 2272 WINWORD.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1456 EXCEL.EXE
1456 EXCEL.EXE
1456 EXCEL.EXE
2272 WINWORD.EXE
2272 WINWORD.EXE

pid	process
1456	EXCEL.EXE

pid	process
1848	wlanext.exe
1848	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1848	wlanext.exe
Token: SeDebugPrivilege	1440	RegAsm.exe
Token: SeShutdownPrivilege	2272	WINWORD.EXE

pid	process
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
2272	WINWORD.EXE
2272	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 1864 wrote to memory of 1848	1864	EQNEDT32.EXE	wlanext.exe
PID 1864 wrote to memory of 1848	1864	EQNEDT32.EXE	wlanext.exe
PID 1864 wrote to memory of 1848	1864	EQNEDT32.EXE	wlanext.exe
PID 1864 wrote to memory of 1848	1864	EQNEDT32.EXE	wlanext.exe
PID 2272 wrote to memory of 1592	2272	WINWORD.EXE	splwow64.exe
PID 2272 wrote to memory of 1592	2272	WINWORD.EXE	splwow64.exe
PID 2272 wrote to memory of 1592	2272	WINWORD.EXE	splwow64.exe
PID 2272 wrote to memory of 1592	2272	WINWORD.EXE	splwow64.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe
PID 1848 wrote to memory of 1440	1848	wlanext.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_Copy.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1592

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
505ebcda9f248e44e565c4c53127cce3

SHA1
676a6f9c74efd2e2eb54fcd4f19199aa177aaf5f

SHA256
504b5aa6d5213f6ad3b1aabd85bc545a6a0e38ee80e1f92329200a96a94ba078

SHA512
635711b7c04075f9e1b1424261f96af9638ab3a71fedb26c1e88cc114fe2bb1ef14d737b8ae864cc103036c6b58b29a220cb4279135e412eb4ad2471f88641fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{137827F9-7D53-4706-B5C9-A3D51D05BA85}.FSD

Filesize
128KB

MD5
cfff3b8743119550253b3a68b866c582

SHA1
73fce0b9cc032331b779213cbb771e6a6eca17b5

SHA256
4e1c9beb0cfb34e30e76ca1b899232a1941cd00003c403b9424d2323578180e3

SHA512
1d66c2c55fe86c316b84f853316ba0dbe597b7e36786afbbb7badf30761287449533efcc97b4fd31534f8e91b8e443eebada3f0752f5b531d718651933119e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
89602184cfaa2fc670906adcf551ad4c

SHA1
1b7e74096063388bc96be315938463a82742a905

SHA256
8a7824f0902abf27c4c4702892d79798b97044db04ee22e9b8c7eda46e57425a

SHA512
5889e679c66a1a4571c743c21f5634163a63d63ee29002ffa379f4986946574d9b3a003e9b8f280d965820a550a6333f20f315ce2a050c69003c26d4922f5649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FF90E9A6-56E1-4922-98F7-9B8D0F7213F4}.FSD

Filesize
128KB

MD5
3617a650ba3d8813c4552e20579ef628

SHA1
3aba1d2b905b86397616496e45dd3b65874887e5

SHA256
4f0bb0a938a3dc799ab971730cd14c04d715361b6fcb69804baacb6b95ccc374

SHA512
395c22bb124d0e9f40d036822e52b06093c5e34b0214c1da8ec462fb698e43ce86a69883ac9158e0071dac510c91ce532b0bf99e489dc51998207d345b794b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K7OQK7H1\Microsoftdecidedtodeleteentirehistorycachecookieeverythingfromthepc[1].doc

Filesize
68KB

MD5
2163e4abe634b604518567a27c2b57cd

SHA1
5ce02ec2b65a3771777e58879d30dd8d6fc92a79

SHA256
f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e

SHA512
44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A81888C3.doc

Filesize
68KB

MD5
2163e4abe634b604518567a27c2b57cd

SHA1
5ce02ec2b65a3771777e58879d30dd8d6fc92a79

SHA256
f997d796da5616a7f6b3c4affbe516c5995de5e24a13c3fad56e51f1e554c78e

SHA512
44e2d44d41be24f93c9a828330ac83de4cab387ae916fa4cc91313dfbf2906dd0a375580d4c5e3bb0b02720e0b2920a0cbcf0d7e21516ce5f62b80cb24af7370

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5301BB6B-DB36-47CB-B83A-0EE652ABFE54}

Filesize
128KB

MD5
63c616972a3280aa0352d56f06b520f7

SHA1
f32a535ae0e2dbe710c1b9c997ffb54d263441fc

SHA256
34308834fb655c9e00e74e47cd5900da1501aa13a216048e01701949a9ae22ec

SHA512
20c603071c4617714dd4220586f3e29d4c6038fb10d3ee4a5af3f2f2f2aa1ecd780d72a3a8f1fd945f143461999c471ab77d8ed46ed8ad073f54817bb1f8217d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c68f01617c09c09a23eeccb2833dbba8

SHA1
abe4c7953c270f8ff3fe5f0780f2659dd352e450

SHA256
471460c3edf0459d6681a64321a9878b4a138bee924c50d74554334438bf385a

SHA512
8d984a2513397ae30539dcc282ce0e0c7ff23efd0ccc17a004630f97a6511889a965806ef3a99af80c74a2ad687d247300f2918635ef1b885eb00b2507fd6981

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
memory/1440-114-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-110-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-123-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-120-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-118-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1440-115-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1440-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1456-1-0x00000000721DD000-0x00000000721E8000-memory.dmp

Filesize
44KB

Download
memory/1456-8-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/1456-104-0x00000000721DD000-0x00000000721E8000-memory.dmp

Filesize
44KB

Download
memory/1456-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1848-102-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1848-100-0x000000006A5E0000-0x000000006ACCE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-109-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/1848-107-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1848-106-0x000000006A5E0000-0x000000006ACCE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-121-0x000000006A5E0000-0x000000006ACCE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-103-0x0000000004210000-0x0000000004254000-memory.dmp

Filesize
272KB

Download
memory/1848-108-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/1848-99-0x0000000000800000-0x00000000008D4000-memory.dmp

Filesize
848KB

Download
memory/2272-3-0x000000002FEF1000-0x000000002FEF2000-memory.dmp

Filesize
4KB

Download
memory/2272-105-0x00000000721DD000-0x00000000721E8000-memory.dmp

Filesize
44KB

Download
memory/2272-5-0x00000000721DD000-0x00000000721E8000-memory.dmp

Filesize
44KB

Download
memory/2272-7-0x0000000004590000-0x0000000004592000-memory.dmp

Filesize
8KB

Download
memory/2272-145-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2272-146-0x00000000721DD000-0x00000000721E8000-memory.dmp

Filesize
44KB

Download