Analysis
-
max time kernel
144s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 15:33
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Heur.25589.9954.xls
Resource
win7-20231215-en
General
-
Target
SecuriteInfo.com.Heur.25589.9954.xls
-
Size
275KB
-
MD5
e108b870cba8e39e516076ca3989372b
-
SHA1
439fd0bdcf0319994f9b91f28d4f2b2a5bde0874
-
SHA256
69f40c2f6a4540550f934e0b2f9a354629d3835b30fd13293c2f6a6b97202159
-
SHA512
710235888d211b49f89d97d2cd32a7ac47922cbe421a3eb0fbb7f50a2b5f2e46236a6b64843cf29e6163c32798b48f46b6e1fca318f8cfc04045f00bf30d244a
-
SSDEEP
6144:5kunhVY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVLOMI2n1WbMS5Fuhix2c:5tC3bVLOMIg9Y
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.kabeercommodities.com - Port:
587 - Username:
[email protected] - Password:
w{A6H.o&sz%g - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 9 2564 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 3 IoCs
Processes:
conhost.execonhost.execonhost.exepid process 1952 conhost.exe 2872 conhost.exe 2824 conhost.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 2564 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 api.ipify.org 11 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exedescription pid process target process PID 1952 set thread context of 2824 1952 conhost.exe conhost.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1384 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
conhost.execonhost.exepid process 1952 conhost.exe 1952 conhost.exe 2824 conhost.exe 2824 conhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
conhost.execonhost.exedescription pid process Token: SeDebugPrivilege 1952 conhost.exe Token: SeDebugPrivilege 2824 conhost.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 1384 EXCEL.EXE 1384 EXCEL.EXE 1384 EXCEL.EXE 624 WINWORD.EXE 624 WINWORD.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEconhost.exedescription pid process target process PID 2564 wrote to memory of 1952 2564 EQNEDT32.EXE conhost.exe PID 2564 wrote to memory of 1952 2564 EQNEDT32.EXE conhost.exe PID 2564 wrote to memory of 1952 2564 EQNEDT32.EXE conhost.exe PID 2564 wrote to memory of 1952 2564 EQNEDT32.EXE conhost.exe PID 624 wrote to memory of 2152 624 WINWORD.EXE splwow64.exe PID 624 wrote to memory of 2152 624 WINWORD.EXE splwow64.exe PID 624 wrote to memory of 2152 624 WINWORD.EXE splwow64.exe PID 624 wrote to memory of 2152 624 WINWORD.EXE splwow64.exe PID 1952 wrote to memory of 2872 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2872 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2872 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2872 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe PID 1952 wrote to memory of 2824 1952 conhost.exe conhost.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25589.9954.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1384
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2152
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Executes dropped EXE
PID:2872 -
C:\Users\Admin\AppData\Roaming\conhost.exe"C:\Users\Admin\AppData\Roaming\conhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F2010D12-7FC2-4A2F-B4FF-82D2A6A88FC0}.FSDFilesize
128KB
MD58661887cf3224a5cd6c5b27db4962074
SHA1b263fc6b27bd5997e7417cd41080af3383df2e74
SHA25614ac30d9e825699a6e64c7c8941aa0bf1220e90b45353dbcae8a1644614bec83
SHA512c8e5d4f1035595dd63b90b78c89c375234ad7a263a3ec6eef18fd587d25fdf61878fd5ed0ed926c821cb915740d7d8eff823697a474a2f580d6c2face1087b77
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5953fc6ce2ba430e5233df46b3b776532
SHA109ec10103af8dc0462e6a257892ba44aca945081
SHA256c0c7bb2db07797cae2bd56204c94ed70249c3a1bc94ecfa3848061d8b754b5c4
SHA512eab7984e06709b3c64dbf8d3598cc15bda0ffb2448cd7865f464be5922a954073479bc79700bd4627b7e760551d7b629def6c8b333015d4529c74f6e1acf1e93
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JIH1AB02\vnextofficeupdationwaitingfortheentireprocesstocompleteandimprovethethecnonologyfornew[1].docFilesize
65KB
MD5869dc88123916a7193c56809db6b5e97
SHA1fb285a3be57ea12e4884152c9542dbcc4b3d1b6d
SHA256d144a111d023b667aa6a2f56af76323943ae9553b6629afe91131dfd2d5f2e0b
SHA51267bd25e403c355090ad1db59f9f15426595c7c70ab77d85cb3678bfac5c939f4a3f72d6caf713dd2ca8f2df4f8f908f190940c2035afd5efbf9e6916f52f2081
-
C:\Users\Admin\AppData\Local\Temp\{85F137EE-3AA7-4F9F-96D0-DAAB50FCE847}Filesize
128KB
MD5e15056751e28099c973e99726e777ba0
SHA1e6db22a4963f034e16b6d2af026fa3d786a1f93c
SHA25665238512e04de3bfa5a7462c7218d5b99fbe98362005ef87ebe27f5a59fd0a4b
SHA512352df54322af21b42999bd0fb8b0fe9fc3630dfa1192d74940eb685900afa0327bf464925f2974c2aafe94e95fe79da44cf1ef1166d9f8e12ac8b52bf0ab88fc
-
C:\Users\Admin\AppData\Roaming\conhost.exeFilesize
504KB
MD57f197736d08b01265597a9df15ebb346
SHA1506cd0b4b2a2171bd775c865bcaa18f850a8b2d9
SHA256f9b87bfdd0157482c04d254b505d38b7223f421bcc3427ba99de9f583d6faa77
SHA512d6dfe9c232cffaeb09061437e419cb96a3eab7c0666878e64243378e5e89d7fb42f4e942b19a429d4ab6b7bca80a038daa7662df1aa051b9a5fb723daf443c74
-
C:\Users\Admin\AppData\Roaming\conhost.exeFilesize
610KB
MD5b90adcc386503d5864f6df6bfaa3409b
SHA123bc57deb41d02b582a5ae03d8e94a5732b0f959
SHA25624b2c5278a4d80c22994b4d9727293aa6641ae9947f7ed522b7b5f44fa1f7a63
SHA512b2a2264d2ec247b2cebe94469bd5fdda87fd257222643fa5321686a99df12657fe86f87e7333f75c0c654cdc1fd0817c79909f6bfa407692d2a577a4c6b9e4cb
-
memory/624-9-0x0000000004090000-0x0000000004092000-memory.dmpFilesize
8KB
-
memory/624-7-0x0000000071FCD000-0x0000000071FD8000-memory.dmpFilesize
44KB
-
memory/624-5-0x000000002F561000-0x000000002F562000-memory.dmpFilesize
4KB
-
memory/624-107-0x0000000071FCD000-0x0000000071FD8000-memory.dmpFilesize
44KB
-
memory/1384-10-0x0000000002470000-0x0000000002472000-memory.dmpFilesize
8KB
-
memory/1384-103-0x0000000071FCD000-0x0000000071FD8000-memory.dmpFilesize
44KB
-
memory/1384-0-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1384-1-0x0000000071FCD000-0x0000000071FD8000-memory.dmpFilesize
44KB
-
memory/1952-104-0x00000000004C0000-0x00000000004C8000-memory.dmpFilesize
32KB
-
memory/1952-102-0x0000000000450000-0x0000000000468000-memory.dmpFilesize
96KB
-
memory/1952-101-0x0000000000820000-0x0000000000860000-memory.dmpFilesize
256KB
-
memory/1952-105-0x0000000000800000-0x000000000080C000-memory.dmpFilesize
48KB
-
memory/1952-106-0x0000000005380000-0x00000000053FA000-memory.dmpFilesize
488KB
-
memory/1952-99-0x000000006A3D0000-0x000000006AABE000-memory.dmpFilesize
6.9MB
-
memory/1952-122-0x000000006A3D0000-0x000000006AABE000-memory.dmpFilesize
6.9MB
-
memory/1952-98-0x0000000000860000-0x00000000008FE000-memory.dmpFilesize
632KB
-
memory/2824-113-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2824-121-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-119-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-111-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-116-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-112-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-123-0x000000006A3D0000-0x000000006AABE000-memory.dmpFilesize
6.9MB
-
memory/2824-124-0x0000000004950000-0x0000000004990000-memory.dmpFilesize
256KB
-
memory/2824-109-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2824-125-0x000000006A3D0000-0x000000006AABE000-memory.dmpFilesize
6.9MB
-
memory/2824-126-0x0000000004950000-0x0000000004990000-memory.dmpFilesize
256KB