agenttesla | e8fac55896700a6e6505cc1b8d4f98570358c0a1275564d587845cfb5ec47068

General

Target

New Order 3118.rtf
Size

3KB
MD5

99a565b1df705062e82bd4d7587c2959
SHA1

1817b3ef54cf96f71bbb581ef21c37c820c125f0
SHA256

e8fac55896700a6e6505cc1b8d4f98570358c0a1275564d587845cfb5ec47068
SHA512

6893bb6540e7c92cb2d39dae83dd7e16a5ed0cc8bc468e13d65dc1a4e5b909bc9a249b306323167a986ee199b6ff6a9d444b673028e4b92aeb9b0b62607ed15c

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gosportz.in
Port:
587
Username:
[email protected]
Password:
Ss@gosportz
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 4 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 2444 EQNEDT32.EXE
5 2444 EQNEDT32.EXE
8 2444 EQNEDT32.EXE
10 2444 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

word.exe

pid process

2488 word.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEWerFault.exe

pid process

2444 EQNEDT32.EXE
1984 WerFault.exe
1984 WerFault.exe
1984 WerFault.exe
1984 WerFault.exe
1984 WerFault.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

word.exe

description pid process target process

PID 2488 set thread context of 2328 2488 word.exe regsvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2444 EQNEDT32.EXE

flow	pid	process
4	2444	EQNEDT32.EXE
5	2444	EQNEDT32.EXE
8	2444	EQNEDT32.EXE
10	2444	EQNEDT32.EXE

pid	process
2444	EQNEDT32.EXE
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

description	pid	process	target process
PID 2488 set thread context of 2328	2488	word.exe	regsvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2444	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1844 WINWORD.EXE

pid	process
1844	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

word.exeregsvcs.exe

pid	process
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2488	word.exe
2328	regsvcs.exe
2328	regsvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

word.exeregsvcs.exe

description pid process

Token: SeDebugPrivilege 2488 word.exe
Token: SeDebugPrivilege 2328 regsvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEregsvcs.exe

pid process

1844 WINWORD.EXE
1844 WINWORD.EXE
2328 regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	2488	word.exe
Token: SeDebugPrivilege	2328	regsvcs.exe

pid	process
1844	WINWORD.EXE
1844	WINWORD.EXE
2328	regsvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EQNEDT32.EXEword.exe

description	pid	process	target process
PID 2444 wrote to memory of 2488	2444	EQNEDT32.EXE	word.exe
PID 2444 wrote to memory of 2488	2444	EQNEDT32.EXE	word.exe
PID 2444 wrote to memory of 2488	2444	EQNEDT32.EXE	word.exe
PID 2444 wrote to memory of 2488	2444	EQNEDT32.EXE	word.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 2328	2488	word.exe	regsvcs.exe
PID 2488 wrote to memory of 1984	2488	word.exe	WerFault.exe
PID 2488 wrote to memory of 1984	2488	word.exe	WerFault.exe
PID 2488 wrote to memory of 1984	2488	word.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order 3118.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Roaming\word.exe
C:\Users\Admin\AppData\Roaming\word.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2488 -s 736
3⤵
- Loads dropped DLL
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\word.exe
Filesize
703KB

MD5
65a47399be896d919d389ef7ff10d2d3

SHA1
2b7b23c447ac4a0d5cf8ee7854c4de4d7d9fbff5

SHA256
362817c5d64cbceace5cb56167e75587b9c81b39f34a8bb86d842fa87cdbacf1

SHA512
18a4b3a3236f5d7f69bcea6c13605fab1e4d9879a6b9f13b684203087f030c69904284f5eff031cd7864a449fe65d7355659e88eaa978c44bdf3e65655a4ff97

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
270KB

MD5
c517141c53fef87b783709b53b5af6e1

SHA1
0d5d72e962d228880d76dc73a14b3a51afe32c94

SHA256
1a669065aa1a654d75c0f67e500ddedf583416822f320b2e990cd42068d82d48

SHA512
e1a3e24dcd7d25a69ecb789879f1f68e3edb6c325f814ff0c8ecb8840b367a48de054a7111d97d6b02a8f31c15819f1ea482f76b49cb2ebb9309587838b262db

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
265KB

MD5
0e2520f305ca358f391094b000c48f94

SHA1
cf881c59b586daaa36358572491d973c442478e9

SHA256
6f0920ee060770e906cb8d60dc9a9885339f71ceb3b8a0cdc88a8fb74a015afb

SHA512
d2441f2e50b8bdcbf7c5bea62ad3a71bf02844ced76dba87942672cbe4ab4d3dcde7cdc8f30ae3c863ad1934543f7b35fadb20fd7b5ea84120b6ffd9d3072be2

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
210KB

MD5
8a2a1d5ec1ef76d8308155e55fd6d912

SHA1
24e4d4b1fd2d0e8c2ee3db8e5196f62325585723

SHA256
22070d72b253d60ceaea07706b887705e14998005063f8c3392a9125ab8affc4

SHA512
1f89da2861a950601ad7f37c038cfe8ed4ce7e524ad4f232be43218f5d0d9af27340a7e66199111df38465db6e436be41f638e7da2a0936551c0dc4d368bfb76

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
258KB

MD5
d0ff90703574364c5c8df29cee862b19

SHA1
2e0bcaf78e39cec8f5611cd13d8d8ca441723581

SHA256
bb0bab7b2d4962334deeb16aad86b94388a0e320da843a81a0a528b1958872d0

SHA512
7c7f6758be6776ad8cabc0d28fa135f2470ece4f47aebb908fe201129813ddeca478878d079ee296e618abd8b02663cc0b552345f47c02af5186706015d2ae7a

Download Submit
\Users\Admin\AppData\Roaming\word.exe
Filesize
269KB

MD5
5655af8ef5eeb7c051262e31c2dee9b6

SHA1
880a54f66939a3ee86848303cb69b4083ac66f9e

SHA256
365f62a80445b361f1841645a03944e0218361dbc018b11039e159a35ba510ea

SHA512
75be148f7ede696b68c8d7d5ad4af90b9e71ca4b3e890be06f1f1e473a2fc046725321e31490e5d5d50cb2d243be47664d06be3e46df526519c7327416dc0a7d

Download Submit
memory/1844-0-0x000000002FB91000-0x000000002FB92000-memory.dmp

Filesize
4KB

Download
memory/1844-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1844-2-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/1844-56-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/2328-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-55-0x000000006ADB0000-0x000000006B49E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-60-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2328-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-59-0x000000006ADB0000-0x000000006B49E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-31-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/2488-29-0x0000000001060000-0x0000000001080000-memory.dmp

Filesize
128KB

Download
memory/2488-57-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2488-58-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/2488-30-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2488-37-0x0000000000D30000-0x0000000000DC6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads