agenttesla | e6be399576b6bc96254e00a8743115604bf1dff765789d3483d3650575de6129

Analysis

max time kernel
545s
max time network
401s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x (2).xls
Size

323KB
MD5

2be86255d5c58c9d1452c9cf39a6a66d
SHA1

058d72f3e45476408ffaca4ce9f7b39a05ed3405
SHA256

e6be399576b6bc96254e00a8743115604bf1dff765789d3483d3650575de6129
SHA512

7d00f8f3f4d7d287b3731cf7c6631824255066b1aae4adaa641837e258f34be7aa50ea3b42b2b9d4822fb10a9ef3ee0507851c6dedb36ed2fc98cd975c5e9d41
SSDEEP

6144:cuunJ1qZ+RwPONXoRjDhIcp0fDlavx+fgLt0d6oivSbVjHyNI89GQ8PYZMm/wOGP:cvJ1J3bVjyNI89f8P4wTUoIEn

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dmsinnovative.ro
Port:
587
Username:
[email protected]
Password:
Haftasar23
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1928	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2676	HJC.exe
1768	HJC.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	EQNEDT32.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org
23	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 1768	2676	HJC.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1464	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1928	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1724	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1884	powershell.exe
588	powershell.exe
1768	HJC.exe
1768	HJC.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1768	HJC.exe
Token: SeShutdownPrivilege	1724	EXCEL.EXE
Token: SeShutdownPrivilege	2588	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1724	EXCEL.EXE
1724	EXCEL.EXE
1724	EXCEL.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2676	1928	EQNEDT32.EXE	31
PID 1928 wrote to memory of 2676	1928	EQNEDT32.EXE	31
PID 1928 wrote to memory of 2676	1928	EQNEDT32.EXE	31
PID 1928 wrote to memory of 2676	1928	EQNEDT32.EXE	31
PID 2588 wrote to memory of 1480	2588	WINWORD.EXE	32
PID 2588 wrote to memory of 1480	2588	WINWORD.EXE	32
PID 2588 wrote to memory of 1480	2588	WINWORD.EXE	32
PID 2588 wrote to memory of 1480	2588	WINWORD.EXE	32
PID 2676 wrote to memory of 588	2676	HJC.exe	34
PID 2676 wrote to memory of 588	2676	HJC.exe	34
PID 2676 wrote to memory of 588	2676	HJC.exe	34
PID 2676 wrote to memory of 588	2676	HJC.exe	34
PID 2676 wrote to memory of 1884	2676	HJC.exe	36
PID 2676 wrote to memory of 1884	2676	HJC.exe	36
PID 2676 wrote to memory of 1884	2676	HJC.exe	36
PID 2676 wrote to memory of 1884	2676	HJC.exe	36
PID 2676 wrote to memory of 1464	2676	HJC.exe	37
PID 2676 wrote to memory of 1464	2676	HJC.exe	37
PID 2676 wrote to memory of 1464	2676	HJC.exe	37
PID 2676 wrote to memory of 1464	2676	HJC.exe	37
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40
PID 2676 wrote to memory of 1768	2676	HJC.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\x (2).xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1480

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\HJC.exe
  "C:\Users\Admin\AppData\Roaming\HJC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HJC.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rvhClFSuTC.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rvhClFSuTC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A40.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1464
- - C:\Users\Admin\AppData\Roaming\HJC.exe
    "C:\Users\Admin\AppData\Roaming\HJC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{00B728A4-8960-4CBF-83AE-14B6286E7C18}.FSD

Filesize
128KB

MD5
41b8c4369764d782e065d37619ff4019

SHA1
252ce7c94821cd1f8100d17bd9f5fe446354042f

SHA256
f974dcee023e95e5bf74a00dee4c8eff977b420bb27cdff236e2074e5fd8a8d3

SHA512
c8a2616be330d12bbd2e5eb3929a3a5d8e3b63feb32db8ff08e90d8eb3f2f41bc913162b59a7158a4c185dd32ab536653eb2b3c28875be6eb8a454e8fe339bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DCF0C963-9EF9-4D79-AE7B-9A4B3903E630}.FSD

Filesize
128KB

MD5
17c2015149279738888b9bdc66fae22e

SHA1
6a9a6b08fa94e3fcb5b388795447cf9693bcaa01

SHA256
0064d5d7cf00291601b500e76347d3bdab606d765f1481cd2c8fec494d49ffe4

SHA512
f094cb53f3ba1a4c9e030d3482810b37827d7a9fc4a93f0062384a04c9e867140cb298c56bf50a8a47153ab9384fd5e8a54aa994bd85b9cfe46556edd260f727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BO5VDUUS\iwillkissherwithentirethingstodowithouthavinghistalenttokissherwithlotofloveitrulylovedherwithoutinformation___ireallywantotlovehertrulysheismy[1].doc

Filesize
78KB

MD5
ed096dddbfcf9b78a74e3f65f30c0352

SHA1
4e736672d662dce4d9f5ee13324c41caa13b6743

SHA256
f73be5ad393981cda5dcc30559f1a3c034540ffe13d03d6016d1bf3ccf03feb5

SHA512
22c6828e0ce9f193b680e577da2b2a02219aef64ee9e86c39b25a29b61b0079fd68d31ecf7282d29f7bc909804e761dbbe9b53f9c903918c4e3a37ab756b494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A40.tmp

Filesize
1KB

MD5
18b24f24c65f85c42dae20fb479ca55d

SHA1
718fed3e74bebe3e4010aaf4aadeea7423365cda

SHA256
b0e5362387bdc4b719f0ccb0efa24654209efeb068f4e8c10fab340d508505c5

SHA512
90d99d8826ba10a3c61910de694c7f99946a7e72443ed6d3f92788898c3f3bc793647ac80f4f980b88479c337910f7ad4d405d11b4c13312ed7b4e3615123134

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FC6A9982-6276-4AC9-9F2B-F30E6D2566F8}

Filesize
128KB

MD5
3ae580250968b57b36aae6df118d8b12

SHA1
ed122a49dccdf4fba3eec21cb502255bcd2a4aa5

SHA256
55d7deafd4a3180b13a647ab604ab4d0ca87b01dec816c1c61ec6f23b7fbec55

SHA512
1bf64e5bad8312a87a839b56e7cda9dda342daceb56c00d85a812f2fbeaae40e5729979910eba2978cf2f03a834d837d15957a858789f79770a0a989000f88b8

Download Submit
C:\Users\Admin\AppData\Roaming\HJC.exe

Filesize
652KB

MD5
d38790d5f832f007c8031e22d1b8d9f8

SHA1
c7aa58c8743e66dad54d1586ad39203b798d452a

SHA256
13a6b2f5611a02e6f7fda7652cc97d35c000fe045bf405f8e306fa67292dc5cf

SHA512
dc0c9b1cab4f13206e4c7b25c1776994c718e7dd0acb808e59e1149f8dd40ec2c5248803e2b6ae2db17c1f17c0d62ce56ecaae039651c275eb4cb0609bb3b968

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7c237004452d0f8167d8952cd78e028f

SHA1
371869254a4b0b235772f12d64f382067f0645f5

SHA256
a973b0687f9490cbf9f670392070b3ae60c0eb4104c177d935163acb9eaaaee5

SHA512
361b6440ce64d06813fe387b9cd8032b2f0ce14436e89e8d7e24e420b389c5ecd7bfb7f235c2143bd3889f94604de5c3feb50c4ee9255995b96cd8200fa56da4

Download Submit
memory/588-149-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/588-120-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/588-119-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/588-126-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/588-131-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-10-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download
memory/1724-1-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/1724-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1724-103-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/1768-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-137-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1768-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-146-0x0000000069790000-0x0000000069E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-147-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/1768-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-164-0x0000000069790000-0x0000000069E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-165-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/1768-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1884-122-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-148-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-133-0x0000000065530000-0x0000000065ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-123-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/1884-134-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/1884-121-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2588-5-0x000000002FC91000-0x000000002FC92000-memory.dmp

Filesize
4KB

Download
memory/2588-7-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/2588-9-0x00000000036D0000-0x00000000036D2000-memory.dmp

Filesize
8KB

Download
memory/2588-128-0x0000000071F7D000-0x0000000071F88000-memory.dmp

Filesize
44KB

Download
memory/2676-102-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2676-101-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/2676-99-0x0000000069DF0000-0x000000006A4DE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-98-0x0000000000FE0000-0x000000000108A000-memory.dmp

Filesize
680KB

Download
memory/2676-142-0x0000000069DF0000-0x000000006A4DE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-104-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/2676-105-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/2676-106-0x0000000000B90000-0x0000000000C14000-memory.dmp

Filesize
528KB

Download