agenttesla | 47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
83s
max time network
108s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico RFQ_P1005712.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

22 808 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2952 csrss.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEcsrss.execsrss.exe

pid process

808 EQNEDT32.EXE
2952 csrss.exe
2952 csrss.exe
324 csrss.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

csrss.exe

pid process

324 csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

csrss.execsrss.exe

pid process

2952 csrss.exe
324 csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

csrss.exe

description pid process target process

PID 2952 set thread context of 324 2952 csrss.exe csrss.exe
Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

808 EQNEDT32.EXE

flow	pid	process
22	808	EQNEDT32.EXE

pid	process
2952	csrss.exe

pid	process
808	EQNEDT32.EXE
2952	csrss.exe
2952	csrss.exe
324	csrss.exe

pid	process
324	csrss.exe

pid	process
2952	csrss.exe
324	csrss.exe

description	pid	process	target process
PID 2952 set thread context of 324	2952	csrss.exe	csrss.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	csrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
808	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1904 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

csrss.exe

pid process

324 csrss.exe
324 csrss.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

csrss.exe

pid process

2952 csrss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csrss.exe

description pid process

Token: SeDebugPrivilege 324 csrss.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1904 EXCEL.EXE
1904 EXCEL.EXE
1904 EXCEL.EXE
2432 WINWORD.EXE
2432 WINWORD.EXE
1904 EXCEL.EXE
1904 EXCEL.EXE
1904 EXCEL.EXE
1904 EXCEL.EXE

pid	process
1904	EXCEL.EXE

pid	process
324	csrss.exe
324	csrss.exe

pid	process
2952	csrss.exe

description	pid	process
Token: SeDebugPrivilege	324	csrss.exe

pid	process
1904	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEcsrss.exe

description	pid	process	target process
PID 808 wrote to memory of 2952	808	EQNEDT32.EXE	csrss.exe
PID 808 wrote to memory of 2952	808	EQNEDT32.EXE	csrss.exe
PID 808 wrote to memory of 2952	808	EQNEDT32.EXE	csrss.exe
PID 808 wrote to memory of 2952	808	EQNEDT32.EXE	csrss.exe
PID 2432 wrote to memory of 1720	2432	WINWORD.EXE	splwow64.exe
PID 2432 wrote to memory of 1720	2432	WINWORD.EXE	splwow64.exe
PID 2432 wrote to memory of 1720	2432	WINWORD.EXE	splwow64.exe
PID 2432 wrote to memory of 1720	2432	WINWORD.EXE	splwow64.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe
PID 2952 wrote to memory of 324	2952	csrss.exe	csrss.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1720

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{17EE9F7D-B154-43C6-A185-146906FD8C19}.FSD
Filesize
128KB

MD5
03d0445c932dec3e23caa98c84b382c0

SHA1
42d390cfce175dfd06d94177e7649475da836a43

SHA256
6dc74d893ff7159031f57329e457cb344ca2a2c7eba089d1f0aa7f5a8a93199a

SHA512
b1603bcfef1d3af90b41762009018dba7f69eb1ab2d1202b3d2b2a887102392b0b2b12e28c88b5dc4579ae7771316d544f649174f39a0234c0d7f8c715fe9199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
c5d626c6626db53f749cf401647d6160

SHA1
eb71186e713743e1640d0a26940f504ec7a92f5c

SHA256
8fe8345b8f9388ee0e0f378a5ff4d6ebb74b773ba4da55faec8826fcbadbd9f4

SHA512
817ee7e3fafb4c9d836b97684df161abafd4ae49fa4d3202e9e6f4548f48df71ef6086d87ad79084ccd617331c4a388d19b7a03aab7cb3a208d05bfe932b053c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
0a8274481f3b7d194e96aaa4d36ccb7f

SHA1
267600611c6bb178b3fa75508d223db98a787c7f

SHA256
766f44aefcf4a66af6b40b18fd26e59e912348d92465b2d665127ccfec0620b4

SHA512
89b027da9be92f45dea3b1bdaa7023d026bd40b0f1043125f6b5800627758ffe256bbd35d29d62a9c1d141d3357f2b5002b13eee958f536d92aea402b71fe724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{54A57937-4AD8-486A-9438-C2809B528954}.FSD
Filesize
128KB

MD5
e7200fbbde273b28d88117901352a636

SHA1
0537591cc37382b537349d461d16e97cc540f4b3

SHA256
662321125307e1c1121fd33bea2fa5e751759745c6eb415c450ed3da9d9fa6e5

SHA512
81677345ffc839b3b806e4cee817bd26e203af98b7fbf4b8b43b7d59b9ad02d747b1ef8682ceabfea385106078f35f3a7ddafbbc920ff76226ee4a7a3e8233d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc
Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19A1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCDEC.tmp
Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCDEC.tmp
Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCE3C.tmp
Filesize
28B

MD5
5fbf3b955fe99b41f0df51869f57912b

SHA1
1b9ae652cb7c0d7b3c7715dce6bb48b400f8a75a

SHA256
8ef5278b3b052a64d7503807aabbd647e664b44b262646a3eaf4eff12906fa1c

SHA512
3476d6606190d1bdb59107a238efbc8a5cd45c13a1d43079e131a8c479c370c5bc5cb53f7b7d80deb333e518047da38dac77496724da19beb2e45a3879a3c1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCE3C.tmp
Filesize
56B

MD5
53b8f59e083aa7c1b4fe5ed372e3e7e4

SHA1
98782aed5619d59ed36429277fe238727387955e

SHA256
bc97a078a44781b51dc6a3d5c38147c918c8311459c1c3d5d272002c513a68af

SHA512
5ef8041026150b346839577e782a4ace6b2c9b2e3e0cc2ddd9e29dc34dbf598902e1895adf6353aaed6f56743c8d421d1dc898d188dbbaaa5bcca224e7306bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
23B

MD5
cc425c0e67a76a3ef42ffd875ac98788

SHA1
81867852fcd85548b1dc0d6a4acd4135055ff869

SHA256
2787c54979c964e4cc50064d4d89581a327a02067a8efb1be41764f428e9b5ee

SHA512
da263e2abfe2b2f1809edd4f67e76051141c16ddc1fd8c19f24e494c1e2bde6cdc099799bedac0cdcc2b5e06a1d6ea2d582023d4dbfb0cf03a690f7daa09d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
41B

MD5
574a5dc3cb296a1a8a2e31770c3ba0c6

SHA1
8adfdb782fdef7d4651830110253197edccb438b

SHA256
b659dc0b6db3c3df687ba471d22cc215965ed07fc880cf979fca5598bd67b7b7

SHA512
60564ce79d71104141c10298d20544a77a63cf7781643bd0b8943c61daafbfd844152b64831afec6d80b7c889afcadff803214c079159cc4461ba362b8804ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCE0D.tmp
Filesize
59B

MD5
a95db921a0fe57e6aefc41a5c0ffc732

SHA1
cd717fa5761f8d489d5578dd9f1b8e2b60ed7b72

SHA256
b03db7bd6621619695e753f43ae1928527e03361af8e4fabcc28592770ac934d

SHA512
004cb8bda6852b10060c9866b12fc0b9127624efde028558e6a4da4482c98fe9df1ff5715eb07053174edd731771cac1130c1325f4b1836678f6386c739bcabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCDAC.tmp
Filesize
18B

MD5
1a42166fa1e8a360271d4fb25c78fbda

SHA1
f4d1ad6ecdc1202a2c08c03514ec814072b818d2

SHA256
b271abd85535886a3753ee0a5e8957a1bf2e502c4a275d1d8f7f5ddf3b7de292

SHA512
ee3342a9a407bfe56e7c65c1f1c0b15624fbffc60c88ff9e404a1dbebcfd606f42de8cb61624f992f57fca2e05d75a64611a78e508c7772ffaeb9c5924c87c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCDAC.tmp
Filesize
41B

MD5
9b63af13344f6ef82f01f463737f3a43

SHA1
8d8b471641cae2462b39fa096c26475167bbf274

SHA256
8b0454c42dded71d9ee62354260d89e0565bb803a300bb2c49c9dd50fd2d1c4b

SHA512
708585072fc9f56b68a2737726b580347861fc188d60b19e59d9b6b4a9fcd25e39a972254146f97d4aee32fc9502546c5da2803b027222f70de6d223e93db674

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCDAC.tmp
Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE6C.tmp
Filesize
29B

MD5
494d0d159b1e574f09fe79bda72f9c7c

SHA1
257a74558f794976d51b62a2af3b8e8e0bf8d999

SHA256
aafe3e506b4a9cdc77a876716f2ca016314e4529646d588cd6ee1b8573bbcd28

SHA512
93adc30e04f5d3f5f6e0372c77d20c148322717d53ca923145d2428ee960158eafed406e9af4996ce969c69b5b690c1758a3857891fb74e27c2f1685aa4ba0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D1AB02AE-DFD9-4DD0-8D99-A47C9F876FEB}
Filesize
128KB

MD5
a4af6cf73ce481f856dd66206580065a

SHA1
089af03e5e36a7c46c11dc4f4d77d9f763c7ee78

SHA256
0108cc7621af526414a730d1eb3e1544b0113a8dcdbc8465869580f96e7aebf1

SHA512
fb4293367eec8787a6c54a78afc97e23a1f2f80a29f1fdf408bcb511d524ece25eac9e5a5f3f81790295d932d29d11e3615bf70b8acbbe71c1c158cb419ec6ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FGURTBPF.txt
Filesize
69B

MD5
22130684af2b9e562c6dbf084a8b44f0

SHA1
c881ca07653196679b9c7813a0ae40dd83b057f9

SHA256
9b1ee197a55e833a001dc881c0215686b8491bfeb3e4e2033e3c83cb54f8681c

SHA512
aa151c218c22d9fbf7bbaa554ee018c519f1a053a764c1c9f883f30aae47e8ac9bd4dc43cdb8130a9958d4cbfb627c5537e4a96f0fcbc3dd23a92f5c9bca9933

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
498KB

MD5
b616cc8c02b88cff3a1d36ab29673399

SHA1
34689314dda15bd7e84fb84e4cf09749f548bdd3

SHA256
cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56

SHA512
21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/324-721-0x0000000000470000-0x00000000014D2000-memory.dmp

Filesize
16.4MB

Download
memory/324-722-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/1904-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-64-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/1904-1-0x00000000725ED000-0x00000000725F8000-memory.dmp

Filesize
44KB

Download
memory/1904-128-0x00000000725ED000-0x00000000725F8000-memory.dmp

Filesize
44KB

Download
memory/2432-61-0x00000000725ED000-0x00000000725F8000-memory.dmp

Filesize
44KB

Download
memory/2432-63-0x0000000003670000-0x0000000003672000-memory.dmp

Filesize
8KB

Download
memory/2432-129-0x00000000725ED000-0x00000000725F8000-memory.dmp

Filesize
44KB

Download
memory/2432-59-0x000000002F351000-0x000000002F352000-memory.dmp

Filesize
4KB

Download