agenttesla | 47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico LLC Company Profile.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

22 1992 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2832 csrss.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEcsrss.execsrss.exe

pid process

1992 EQNEDT32.EXE
2832 csrss.exe
2832 csrss.exe
2228 csrss.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

csrss.exe

pid process

2228 csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

csrss.execsrss.exe

pid process

2832 csrss.exe
2228 csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

csrss.exe

description pid process target process

PID 2832 set thread context of 2228 2832 csrss.exe csrss.exe
Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1992 EQNEDT32.EXE

flow	pid	process
22	1992	EQNEDT32.EXE

pid	process
2832	csrss.exe

pid	process
1992	EQNEDT32.EXE
2832	csrss.exe
2832	csrss.exe
2228	csrss.exe

pid	process
2228	csrss.exe

pid	process
2832	csrss.exe
2228	csrss.exe

description	pid	process	target process
PID 2832 set thread context of 2228	2832	csrss.exe	csrss.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	csrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1992	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2276 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

csrss.exe

pid process

2228 csrss.exe
2228 csrss.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

csrss.exe

pid process

2832 csrss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csrss.exe

description pid process

Token: SeDebugPrivilege 2228 csrss.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2276 EXCEL.EXE
2276 EXCEL.EXE
2276 EXCEL.EXE
1516 WINWORD.EXE
1516 WINWORD.EXE
2276 EXCEL.EXE
2276 EXCEL.EXE
2276 EXCEL.EXE
2276 EXCEL.EXE
2276 EXCEL.EXE

pid	process
2276	EXCEL.EXE

pid	process
2228	csrss.exe
2228	csrss.exe

pid	process
2832	csrss.exe

description	pid	process
Token: SeDebugPrivilege	2228	csrss.exe

pid	process
2276	EXCEL.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE
1516	WINWORD.EXE
1516	WINWORD.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE
2276	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXEcsrss.exe

description	pid	process	target process
PID 1516 wrote to memory of 1216	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1216	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1216	1516	WINWORD.EXE	splwow64.exe
PID 1516 wrote to memory of 1216	1516	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 2832	1992	EQNEDT32.EXE	csrss.exe
PID 1992 wrote to memory of 2832	1992	EQNEDT32.EXE	csrss.exe
PID 1992 wrote to memory of 2832	1992	EQNEDT32.EXE	csrss.exe
PID 1992 wrote to memory of 2832	1992	EQNEDT32.EXE	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe
PID 2832 wrote to memory of 2228	2832	csrss.exe	csrss.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pepsico LLC Company Profile.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1216

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BA8ACFAB-633C-4752-A3CC-420854B5C405}.FSD
Filesize
128KB

MD5
4341984c7e1d884ea208fc3723988cf8

SHA1
ab13a141f1b87440e08c349e2774d8d4e9f2a105

SHA256
a484408e65078de6deb76166025dafeb4054c925bf6ea7a61ea4d688be005d78

SHA512
ee564273efd90a345d3aaeae408606fecc5d09f38ba5f2a7404c93f30ded4b0eb8bc0b40efb5e22b168f8b369ebfbbc3f6cc2047c8792b12dddf7f5fd745eed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
1f9790f1d33b99bac176681893b3f6bb

SHA1
2f9d22f80791308337dd82bd37ad0f6cd0d6ac2e

SHA256
61f43dfb993f6fd9bcfe08f68f9b7674d57cce3ec5b7cc8d32a6b404754123b0

SHA512
e96e8a18f5673d718cdeeec40823dfdbf914efae60613283c2444522412bfc0696924f81e0aa31516458f127fa2c66cfdf7d0312aa568ed105a88130b66f21a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{ED8EE4A2-567B-4A5A-B6BF-328A876A1736}.FSD
Filesize
128KB

MD5
7d6cb831f77a0e84780d6da5d618c7ce

SHA1
2bb116dfc63954d738f9b962a6829c19fd4d13e4

SHA256
69103b13952d21b8bd0e0b2e161807b5cb26ffee3dc6f99d8e61fec6039eac6d

SHA512
0f3b2632fb173bae1943b1392ff287036e0473130f19362aae3123322e8e2a124aa682e5413b75df9bd72212475d849eee16c2f646ff8a5e09c0e3a701a25821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc
Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2776.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC382.tmp
Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC382.tmp
Filesize
19B

MD5
adfb82dfa0a66bd7e108a83873cbd4cf

SHA1
caaf90327bb1e7b6731e154351f351bf3a3bb1c4

SHA256
2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228

SHA512
103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC382.tmp
Filesize
31B

MD5
4a0b2abb11e0875e051f4fb404869340

SHA1
a58e784d4e4ebd72613c76ac76664db05a2fb675

SHA256
31a3b7fb8fd5c57f5b01b651aaa4ce5e7140555cf92357a3735e43fb4ad9c273

SHA512
e7cac8f4b2093857ef81216e25b633170d5bbe5a3cecd07a01009ccafa97ae3896cd86f74dcc24b19116075a7d33feb3622457b19d762a0da5c744552f1e35d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC382.tmp
Filesize
36B

MD5
6773e7eaf1002d0b0dbc22d4309fed5c

SHA1
e8a2bffa8c16996414afaa6bdc40b3fd8007afc1

SHA256
e5151e9c009c72349ab7fba9b0c5503407456931bd9f4678a00f390f27ae255a

SHA512
aa716a5c9e347249b2a89b9c980f1ee0231ac2421f1f0100312539c4d476e5d394c874fdfa973b7acfb99c6ac018d199f18ecf73c822fcd169300861438647be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC382.tmp
Filesize
60B

MD5
7e828655d00269fe9d73e99520061456

SHA1
5341e579934758bc6e25ae7b8e4fb559d8fea2ff

SHA256
0d1a557b0e8d85d8d78e905004b1a7037fc12d6ffa801ec4a44262ac28e4bb3c

SHA512
c954c3ed0038f3888cdaf33232dad08370d5204e8054a381381959bcd1bd2125807ad3488ac94d4871db5310dc8f64b721307af1fb2711c22e4860e6d11e8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3D2.tmp
Filesize
29B

MD5
494d0d159b1e574f09fe79bda72f9c7c

SHA1
257a74558f794976d51b62a2af3b8e8e0bf8d999

SHA256
aafe3e506b4a9cdc77a876716f2ca016314e4529646d588cd6ee1b8573bbcd28

SHA512
93adc30e04f5d3f5f6e0372c77d20c148322717d53ca923145d2428ee960158eafed406e9af4996ce969c69b5b690c1758a3857891fb74e27c2f1685aa4ba0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC352.tmp
Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC352.tmp
Filesize
15B

MD5
aec87a5b696e973fd725cfd7fccef0bb

SHA1
4c0cd9bd8adbc7ad00627bc192c73d3aa23f0f02

SHA256
a48c987be1252d84c855810b44ad498f5ab67b9b8bfea471b0e1ec5a7f480fc9

SHA512
8cf3daf380683412911f7d0719c48a9ffa313d09016f6c811f41a16416ad0c3abba2cd34a57ca912ca1853b12665824732a480ec15f127a33aa1476d7479d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC352.tmp
Filesize
29B

MD5
f302a24fc452fd85d13ad30a272d6f35

SHA1
3b9153f575b70084ae04fd55d5c86169eaa60916

SHA256
2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

SHA512
477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC352.tmp
Filesize
33B

MD5
d0c16d35895f4a76cb4fa85fc11c6842

SHA1
61d36c5b3fd3f0772608359b7ed9890b0474aee0

SHA256
d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59

SHA512
3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC352.tmp
Filesize
43B

MD5
861b54f1598ea66927bfe815c60b07bf

SHA1
05ed884e4bbf1b3f5564849ea66130977618f482

SHA256
5c9b9d544efddd32a858390c7f0f7123f4b06e201de44f6e59397d49bac23f42

SHA512
ff5b0a987698f4510e63d63ab6ee8738deda76b8b858d989b951918ee388f63519528afd76e521c16b0e8559939c184e05cb1be33fb4af49e026cb27c57fdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC3A2.tmp
Filesize
42B

MD5
2bb74a5f4e171b1633de6d63f27a6adb

SHA1
c20fbbc373b3e87babeb01931cceef80cf97d1f1

SHA256
acb5acad2ac99b323b528e18a6e2f9a1cb2a6b4b306224062c4846e7ffce9bb6

SHA512
577205cf4269050d65ff6a8e8ddb312db5beb6041dc901e33f45b60f275d28a6b60b845d4fea6097fe389fe0f0f5538edb6ee5145a3391031e7e22ce38dc5692

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC3A2.tmp
Filesize
56B

MD5
53b8f59e083aa7c1b4fe5ed372e3e7e4

SHA1
98782aed5619d59ed36429277fe238727387955e

SHA256
bc97a078a44781b51dc6a3d5c38147c918c8311459c1c3d5d272002c513a68af

SHA512
5ef8041026150b346839577e782a4ace6b2c9b2e3e0cc2ddd9e29dc34dbf598902e1895adf6353aaed6f56743c8d421d1dc898d188dbbaaa5bcca224e7306bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC321.tmp
Filesize
22B

MD5
7b381311a78901489326c8a317ddf8cd

SHA1
37d010f4fb37e77310effc7625dadbbbb36e8fe4

SHA256
59813bc6f04b4d5a16bd89d01602f4308759a60a579022a6bd209c1c0e8b463b

SHA512
626e1a6b65a7909b365f1b8623d9589889ac92f118f9c56d379af6e66e689075a70a82f76a790512203840506d8400c17f8afbd8a60540c14042c35e622a76e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC321.tmp
Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4A52CAD4-B2DC-4E3B-8C21-2A4E5E3EA23F}
Filesize
128KB

MD5
b5ae0a8b93f77a574ecf55e0f04e043d

SHA1
46b338ec35576aeab41ec04b14748e5dd891ea7d

SHA256
f9df62e5ab9efc39fbd9b34841ca16b491c44c835c93689697282ad39987073d

SHA512
65653becb69676563c2d849e3202c5e8233173719e55cf7f71ec29bf72242c6c3f231020ecac458a93168d0889db90af50af2c84b281cebf21db332ed67d21ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\61IC6WRF.txt
Filesize
70B

MD5
5503fc5d57aaf24b75ccfc1cdf323f10

SHA1
31809936bab8c6dc2449b2ccf34332d9cc9dc953

SHA256
91ba4f71247eb7072b91c7c763825229b6da62e60244d1a99bd60039d500d50e

SHA512
1384d5e74dee0a92b1d33a23293c58eafedc867e2a0010a5aecd82e94d75373de63b1100bc13f41f3fe1fb9aece3111a440aeeba9c6c04fc694276e4464db73f

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
498KB

MD5
b616cc8c02b88cff3a1d36ab29673399

SHA1
34689314dda15bd7e84fb84e4cf09749f548bdd3

SHA256
cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56

SHA512
21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3

Download Submit
\Users\Admin\AppData\Local\Temp\nstC341.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1516-129-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download
memory/1516-63-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

Filesize
8KB

Download
memory/1516-61-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download
memory/1516-59-0x000000002F951000-0x000000002F952000-memory.dmp

Filesize
4KB

Download
memory/2228-721-0x0000000000470000-0x00000000014D2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-722-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2276-128-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download
memory/2276-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2276-64-0x0000000002D50000-0x0000000002D52000-memory.dmp

Filesize
8KB

Download
memory/2276-1-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download