agenttesla | 47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75

Analysis

max time kernel
138s
max time network
151s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pepsico RFQ_P1005712.xls
Size

111KB
MD5

9eba63f385b6efcc868f163cc53e5ef6
SHA1

8da5ad24a8a94e035b473f82e03a57740413998d
SHA256

47ee3997168e1d2f64c940453432642e7f7cea124561a40904d7d8d3b58d2b75
SHA512

6c47a8bdfbc30422ab8805fb98f454ee8b71f65057e334a0ee7723a90d2e864efa44b02e98a3984f315222065002d3cb8894b99734807f78045811597207f342
SSDEEP

1536:VU0BRPw/jF2gE+wxQAOhUMqTjfktX/t/qr2ml8Vvygn05kTheDm/:y0WF2F8ATjio2fVvr05ehe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

22 1612 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2212 csrss.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEcsrss.execsrss.exe

pid process

1612 EQNEDT32.EXE
2212 csrss.exe
2212 csrss.exe
1076 csrss.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

csrss.exe

pid process

1076 csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

csrss.execsrss.exe

pid process

2212 csrss.exe
1076 csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

csrss.exe

description pid process target process

PID 2212 set thread context of 1076 2212 csrss.exe csrss.exe
Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1612 EQNEDT32.EXE

flow	pid	process
22	1612	EQNEDT32.EXE

pid	process
2212	csrss.exe

pid	process
1612	EQNEDT32.EXE
2212	csrss.exe
2212	csrss.exe
1076	csrss.exe

pid	process
1076	csrss.exe

pid	process
2212	csrss.exe
1076	csrss.exe

description	pid	process	target process
PID 2212 set thread context of 1076	2212	csrss.exe	csrss.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	csrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1612	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2180 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

csrss.exe

pid process

1076 csrss.exe
1076 csrss.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

csrss.exe

pid process

2212 csrss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csrss.exe

description pid process

Token: SeDebugPrivilege 1076 csrss.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2180 EXCEL.EXE
2180 EXCEL.EXE
2180 EXCEL.EXE
2888 WINWORD.EXE
2888 WINWORD.EXE
2180 EXCEL.EXE
2180 EXCEL.EXE
2180 EXCEL.EXE
2180 EXCEL.EXE

pid	process
2180	EXCEL.EXE

pid	process
1076	csrss.exe
1076	csrss.exe

pid	process
2212	csrss.exe

description	pid	process
Token: SeDebugPrivilege	1076	csrss.exe

pid	process
2180	EXCEL.EXE
2180	EXCEL.EXE
2180	EXCEL.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2180	EXCEL.EXE
2180	EXCEL.EXE
2180	EXCEL.EXE
2180	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEcsrss.exe

description	pid	process	target process
PID 1612 wrote to memory of 2212	1612	EQNEDT32.EXE	csrss.exe
PID 1612 wrote to memory of 2212	1612	EQNEDT32.EXE	csrss.exe
PID 1612 wrote to memory of 2212	1612	EQNEDT32.EXE	csrss.exe
PID 1612 wrote to memory of 2212	1612	EQNEDT32.EXE	csrss.exe
PID 2888 wrote to memory of 2008	2888	WINWORD.EXE	splwow64.exe
PID 2888 wrote to memory of 2008	2888	WINWORD.EXE	splwow64.exe
PID 2888 wrote to memory of 2008	2888	WINWORD.EXE	splwow64.exe
PID 2888 wrote to memory of 2008	2888	WINWORD.EXE	splwow64.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe
PID 2212 wrote to memory of 1076	2212	csrss.exe	csrss.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pepsico RFQ_P1005712.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2008

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Roaming\csrss.exe
  "C:\Users\Admin\AppData\Roaming\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    "C:\Users\Admin\AppData\Roaming\csrss.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A93F44C-1CD0-4145-80D2-1C17D892C650}.FSD

Filesize
128KB

MD5
edfd5ca02052251663be378629e7dfce

SHA1
3c300d2e1ae1ef04885813e9052d6557fdbf53a1

SHA256
097d1be5b07ed276fb20610a7f2793841912a5ac9556be77b8e565814e8322fa

SHA512
e9eb3354890bbd0e523e2e4cd82788673f1015fc78e0a43c498a244da203046ead34cde173084b8c879621e5e25cb47f8880ed624d8181c030900a247df6f1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
be846475cfcfe3ad11178a8481a2e595

SHA1
bc1ff8a55a33e0fd08a0e9eaa5a13c93fbe2dde0

SHA256
6c6ee42aba9e8bff9a25ebbfdffd7e8846f8b7bbd7bc6947cb65dfebd182af5c

SHA512
54153a2d084c6afea36d279d74ee3c22aa63a6508b93c4913c0d1f4c88beabdf6223385f796f31b1e4b7f1b48682875ab73dc53741f76b425e7aa2b84c68b381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7254DAF7-C6F0-4974-BFCA-C6F5DD838459}.FSD

Filesize
128KB

MD5
2c226affc159ab173b60d6834a786fd9

SHA1
435844ffd05214853a50d50899d0ebfcb902df68

SHA256
a8a6981a0efa606f78eedbb5414486ad0dd923aadd0192fe7ef041bde766b99a

SHA512
adede03f59b8741c2e463334752f88dfdf27a182102875bf0aceced8e909ed0b591833d1d905f48fe043947cced6ea5f2aa5015042d45bd5149164e897c619e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\lionisthetruekingsofthejunglewhichcomaprewithtigerbecauseoftheattitudelionalwaysliontounderstandthepoweroflion__kingofthejnglelion[1].doc

Filesize
34KB

MD5
0305665fe64e9a6f1ece3d43bc5d5112

SHA1
10460b71c923225d6c368a96a7c0b7058bd65b54

SHA256
dc579de78c6ed74c526d2f3eabc5d486dcf1a046159e5eda72b1f232e495b6f2

SHA512
f359b47159ecdbbbc83e76ed00295cdd279289db6333b83d03e2a111dfb26ce873d08938345fd91083df4661253a8da26972d8cb3bc9ce93ac7ff72611f07b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41E3.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4206.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB8E6.tmp

Filesize
18B

MD5
a24188ce6d4a713d3508b4c0ec4860ff

SHA1
1e4b331b57d9d633687b5ecdaf35b0ab55c72e44

SHA256
0910aef0152e26373651bd0550d8d61e3f1e72820e69c3fec56ae50cd225a493

SHA512
427e9635aed314bb5e5b90ba32c55d78922b3ba8276bc185889e3d3c635925c9148e1bf12d289b0a3c0fc8bbbe78b52f223d550d39b67682f2007b625db0331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB8E6.tmp

Filesize
29B

MD5
f302a24fc452fd85d13ad30a272d6f35

SHA1
3b9153f575b70084ae04fd55d5c86169eaa60916

SHA256
2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

SHA512
477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB8E6.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB936.tmp

Filesize
56B

MD5
53b8f59e083aa7c1b4fe5ed372e3e7e4

SHA1
98782aed5619d59ed36429277fe238727387955e

SHA256
bc97a078a44781b51dc6a3d5c38147c918c8311459c1c3d5d272002c513a68af

SHA512
5ef8041026150b346839577e782a4ace6b2c9b2e3e0cc2ddd9e29dc34dbf598902e1895adf6353aaed6f56743c8d421d1dc898d188dbbaaa5bcca224e7306bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB8B6.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB907.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB907.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB907.tmp

Filesize
21B

MD5
cbebbb257a8311891f9bfccf5355e077

SHA1
b92ad8024d7b255165e48c519e71ed780d928cda

SHA256
4b53da02410254217ce2ca226b04cac355f795702acacee4695092b5c58af01a

SHA512
9b775b4e202b152996e5b0cea8f2c410026d7a75a3d66168051bc86dde49ccd11f1d8e49ab87a2ce7608d32a832bb3ed2e56319cb27e6890355fc87cf910f295

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB907.tmp

Filesize
60B

MD5
7e828655d00269fe9d73e99520061456

SHA1
5341e579934758bc6e25ae7b8e4fb559d8fea2ff

SHA256
0d1a557b0e8d85d8d78e905004b1a7037fc12d6ffa801ec4a44262ac28e4bb3c

SHA512
c954c3ed0038f3888cdaf33232dad08370d5204e8054a381381959bcd1bd2125807ad3488ac94d4871db5310dc8f64b721307af1fb2711c22e4860e6d11e8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB9A5.tmp

Filesize
4B

MD5
ee11cbb19052e40b07aac0ca060c23ee

SHA1
12dea96fec20593566ab75692c9949596833adc9

SHA256
04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb

SHA512
b14361404c078ffd549c03db443c3fede2f3e534d73f78f77301ed97d4a436a9fd9db05ee8b325c0ad36438b43fec8510c204fc1c1edb21d0941c00e9e2c1ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB9A5.tmp

Filesize
25B

MD5
8862560e881d6575fee3adfb711d1c11

SHA1
b936ab218e307ea1dd7da7e3f3e0f727f15ee80d

SHA256
b06ac7eb718baa0f71c83a46cf55b5a1368d93fd3e2007fc6047b4854f3090fe

SHA512
4ddd950a2da0b1c9fecf29fa48d1ac1847f4461bca2fc58f38d2af44657f810e07a8383878dc06a803d5ac77450f5fc90865551f7aea85b48ca97eb0022228b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszB9A5.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D267542D-5C6E-4591-BF7F-A1E83E7227AD}

Filesize
128KB

MD5
aa258338db8bfc6c22d352e352d7841d

SHA1
f2d7e2d77fd12a95225a3b732135e721df68715b

SHA256
ceeb07fd733daad971f8def0ea2d47440d4bece7b6a209b71e9d3d4d9c309ddd

SHA512
5b65f02e6de9d0a8475b357c9d3839083bceb07a33beb0ba162ebb2b65916bdb0127c4690c15a0effc66c185903a3ea4f6cf72e7b7fb34859fbca5611d7a12a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1GINGV5T.txt

Filesize
70B

MD5
37e3998e60a134b658e4d126122dbe6f

SHA1
faa45f6be823799f235c6a52fe8102541ab9b68b

SHA256
2f983185f36cdb9d457f5e769798cb90c53b1862159936c6c77df68cae2dfef1

SHA512
23716daf5abe6a855e43efc757847ca8251438cc2fbed13f284f97fcce872d647f1cb520907aeaa4fd3658bd0c3e556edbda7d4483dfddafd1cb98879f0d13c1

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
498KB

MD5
b616cc8c02b88cff3a1d36ab29673399

SHA1
34689314dda15bd7e84fb84e4cf09749f548bdd3

SHA256
cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56

SHA512
21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3

Download Submit
\Users\Admin\AppData\Local\Temp\nseB8D6.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1076-717-0x0000000000470000-0x00000000014D2000-memory.dmp

Filesize
16.4MB

Download
memory/1076-718-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2180-124-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/2180-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2180-60-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/2180-1-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/2888-125-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/2888-59-0x0000000004450000-0x0000000004452000-memory.dmp

Filesize
8KB

Download
memory/2888-57-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/2888-55-0x000000002FC21000-0x000000002FC22000-memory.dmp

Filesize
4KB

Download