agenttesla | 5efb21277d8165421f6864fbf18245b3d644f39b7b01acff2b000f0e1acc05e4

Resubmissions

27-05-2024 11:09

240527-m85kasac65 10

27-05-2024 11:01

240527-m4yaesab34 10

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AKOUR II - PARTICULARS .1.xlsx.scr
Size

643KB
MD5

36ad2c5dfb781a00c608398ac31b14fe
SHA1

ddbcc7d4febadba0e43223c843b14f643fb94acb
SHA256

97c58cd9c880ee1725933fc5af4c64c39ef44ca959199121691be3fd4af3fb2f
SHA512

b35cb319299e3e745e59ec7299921729f68e25fa81b37196824057caa0e030c114c3516092d0e30b5e09178d3fb14830361070a65ed30fa4e023f51a129b12db
SSDEEP

12288:luZrYCFd6xJZIpOnjq6nd26/vlRnlm92BB31b0v24MHn69bJE6fYm8rPasqrmz:Y81xrPjdw6/vjk8rFYv24oniG2YVtLz

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://beirutrest.com
Port:
21
Username:
[email protected]
Password:
9yXQ39wz(uL+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.bin	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\vstm_auto_file	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\vstm_auto_file\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\vstm_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\vstm_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\bin_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\bin_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\vstm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1060	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
308	vlc.exe
2000	WINWORD.EXE
2624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	AKOUR II - PARTICULARS .1.xlsx.scr
2804	AKOUR II - PARTICULARS .1.xlsx.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
308	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	AKOUR II - PARTICULARS .1.xlsx.scr

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe
308	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
308	vlc.exe
2128	AcroRd32.exe
2128	AcroRd32.exe
2000	WINWORD.EXE
2000	WINWORD.EXE
2000	WINWORD.EXE
2624	WINWORD.EXE
2624	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2740 wrote to memory of 2804	2740	AKOUR II - PARTICULARS .1.xlsx.scr	30
PID 2320 wrote to memory of 2128	2320	rundll32.exe	36
PID 2320 wrote to memory of 2128	2320	rundll32.exe	36
PID 2320 wrote to memory of 2128	2320	rundll32.exe	36
PID 2320 wrote to memory of 2128	2320	rundll32.exe	36
PID 2624 wrote to memory of 2784	2624	WINWORD.EXE	47
PID 2624 wrote to memory of 2784	2624	WINWORD.EXE	47
PID 2624 wrote to memory of 2784	2624	WINWORD.EXE	47
PID 2624 wrote to memory of 2784	2624	WINWORD.EXE	47
PID 600 wrote to memory of 1060	600	rundll32.exe	50
PID 600 wrote to memory of 1060	600	rundll32.exe	50
PID 600 wrote to memory of 1060	600	rundll32.exe	50

C:\Users\Admin\AppData\Local\Temp\AKOUR II - PARTICULARS .1.xlsx.scr
"C:\Users\Admin\AppData\Local\Temp\AKOUR II - PARTICULARS .1.xlsx.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\AKOUR II - PARTICULARS .1.xlsx.scr
  "C:\Users\Admin\AppData\Local\Temp\AKOUR II - PARTICULARS .1.xlsx.scr"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2200

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockFormat.ADT"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:308

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StartUndo.vstm
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\StartUndo.vstm"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2128

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3016

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\PingComplete.odt"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2784

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:392

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnblockMerge.bin
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnblockMerge.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
d987404a7987bef75166206843538086

SHA1
ff407b80ab96130b182d0b2fe9bff50ddc915353

SHA256
e29a9098c7cf0f49fcd5f0d0a1060f6b32a34e884faed3fa9b37c7740c1acb0f

SHA512
bde3e076bec65be8a21170683592e82afc72f717e8ba2dd6fc7b409a4180ace4f289c8b1845a0532662a3945e881a804f3d0fd616f87abc5fa301dc110e19f60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
57B

MD5
3e168c239fc8814db65684834c5aa4d4

SHA1
88cb9950c9f582210160b74174026147b7e8c528

SHA256
2ce59595de327e947f2c8197bd1584cd305b32a446b0f3b0ce8a3bc999626d27

SHA512
9ae1190545644234d86a56c4f0214566939e46f26203913aecd57e89f972b2bf08ccffe863e162199dbcf5f70f7840497549e9c74f2d66ac6a720f9bb3fee3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a0ec5c6ca3095d59cc1558ce075aa144

SHA1
edec6a88c34dcfc3cd71d5fe04379b453e39c8cb

SHA256
1fe19afe114a2d1a66930d43ea0f2d39fb8b34c11b212582a3616a4185963f07

SHA512
b8864642eea9ea5c96c8166b3562549a1a6579e0bcf78ce64159c449d6978d99f7f8dc82be882edea2d6278e820f750c4b8c310b6d782702c73f95a4b815e341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
a2106b392e0d76eee490990351426642

SHA1
7242639ba0cd2278b6cab9e9273cd74e995234e8

SHA256
7e7ec7f362c74bfa6a344f5a8196558c13297cd6ef9b8e6942913468fcaf590d

SHA512
009d7f7f9cf2083e411de03a5f4ee265d9aca228829bb8a9f02880d293f2f1737e3b34deeb76115b4e316fe6839e27b7f007aa3453a9d5a3e8e4eb035163263d

Download Submit
memory/308-64-0x000007FEF3CC0000-0x000007FEF3CE4000-memory.dmp

Filesize
144KB

Download
memory/308-47-0x000007FEF50B0000-0x000007FEF50C1000-memory.dmp

Filesize
68KB

Download
memory/308-80-0x000007FEF3E80000-0x000007FEF4F2B000-memory.dmp

Filesize
16.7MB

Download
memory/308-78-0x000007FEF6700000-0x000007FEF6734000-memory.dmp

Filesize
208KB

Download
memory/308-79-0x000007FEF5460000-0x000007FEF5714000-memory.dmp

Filesize
2.7MB

Download
memory/308-77-0x000000013F190000-0x000000013F288000-memory.dmp

Filesize
992KB

Download
memory/308-51-0x000007FEF5000000-0x000007FEF5011000-memory.dmp

Filesize
68KB

Download
memory/308-58-0x000007FEF3E80000-0x000007FEF4F2B000-memory.dmp

Filesize
16.7MB

Download
memory/308-60-0x000007FEF3DA0000-0x000007FEF3E0F000-memory.dmp

Filesize
444KB

Download
memory/308-63-0x000007FEF3CF0000-0x000007FEF3D18000-memory.dmp

Filesize
160KB

Download
memory/308-61-0x000007FEF3D80000-0x000007FEF3D91000-memory.dmp

Filesize
68KB

Download
memory/308-65-0x000007FEF3CA0000-0x000007FEF3CB7000-memory.dmp

Filesize
92KB

Download
memory/308-66-0x000007FEF3C70000-0x000007FEF3C93000-memory.dmp

Filesize
140KB

Download
memory/308-67-0x000007FEF3C50000-0x000007FEF3C61000-memory.dmp

Filesize
68KB

Download
memory/308-68-0x000007FEF3C30000-0x000007FEF3C42000-memory.dmp

Filesize
72KB

Download
memory/308-38-0x000007FEF6700000-0x000007FEF6734000-memory.dmp

Filesize
208KB

Download
memory/308-32-0x000000013F190000-0x000000013F288000-memory.dmp

Filesize
992KB

Download
memory/308-40-0x000007FEF6650000-0x000007FEF6668000-memory.dmp

Filesize
96KB

Download
memory/308-41-0x000007FEF6630000-0x000007FEF6647000-memory.dmp

Filesize
92KB

Download
memory/308-42-0x000007FEF60C0000-0x000007FEF60D1000-memory.dmp

Filesize
68KB

Download
memory/308-43-0x000007FEF5310000-0x000007FEF5327000-memory.dmp

Filesize
92KB

Download
memory/308-44-0x000007FEF52F0000-0x000007FEF5301000-memory.dmp

Filesize
68KB

Download
memory/308-45-0x000007FEF52D0000-0x000007FEF52ED000-memory.dmp

Filesize
116KB

Download
memory/308-39-0x000007FEF5460000-0x000007FEF5714000-memory.dmp

Filesize
2.7MB

Download
memory/308-46-0x000007FEF50D0000-0x000007FEF52D0000-memory.dmp

Filesize
2.0MB

Download
memory/308-55-0x000007FEF4F80000-0x000007FEF4F91000-memory.dmp

Filesize
68KB

Download
memory/308-50-0x000007FEF5020000-0x000007FEF5038000-memory.dmp

Filesize
96KB

Download
memory/308-49-0x000007FEF5040000-0x000007FEF5061000-memory.dmp

Filesize
132KB

Download
memory/308-48-0x000007FEF5070000-0x000007FEF50AF000-memory.dmp

Filesize
252KB

Download
memory/308-69-0x000007FEF15E0000-0x000007FEF15F7000-memory.dmp

Filesize
92KB

Download
memory/308-62-0x000007FEF3D20000-0x000007FEF3D76000-memory.dmp

Filesize
344KB

Download
memory/308-54-0x000007FEF4FA0000-0x000007FEF4FBB000-memory.dmp

Filesize
108KB

Download
memory/308-53-0x000007FEF4FC0000-0x000007FEF4FD1000-memory.dmp

Filesize
68KB

Download
memory/308-57-0x000007FEF4F30000-0x000007FEF4F60000-memory.dmp

Filesize
192KB

Download
memory/308-56-0x000007FEF4F60000-0x000007FEF4F78000-memory.dmp

Filesize
96KB

Download
memory/308-52-0x000007FEF4FE0000-0x000007FEF4FF1000-memory.dmp

Filesize
68KB

Download
memory/308-59-0x000007FEF3E10000-0x000007FEF3E77000-memory.dmp

Filesize
412KB

Download
memory/2000-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2740-1-0x0000000001100000-0x00000000011A6000-memory.dmp

Filesize
664KB

Download
memory/2740-5-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2740-2-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2740-18-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-3-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/2740-4-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2740-6-0x0000000004C40000-0x0000000004CC2000-memory.dmp

Filesize
520KB

Download
memory/2804-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-26-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-20-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-19-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download