Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 10:48
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Exploit.Rtf.CVE2012-0158.25881.27659.rtf
- Resource: win7
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Exploit.Rtf.CVE2012-0158.25881.27659.rtf
- Resource: win10v200430
General
- Target: SecuriteInfo.com.Exploit.Rtf.CVE2012-0158.25881.27659.rtf
- Size: 10KB
- MD5: 07275cc7a9c2b70e1a9910e907f54302
- SHA1: 769ff32cbfc961da9e959dddfc6dfe6412ba5e7a
- SHA256: b8e8a4193c949dd89b02edca84207c21ebfc23cb0d531efec38fa28e022938dc
- SHA512: 677dd16c4db9a5ded83778f6afeb7246f6945fca1ac3928032cc8abd4ba10b10ea2233658c158350decf47735cb68f0045f225a1a64ffc87d128cb0f0897fd3f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.transformadosmc.com
- Port: 587
- Username: info@transformadosmc.com
- Password: 1Info2=2019b
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1876-9-0x0000000000400000-0x00000000004A4000-memory.dmp | family_agenttesla
  behavioral1/memory/1876-10-0x0000000000340000-0x000000000038C000-memory.dmp | family_agenttesla
  behavioral1/memory/1876-12-0x0000000000220000-0x0000000000266000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  5 | 1032 | EQNEDT32.EXE
- Executes dropped EXE (2 IoCs)
  pid | process
  1840 | vbc.exe
  1876 | vbc.exe
- Processes:
  resource | yara_rule
  behavioral1/memory/1876-5-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/1876-8-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/1876-9-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
- Loads dropped DLL (2 IoCs)
  pid | process
  1032 | EQNEDT32.EXE
  1032 | EQNEDT32.EXE
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1840 set thread context of 1876 | 1840 | vbc.exe | vbc.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  900 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  1840 | vbc.exe
  1876 | vbc.exe
  1876 | vbc.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1840 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1876 | vbc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  900 | WINWORD.EXE
  900 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 1032 wrote to memory of 1840 | 1032 | EQNEDT32.EXE | vbc.exe
  PID 1032 wrote to memory of 1840 | 1032 | EQNEDT32.EXE | vbc.exe
  PID 1032 wrote to memory of 1840 | 1032 | EQNEDT32.EXE | vbc.exe
  PID 1032 wrote to memory of 1840 | 1032 | EQNEDT32.EXE | vbc.exe
  PID 1840 wrote to memory of 1876 | 1840 | vbc.exe | vbc.exe
  PID 1840 wrote to memory of 1876 | 1840 | vbc.exe | vbc.exe
  PID 1840 wrote to memory of 1876 | 1840 | vbc.exe | vbc.exe
  PID 1840 wrote to memory of 1876 | 1840 | vbc.exe | vbc.exe
Processes (indentation shows the process tree depth)
- [depth 1] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Rtf.CVE2012-0158.25881.27659.rtf"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- [depth 1] C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\vbc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\vbc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\vbc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\vbc.exe
  MD5: 2ebdb2516a0759f925cda636b80b226c
  SHA1: e2ff31f7bb451ba47ae7ebbfe1d3f4c6f2718f11
  SHA256: fd55677058fd01894aead2f2389bdd8c72f56a2e15874f2ca93c59107513c084
  SHA512: e6ed54aafc4adb15e300c1a397d9e1ee1b2d7583d0a710add1736adea19838ec741fd83048391c4a45b8396354c3a79828f6d0ddca34b76c3a0bf4277e4bb014
- memory/1840-2-0x0000000000000000-mapping.dmp
- memory/1876-6-0x00000000004A2290-mapping.dmp
- memory/1876-5-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1876-8-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1876-9-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1876-10-0x0000000000340000-0x000000000038C000-memory.dmp (Filesize: 304KB)
- memory/1876-11-0x00000000005A2000-0x00000000005A3000-memory.dmp (Filesize: 4KB)
- memory/1876-12-0x0000000000220000-0x0000000000266000-memory.dmp (Filesize: 280KB)