Analysis
- max time kernel: 107s
- max time network: 109s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-01-2021 17:08
Static task: static1
Behavioral task: behavioral1
  Sample: Order 21-21.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Order 21-21.doc
  Resource: win10v20201028
General
- Target: Order 21-21.doc
- Size: 1.8MB
- MD5: 7c2eddeb04db10bd3f18c209e44f8ee5
- SHA1: 9ea7737b937666839fc2697fd105036ad22b6db9
- SHA256: 6b4736cadf2ab0f4477b857257ec184758cd846ebae168b2ccc4af62e6871835
- SHA512: 3e378ea1f6c5d6c2dec9c01d9aca73ab0bde58c1b79b709186dbec7a204c918092c5c57d469639abfe4b3154e2dd73cc425aaf172e9e02661bc96c73980c6f78
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.sardaplywood.com
- Port: 587
- Username: superstars@sardaplywood.com
- Password: sup123st45
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/536-16-0x0000000004BF0000-0x0000000004C4C000-memory.dmp    family_agenttesla
  behavioral1/memory/1380-20-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1380-21-0x000000000043769E-mapping.dmp                     family_agenttesla
  behavioral1/memory/1660-33-0x000000000043769E-mapping.dmp                     family_agenttesla
  behavioral1/memory/1380-28-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  5     1780  EQNEDT32.EXE
-
Executes dropped EXE 6 IoCs
Processes:
  pid   process
  536   kdoto8943.scr
  1204  kdoto8943.scr
  1380  kdoto8943.scr
  472   kdoto8943.scr
  300   kdoto8943.scr
  1660  kdoto8943.scr
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1780  EQNEDT32.EXE
  1780  EQNEDT32.EXE
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  7     api.ipify.org
  8     api.ipify.org
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
  description                          pid   process        target process
  PID 536 set thread context of 1204   536   kdoto8943.scr  kdoto8943.scr
  PID 536 set thread context of 1380   536   kdoto8943.scr  kdoto8943.scr
  PID 536 set thread context of 472    536   kdoto8943.scr  kdoto8943.scr
  PID 536 set thread context of 300    536   kdoto8943.scr  kdoto8943.scr
  PID 536 set thread context of 1660   536   kdoto8943.scr  kdoto8943.scr
-
Drops file in Windows directory 1 IoCs
Processes:
  description                   ioc                                 process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes (description: ioc (process)):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1740  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  536   kdoto8943.scr
  536   kdoto8943.scr
  1660  kdoto8943.scr
  1660  kdoto8943.scr
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  536   kdoto8943.scr
  Token: SeDebugPrivilege  1660  kdoto8943.scr
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid   process
  1740  WINWORD.EXE
  1740  WINWORD.EXE
  1660  kdoto8943.scr
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes (identical rows collapsed; the count column gives how many times each row occurs, 37 in total):
  description                       pid   process        target process  count
  PID 1780 wrote to memory of 536   1780  EQNEDT32.EXE   kdoto8943.scr   4
  PID 536 wrote to memory of 1204   536   kdoto8943.scr  kdoto8943.scr   5
  PID 536 wrote to memory of 1380   536   kdoto8943.scr  kdoto8943.scr   9
  PID 536 wrote to memory of 472    536   kdoto8943.scr  kdoto8943.scr   5
  PID 536 wrote to memory of 300    536   kdoto8943.scr  kdoto8943.scr   5
  PID 536 wrote to memory of 1660   536   kdoto8943.scr  kdoto8943.scr   9
Processes (indentation shows parent/child depth in the process tree)
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 21-21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\kdoto8943.scr
    Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\kdoto8943.scr
      Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
      - Executes dropped EXE
    -
    C:\Users\Admin\AppData\Roaming\kdoto8943.scr
      Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
      - Executes dropped EXE
    -
    C:\Users\Admin\AppData\Roaming\kdoto8943.scr
      Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
      - Executes dropped EXE
    -
    C:\Users\Admin\AppData\Roaming\kdoto8943.scr
      Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
      - Executes dropped EXE
    -
    C:\Users\Admin\AppData\Roaming\kdoto8943.scr
      Command line: "C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
  MD5: b95249a3ceacb06a049d3f211479fc7e
  SHA1: 5de29c60c381140276e5e96b473018a73bdd53eb
  SHA256: bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af
  SHA512: 3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47