Analysis
max time kernel: 115s
max time network: 113s
platform: windows7_x64
resource: win7v20201028
submitted: 26-01-2021 06:37
Static task: static1
Behavioral task: behavioral1 (Sample: Shipping Documents.doc; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Shipping Documents.doc; Resource: win10v20201028)
General
Target: Shipping Documents.doc
Size: 310KB
MD5: 7a3e5b886547c1dc69707e8ebc49164c
SHA1: 5d986639838db803ecc37c9d0b98916063dde4be
SHA256: 7e5d0929a23d923994c3b544b5e9b75c08b6871f070f67c0da719f8b4d4f1e9b
SHA512: 5f5bf087361579085d7a2f3dbf3ce0c2f6ad3a8879820d933e1bf89494957596f33177443bea29585c57c64906fb430038d2ffbd9ac1c233b0d8f1ce0283e8bd
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.sardaplywood.com
Port: 587
Username: [email protected]
Password: sup123st45
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload 3 IoCs
Processes:
resource: behavioral1/memory/1636-17-0x0000000000400000-0x000000000043C000-memory.dmp  yara_rule: family_agenttesla
resource: behavioral1/memory/1636-18-0x000000000043769E-mapping.dmp  yara_rule: family_agenttesla
resource: behavioral1/memory/1636-21-0x0000000000400000-0x000000000043C000-memory.dmp  yara_rule: family_agenttesla
Blocklisted process makes network request 1 IoCs
Processes:
flow 6  pid 2032  process EQNEDT32.EXE

Executes dropped EXE 2 IoCs
Processes:
pid 548   process kdot862684.scr
pid 1636  process kdot862684.scr

Loads dropped DLL 2 IoCs
Processes:
pid 2032  process EQNEDT32.EXE
pid 2032  process EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 8  ioc api.ipify.org
flow 9  ioc api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 548 set thread context of 1636  pid 548  process kdot862684.scr  target process kdot862684.scr

Drops file in Windows directory 1 IoCs
Processes:
description: File opened for modification  ioc: C:\Windows\Debug\WIA\wiatrace.log  process: WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description: Key created  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  process: WINWORD.EXE
description: Set value (int)  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  process: WINWORD.EXE
description: Key created  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  process: WINWORD.EXE
description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  process: WINWORD.EXE
description: Set value (int)  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  process: WINWORD.EXE
description: Key created  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar  process: WINWORD.EXE
description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  process: WINWORD.EXE
description: Key created  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt  process: WINWORD.EXE
description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  process: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 1648  process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 1636  process kdot862684.scr
pid 1636  process kdot862684.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description: Token: SeDebugPrivilege  pid 548   process kdot862684.scr
description: Token: SeDebugPrivilege  pid 1636  process kdot862684.scr

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid 1648  process WINWORD.EXE
pid 1648  process WINWORD.EXE
pid 1636  process kdot862684.scr

Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description: PID 2032 wrote to memory of 548   pid 2032  process EQNEDT32.EXE    target process kdot862684.scr  (4 entries)
description: PID 548 wrote to memory of 1636   pid 548   process kdot862684.scr  target process kdot862684.scr  (9 entries)
Processes

(depth 1) "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.doc"
    PID: 1648
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

(depth 1) "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    PID: 2032
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    (depth 2) "C:\Users\Admin\AppData\Roaming\kdot862684.scr"
        PID: 548
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (depth 3) "C:\Users\Admin\AppData\Roaming\kdot862684.scr"
            PID: 1636
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\kdot862684.scr
MD5: eced82df76526559ab854833f213a8c5
SHA1: 3b951e79e92142655bde4b98d5e8e5b0b5ccf2a6
SHA256: 54086875834b1244c63b639f4c7225d611a5f48bd564fdb50ea3e5eb5dde2041
SHA512: 0a1ca95673b55ca3d3f7fe492b5bc06c78498a735bfe764485d170a93068615cae203d51dd6a9ffeb4e972a0788a3e28e4d03125682255452da87793faa6a923