Analysis
- max time kernel: 137s
- max time network: 41s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-01-2021 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: P-list - PO SO-203 1st Container.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: P-list - PO SO-203 1st Container.doc
- Resource: win10v20201028
General
- Target: P-list - PO SO-203 1st Container.doc
- Size: 309KB
- MD5: 7c072f448b120f1535e8a5a893cd3fd9
- SHA1: ce9ff47e8638d97b1aff8813ef5e98e2fcf3c8e0
- SHA256: 6736025e2259223612a583d30d083c61c9acb1d16ca02c9c75d67e3a8c5f2727
- SHA512: 42fb14a7b598bae4572d28a65e22500b7e66f1e4b5e9e727bb1f229e3e923438c0250ea9087dc270fea692ea759f7345cd0ce4626c67852701b67dc220441c22
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.ionos.it
- Port: 587
- Username: [email protected]
- Password: Blessings_2021
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1592-17-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1592-18-0x00000000004375FE-mapping.dmp | family_agenttesla
behavioral1/memory/1592-21-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
5 | 1964 | EQNEDT32.EXE
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
1496 | endkeyxz24318.scr
1912 | endkeyxz24318.scr
884 | endkeyxz24318.scr
1592 | endkeyxz24318.scr
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1964 | EQNEDT32.EXE
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1496 set thread context of 1592 | 1496 | endkeyxz24318.scr | endkeyxz24318.scr
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1832 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
1496 | endkeyxz24318.scr
1496 | endkeyxz24318.scr
1496 | endkeyxz24318.scr
1496 | endkeyxz24318.scr
1592 | endkeyxz24318.scr
1592 | endkeyxz24318.scr
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1496 | endkeyxz24318.scr
Token: SeDebugPrivilege | 1592 | endkeyxz24318.scr
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1832 | WINWORD.EXE
1832 | WINWORD.EXE
1592 | endkeyxz24318.scr
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process | events
PID 1964 wrote to memory of 1496 | 1964 | EQNEDT32.EXE | endkeyxz24318.scr | 4
PID 1496 wrote to memory of 1912 | 1496 | endkeyxz24318.scr | endkeyxz24318.scr | 4
PID 1496 wrote to memory of 884 | 1496 | endkeyxz24318.scr | endkeyxz24318.scr | 4
PID 1496 wrote to memory of 1592 | 1496 | endkeyxz24318.scr | endkeyxz24318.scr | 9
Processes
-
Level 1: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\P-list - PO SO-203 1st Container.doc"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr
  Command line: "C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr
    Command line: "C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr"
    - Executes dropped EXE
-
    Level 3: C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr
    Command line: "C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr"
    - Executes dropped EXE
-
    Level 3: C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr
    Command line: "C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\Roaming\endkeyxz24318.scr
MD5: 0eda2db28f1121fb5d2d6a4095f56c98
SHA1: e8411d8e915aa02b75c4ccac0cd5bd322768c259
SHA256: 5838c36fc9065ba544f6fa76efd90ba3a2ab7242f684ffa9bdb4753f7f670ef8
SHA512: c53fc68df0e055cf639215902640cf3bdbed082011481f334e69cd2a774198df6ca084e15489d7105d8c5d250feb2384b7b1f3c6bb45b34b0b7be5e227cbb248
-
- memory/1496-12-0x0000000001050000-0x0000000001051000-memory.dmp, filesize 4KB
- memory/1496-11-0x000000006ACE0000-0x000000006B3CE000-memory.dmp, filesize 6.9MB
- memory/1496-8-0x0000000000000000-mapping.dmp
- memory/1496-13-0x0000000000DC0000-0x0000000000DC1000-memory.dmp, filesize 4KB
- memory/1496-14-0x00000000004C0000-0x00000000004FF000-memory.dmp, filesize 252KB
- memory/1572-6-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp, filesize 2.5MB
- memory/1592-20-0x000000006ACE0000-0x000000006B3CE000-memory.dmp, filesize 6.9MB
- memory/1592-24-0x0000000004A81000-0x0000000004A82000-memory.dmp, filesize 4KB
- memory/1592-23-0x0000000004A80000-0x0000000004A81000-memory.dmp, filesize 4KB
- memory/1592-17-0x0000000000400000-0x000000000043C000-memory.dmp, filesize 240KB
- memory/1592-18-0x00000000004375FE-mapping.dmp
- memory/1592-21-0x0000000000400000-0x000000000043C000-memory.dmp, filesize 240KB
- memory/1832-2-0x00000000721D1000-0x00000000721D4000-memory.dmp, filesize 12KB
- memory/1832-3-0x000000006FC51000-0x000000006FC53000-memory.dmp, filesize 8KB
- memory/1832-4-0x000000005FFF0000-0x0000000060000000-memory.dmp, filesize 64KB
- memory/1964-5-0x0000000075DE1000-0x0000000075DE3000-memory.dmp, filesize 8KB