Analysis
- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-01-2021 11:39

Static task: static1

Behavioral task: behavioral1
- Sample: Purchase Order nr53781.doc
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Purchase Order nr53781.doc
- Resource: win10v20201028
General
- Target: Purchase Order nr53781.doc
- Size: 310KB
- MD5: abf61590ceeb774adc2ecf02f799735b
- SHA1: a336b3ba62e428c8eaa7d283ff029180dd77921c
- SHA256: 07f36154cb584be7679faa22398bf9f79ee95639964a73b1f31c0fec6883b842
- SHA512: 3f16dc8201eb065176d757b46ff0346dbeede8c28a33535ca09bdd87ece7ae3f95d4c10c21ac1f646ada5e4d4d697986bd478c9707059244fb3227038b3db3d8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: polar.argondns.net
- Port: 587
- Username: [email protected]
- Password: ]4&w8LUz9*LT
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
Resources matched (resource / yara_rule):
behavioral1/memory/1152-17-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
behavioral1/memory/1152-18-0x00000000004374BE-mapping.dmp / family_agenttesla
behavioral1/memory/1152-21-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- Blocklisted process makes network request (1 IoC)
Processes (flow / pid / process):
6 / 1732 / EQNEDT32.EXE
- Executes dropped EXE (3 IoCs)
Processes (pid / process):
1504 / haitian574.scr
1212 / haitian574.scr
1152 / haitian574.scr
- Loads dropped DLL (1 IoC)
Processes (pid / process):
1732 / EQNEDT32.EXE
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
PID 1504 set thread context of 1152 / 1504 / haitian574.scr / haitian574.scr
- Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
Processes (description / ioc / process):
Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt / WINWORD.EXE
Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / WINWORD.EXE
Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" / WINWORD.EXE
Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel / WINWORD.EXE
Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / WINWORD.EXE
Set value (int) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / WINWORD.EXE
Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
Set value (str) / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" / WINWORD.EXE
Key created / \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid / process):
1096 / WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid / process):
1504 / haitian574.scr
1504 / haitian574.scr
1152 / haitian574.scr
1152 / haitian574.scr
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege / 1504 / haitian574.scr
Token: SeDebugPrivilege / 1152 / haitian574.scr
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
1096 / WINWORD.EXE
1096 / WINWORD.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description / pid / process / target process), identical rows grouped with their count:
PID 1732 wrote to memory of 1504 / 1732 / EQNEDT32.EXE / haitian574.scr (4 entries)
PID 1504 wrote to memory of 1212 / 1504 / haitian574.scr / haitian574.scr (4 entries)
PID 1504 wrote to memory of 1152 / 1504 / haitian574.scr / haitian574.scr (9 entries)
Processes
Process tree (indentation shows parent/child depth):
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order nr53781.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\haitian574.scr
    Command line: "C:\Users\Admin\AppData\Roaming\haitian574.scr"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\haitian574.scr
      Command line: "C:\Users\Admin\AppData\Roaming\haitian574.scr"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\haitian574.scr
      Command line: "C:\Users\Admin\AppData\Roaming\haitian574.scr"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\haitian574.scr
  MD5: c355692d41228d977213a283698069d3
  SHA1: cdd411a44fc46ee2a498574508610425a63109af
  SHA256: d39c4f9e017a562f5d60d3d8576b4dc0f360aed5be9804b7671c7bcaf9046a18
  SHA512: 8672443fe1c36ba0329d5859ff7d5a9876c390259ef74104a1d29aec67f2af026dd6e3150b6c29a2ca466df6826b4ffd8d62a3abf86db73d9897fa852a86c971
- memory/1096-14-0x0000000001DC0000-0x0000000001DC1000-memory.dmp (Filesize 4KB)
- memory/1096-3-0x00000000708A1000-0x00000000708A3000-memory.dmp (Filesize 8KB)
- memory/1096-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1096-2-0x0000000072E21000-0x0000000072E24000-memory.dmp (Filesize 12KB)
- memory/1152-17-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1152-18-0x00000000004374BE-mapping.dmp
- memory/1152-20-0x000000006BA40000-0x000000006C12E000-memory.dmp (Filesize 6.9MB)
- memory/1152-21-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1152-23-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize 4KB)
- memory/1152-24-0x0000000004B21000-0x0000000004B22000-memory.dmp (Filesize 4KB)
- memory/1504-12-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize 4KB)
- memory/1504-13-0x00000000005A0000-0x00000000005A1000-memory.dmp (Filesize 4KB)
- memory/1504-11-0x000000006BA40000-0x000000006C12E000-memory.dmp (Filesize 6.9MB)
- memory/1504-15-0x0000000002240000-0x000000000227E000-memory.dmp (Filesize 248KB)
- memory/1504-8-0x0000000000000000-mapping.dmp
- memory/1732-5-0x0000000075711000-0x0000000075713000-memory.dmp (Filesize 8KB)
- memory/1764-6-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp (Filesize 2.5MB)