Analysis
- max time kernel: 127s
- max time network: 30s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 06:25
Static task: static1
Behavioral task: behavioral1
- Sample: tesla enquiries.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: tesla enquiries.doc
- Resource: win10v20201028
General
- Target: tesla enquiries.doc
- Size: 132KB
- MD5: 85585f5162a053f177019cec24e86375
- SHA1: 720f60ada0426fe82aabaa4c3f8db95c2e09b07a
- SHA256: 9c9d3701bb36c5fc3498ca7d57d553ee644ddd6daa8e551b80b2d109bdd08d35
- SHA512: 6f1f1fae3a7d5a16611df9f46e78b57d72721499b7ad7b79bc2054d71b02c9245338a8f6ffd19e4b23944ae511c08c9eb02e788bbe26e5b940703b41bd9c38ea
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.orienttech.com.qa
- Port: 587
- Username: [email protected]
- Password: Op{^fLb9gN[!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1624-20-0x00000000004374AE-mapping.dmp | family_agenttesla
behavioral1/memory/1624-19-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1624-24-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
6 | 1956 | EQNEDT32.EXE
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
928 | joe6541.exe
1624 | joe6541.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1956 | EQNEDT32.EXE (2 entries)
1496 | WerFault.exe (5 entries)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe" | joe6541.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
pid | process
928 | joe6541.exe (12 entries)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 928 set thread context of 1624 | 928 | joe6541.exe | joe6541.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1496 | 928 | WerFault.exe | joe6541.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
1840 | timeout.exe
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1108 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
928 | joe6541.exe (3 entries)
1624 | joe6541.exe (2 entries)
1496 | WerFault.exe (5 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 928 | joe6541.exe
Token: SeDebugPrivilege | 1624 | joe6541.exe
Token: SeDebugPrivilege | 1496 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1108 | WINWORD.EXE (2 entries)
1624 | joe6541.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process
PID 1956 wrote to memory of 928 | 1956 | EQNEDT32.EXE | joe6541.exe (4 entries)
PID 928 wrote to memory of 1988 | 928 | joe6541.exe | cmd.exe (4 entries)
PID 1988 wrote to memory of 1840 | 1988 | cmd.exe | timeout.exe (4 entries)
PID 928 wrote to memory of 1624 | 928 | joe6541.exe | joe6541.exe (9 entries)
PID 928 wrote to memory of 1496 | 928 | joe6541.exe | WerFault.exe (4 entries)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tesla enquiries.doc"
  PID: 1108
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 1956
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child of 1956: C:\Users\Admin\AppData\Roaming\joe6541.exe
    Command line: "C:\Users\Admin\AppData\Roaming\joe6541.exe"
    PID: 928
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child of 928: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
      PID: 1988
      - Suspicious use of WriteProcessMemory
      Child of 1988: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 1
        PID: 1840
        - Delays execution with timeout.exe
    Child of 928: C:\Users\Admin\AppData\Roaming\joe6541.exe
      Command line: "C:\Users\Admin\AppData\Roaming\joe6541.exe"
      PID: 1624
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    Child of 928: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1120
      PID: 1496
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\joe6541.exe
  MD5: 9decf18e822a2b03210185facccba692
  SHA1: 620b31f55ddad8ae34067f945cc0b7a7933e8538
  SHA256: 17a68f9da8d4a8ad6bedb9e2245d88ec5d368ed97c4de660057a1b4ef17b848a
  SHA512: e0f8b91244e0fe7f0e734599957c59dd4afdbad2fa6b8b7f97f7c792855b8ef8667406c89fcc195c6612a606338cff6ce5bb91f512c17399e37ef47a0f4f47ad
-
\Users\Admin\AppData\Roaming\joe6541.exe
  MD5: 9decf18e822a2b03210185facccba692
  SHA1: 620b31f55ddad8ae34067f945cc0b7a7933e8538
  SHA256: 17a68f9da8d4a8ad6bedb9e2245d88ec5d368ed97c4de660057a1b4ef17b848a
  SHA512: e0f8b91244e0fe7f0e734599957c59dd4afdbad2fa6b8b7f97f7c792855b8ef8667406c89fcc195c6612a606338cff6ce5bb91f512c17399e37ef47a0f4f47ad
-
memory/928-12-0x000000006B190000-0x000000006B87E000-memory.dmp, Filesize: 6.9MB
-
memory/928-13-0x0000000000D20000-0x0000000000D21000-memory.dmp, Filesize: 4KB
-
memory/928-15-0x0000000000440000-0x0000000000441000-memory.dmp, Filesize: 4KB
-
memory/928-16-0x0000000000250000-0x0000000000297000-memory.dmp, Filesize: 284KB
-
memory/928-9-0x0000000000000000-mapping.dmp
-
memory/1108-4-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
-
memory/1108-3-0x000000006FFD1000-0x000000006FFD3000-memory.dmp, Filesize: 8KB
-
memory/1108-2-0x0000000072551000-0x0000000072554000-memory.dmp, Filesize: 12KB
-
memory/1400-6-0x000007FEF7510000-0x000007FEF778A000-memory.dmp, Filesize: 2.5MB
-
memory/1496-33-0x0000000000340000-0x0000000000341000-memory.dmp, Filesize: 4KB
-
memory/1496-26-0x0000000001EE0000-0x0000000001EF1000-memory.dmp, Filesize: 68KB
-
memory/1496-23-0x0000000000000000-mapping.dmp
-
memory/1624-24-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB
-
memory/1624-22-0x000000006B190000-0x000000006B87E000-memory.dmp, Filesize: 6.9MB
-
memory/1624-19-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB
-
memory/1624-20-0x00000000004374AE-mapping.dmp
-
memory/1624-32-0x00000000003A0000-0x00000000003A1000-memory.dmp, Filesize: 4KB
-
memory/1624-34-0x00000000003A1000-0x00000000003A2000-memory.dmp, Filesize: 4KB
-
memory/1840-18-0x0000000000000000-mapping.dmp
-
memory/1956-5-0x00000000760D1000-0x00000000760D3000-memory.dmp, Filesize: 8KB
-
memory/1988-17-0x0000000000000000-mapping.dmp