Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: DAIMON SWIFT 25-02-2021 -.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: DAIMON SWIFT 25-02-2021 -.doc
- Resource: win10v20201028
General
- Target: DAIMON SWIFT 25-02-2021 -.doc
- Size: 740KB
- MD5: f556e94a8fe233d397c37c1bd65eca78
- SHA1: 784969f871b49ae0ff3ad76dc331950bdbbd39bc
- SHA256: d897f9f36f09b0e3618b0ed8387a4e7e45a0c154959f4d5cb9b8d8cb136892a5
- SHA512: 761c019df1f1e1f038018eb1538e1e21c2daca7c283e6a4e13c0103903bf3533202c66a2b61647a559fdaa6bfd6eaec7e7ac640d41e35c61d77252fda93867f5
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microhydrotechnic.co.in
- Port: 587 (SMTP submission)
- Username: [email protected]
- Password: saibaba@1974
These are the credentials the stealer uses to mail collected data to the attacker-controlled mailbox; the host and port are blockable network IoCs, and the account should be reported to the hosting provider.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; the extracted config above shows this build exfiltrating over SMTP.
-
AgentTesla Payload 3 IoCs
resource                                                                      yara_rule
behavioral1/memory/1444-21-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral1/memory/1444-22-0x00000000004374BE-mapping.dmp                     family_agenttesla
behavioral1/memory/1444-25-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
-
Blocklisted process makes network request 3 IoCs
flow  pid   process
6     1808  EQNEDT32.EXE
8     1808  EQNEDT32.EXE
10    1808  EQNEDT32.EXE
The connections are made by the Equation Editor process itself, i.e. by code running inside EQNEDT32.EXE after exploitation, not by Word.
-
Executes dropped EXE 2 IoCs
pid   process
916   69577.exe
1444  69577.exe
-
Loads dropped DLL 1 IoCs
pid   process
1808  EQNEDT32.EXE
-
Suspicious use of SetThreadContext 1 IoCs
description                         pid  process    target process
PID 916 set thread context of 1444  916  69577.exe  69577.exe
Parent and target share the same image (C:\Users\Public\69577.exe) and the target was started with the placeholder command line "{path}"; together with the nine WriteProcessMemory calls from 916 into 1444 listed below, this is the pattern of process hollowing. Consistently, the family_agenttesla YARA hits are in 1444, not in 916.
-
Drops file in Windows directory 1 IoCs
description                   ioc                                 process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; the rest of this report identifies the payload as the AgentTesla stealer, so treat it as a low-weight signal here.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropped 69577.exe registered the task Updates\ATnEOHuleKEd from the XML definition C:\Users\Admin\AppData\Local\Temp\tmpEC52.tmp (hashed under Downloads).
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is a legacy Office component, removed by Microsoft in the January 2018 Office updates, that is a frequent target of exploits such as CVE-2017-11882. A document that causes it to start with -Embedding and then has it launch a process from C:\Users\Public, as here, is the classic signature of that exploit class.
-
Modifies Internet Explorer settings 9 IoCs
All keys are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer (written IE\ below); every write is by WINWORD.EXE:
Key created      IE\MenuExt\E&xport to Microsoft Excel
Set value (int)  IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created      IE\Toolbar
Key created      IE\MenuExt\Se&nd to OneNote
Set value (str)  IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (str)  IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (str)  IE\Toolbar\ShowDiscussionButton = "Yes"
Key created      IE\MenuExt
Set value (int)  IE\MenuExt\Se&nd to OneNote\Contexts = "55"
These are the Internet Explorer context-menu and toolbar entries that Office registers for its own Excel and OneNote integration on first use; they are sandbox noise from Word, not attacker activity.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   process
1944  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   process
1444  69577.exe
1444  69577.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   process
Token: SeDebugPrivilege  916   69577.exe
Token: SeDebugPrivilege  1444  69577.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   process
1944  WINWORD.EXE
1944  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 21 IoCs
description                       pid   process       target process  occurrences
PID 1944 wrote to memory of 2004  1944  WINWORD.EXE   splwow64.exe    4
PID 1808 wrote to memory of 916   1808  EQNEDT32.EXE  69577.exe       4
PID 916 wrote to memory of 1196   916   69577.exe     schtasks.exe    4
PID 916 wrote to memory of 1444   916   69577.exe     69577.exe       9
Processes
WINWORD.EXE  PID 1944
  image:   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DAIMON SWIFT 25-02-2021 -.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe  PID 2004  (child of 1944)
    image:   C:\Windows\splwow64.exe
    cmdline: C:\Windows\splwow64.exe 12288
EQNEDT32.EXE  PID 1808
  image:   C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  69577.exe  PID 916  (child of 1808)
    image:   C:\Users\Public\69577.exe
    cmdline: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    schtasks.exe  PID 1196  (child of 916)
      image:   C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATnEOHuleKEd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC52.tmp"
      - Creates scheduled task(s)
    69577.exe  PID 1444  (child of 916)
      image:   C:\Users\Public\69577.exe
      cmdline: "{path}"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Note: EQNEDT32.EXE appears as a top-level process because it is started as a COM server by the DCOM launcher, not as a child of WINWORD.EXE, so a parent-child rule keyed on Word will not see this chain. The schtasks image resolves to SysWOW64 although the command line names System32: the 32-bit 69577.exe is subject to WoW64 file system redirection.
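The chain above (Word, then Equation Editor started with -Embedding, then a dropped executable in C:\Users\Public that registers a scheduled task from a Temp XML file and re-launches its own image with a placeholder command line) is what a process-creation detection should key on. The following Python is an added example written for this page, not part of the sandbox report or of any vendor's rule set: the events are constructed from the process tree above, the flat per-process record is an assumption rather than a Sysmon or EDR schema, and the rule names are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]  # None where the report shows the process as top-level
    image: str
    cmdline: str


# Constructed from the process tree in this report (PIDs, image paths and
# command lines copied from it). The record layout is this example's own.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(1944, None,
                 r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
                 r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
                 r'"C:\Users\Admin\AppData\Local\Temp\DAIMON SWIFT 25-02-2021 -.doc"'),
    ProcessEvent(2004, 1944, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    # Equation Editor is started by the DCOM launcher, so Word is not its parent.
    ProcessEvent(1808, None,
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcessEvent(916, 1808, r"C:\Users\Public\69577.exe", r'"C:\Users\Public\69577.exe"'),
    ProcessEvent(1196, 916, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATnEOHuleKEd" '
                 r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpEC52.tmp"'),
    ProcessEvent(1444, 916, r"C:\Users\Public\69577.exe", r'"{path}"'),
]

# Locations an unprivileged user can write to; an executable running from one
# of these after an Office/Equation Editor chain is a dropped payload.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\public|users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs, in event order, for every rule an event trips."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        # 1. EQNEDT32.EXE has no legitimate reason to create a child process;
        #    any child is the post-exploitation stage of an Equation Editor bug.
        if parent is not None and basename(parent.image) == "eqnedt32.exe":
            alerts.append(("eqnedt32_spawned_child", e.pid))
        # 2. Executable running from a user-writable drop location.
        if USER_WRITABLE.match(e.image):
            alerts.append(("exec_from_user_writable_path", e.pid))
        # 3. schtasks /Create fed a task definition from the user's Temp dir.
        if (basename(e.image) == "schtasks.exe"
                and re.search(r"/create\b", e.cmdline, re.I)
                and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', e.cmdline, re.I)):
            alerts.append(("schtasks_create_from_temp_xml", e.pid))
        # 4. A process re-launching its own image with an empty or placeholder
        #    command line: the hollowed child that the SetThreadContext and
        #    WriteProcessMemory signatures in this report point at.
        if (parent is not None and parent.image.lower() == e.image.lower()
                and e.cmdline.strip().strip('"') in ("", "{path}")):
            alerts.append(("self_spawn_hollowing_candidate", e.pid))
    return alerts


def ancestry(events: List[ProcessEvent], pid: int) -> List[str]:
    """Image basenames from the top-level ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}  chain={' -> '.join(ancestry(EVENTS, pid))}")
```

Rule 1 is keyed on Equation Editor being the parent rather than on Word spawning something, because the tree shows EQNEDT32.EXE as a top-level process; a "WINWORD.EXE spawns X" rule would miss this whole chain. Rule 4 is deliberately narrow (same image, placeholder command line) so that ordinary self-restarting services do not trip it; in production you would correlate it with the SetThreadContext and cross-process write telemetry the report lists.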
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEC52.tmp
MD5: c7d114f416d3da9b8596c53f5c9ea4af
SHA1: f597d7adffa27c45e253bc199177406b3a1b3314
SHA256: 68cfc241437ba6eeb97beb3c5ab11cd8713097e6f8e87f16b51177d5dc9ccedb
SHA512: 33e448ff3472257fdbd02fd6516c8aa800b37502df0b464f7796138d6cfdfef6d934816c319f0353854bdd5268623647ae07511397c5ba44ea947df83d23e7c1
-
C:\Users\Public\69577.exe
MD5: e87fd305545cf2e642fee18b57bb5252
SHA1: 56fb770cfd829873cd4e45941969335ff98ad0ef
SHA256: 655f621c3d3f6a7da99b1c332ab6dc1d4d9aae9cdef583360c480de982884513
SHA512: fb12f831515aefe3c39c60a8ec9f96febbef5a31c2013e36337ec31191bcebd92e62410d8618ce62860ebfbfd986120624340c5e00d01041afb103a44ef274a2
-
\Users\Public\69577.exe (same file as C:\Users\Public\69577.exe above, recorded without the drive prefix)
MD5: e87fd305545cf2e642fee18b57bb5252
SHA1: 56fb770cfd829873cd4e45941969335ff98ad0ef
SHA256: 655f621c3d3f6a7da99b1c332ab6dc1d4d9aae9cdef583360c480de982884513
SHA512: fb12f831515aefe3c39c60a8ec9f96febbef5a31c2013e36337ec31191bcebd92e62410d8618ce62860ebfbfd986120624340c5e00d01041afb103a44ef274a2
-
Memory dumps (name, Filesize; -mapping.dmp entries record a single address and have no size):
memory/544-8-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp     2.5MB
memory/916-14-0x0000000001210000-0x0000000001211000-memory.dmp    4KB
memory/916-18-0x0000000005120000-0x00000000051A6000-memory.dmp    536KB
memory/916-17-0x00000000004B0000-0x00000000004BB000-memory.dmp    44KB
memory/916-16-0x0000000000F40000-0x0000000000F41000-memory.dmp    4KB
memory/916-10-0x0000000000000000-mapping.dmp
memory/916-13-0x000000006B4D0000-0x000000006BBBE000-memory.dmp    6.9MB
memory/1196-19-0x0000000000000000-mapping.dmp
memory/1444-21-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/1444-22-0x00000000004374BE-mapping.dmp
memory/1444-24-0x000000006B4D0000-0x000000006BBBE000-memory.dmp   6.9MB
memory/1444-25-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/1444-27-0x0000000004760000-0x0000000004761000-memory.dmp   4KB
memory/1808-7-0x0000000075AE1000-0x0000000075AE3000-memory.dmp    8KB
memory/1944-2-0x0000000072B21000-0x0000000072B24000-memory.dmp    12KB
memory/1944-4-0x000000005FFF0000-0x0000000060000000-memory.dmp    64KB
memory/1944-3-0x00000000705A1000-0x00000000705A3000-memory.dmp    8KB
memory/2004-5-0x0000000000000000-mapping.dmp
memory/2004-6-0x000007FEFC021000-0x000007FEFC023000-memory.dmp    8KB
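The dump names above encode the PID and the address range each dump was taken from, and the three family_agenttesla hits in the Signatures section use the same names. As an added example (not tooling from the sandbox or from this page), the following Python parses that naming convention, reproduces the Filesize column from the address ranges, and checks that the YARA hits all sit in the hollowed child 1444 and that the single-address hit 0x4374BE lies inside the 0x400000-0x43C000 image region. The name format is read off this report; the parser and the size-formatting rule are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Naming convention read off the Downloads list:
#   memory/<pid>-<n>-<start>-<end>-memory.dmp  for a dumped address range
#   memory/<pid>-<n>-<addr>-mapping.dmp        for a single address
# The YARA hit list prefixes the same names with "behavioral1/".
DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<n>\d+)-(?P<start>0x[0-9a-f]+)"
    r"(?:-(?P<end>0x[0-9a-f]+)-memory|-mapping)\.dmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Dump:
    pid: int
    index: int
    start: int
    end: Optional[int]  # None for -mapping.dmp entries

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("n")),
                int(m.group("start"), 16), int(end, 16) if end else None)


def human_size(n: int) -> str:
    """Format a byte count the way the report's Filesize column does
    (whole KiB below 1 MiB, otherwise MiB with one decimal)."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


# Copied from the Downloads list: (dump name, reported Filesize or None).
REPORT: List[Tuple[str, Optional[str]]] = [
    ("memory/544-8-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp", "2.5MB"),
    ("memory/916-14-0x0000000001210000-0x0000000001211000-memory.dmp", "4KB"),
    ("memory/916-18-0x0000000005120000-0x00000000051A6000-memory.dmp", "536KB"),
    ("memory/916-17-0x00000000004B0000-0x00000000004BB000-memory.dmp", "44KB"),
    ("memory/916-16-0x0000000000F40000-0x0000000000F41000-memory.dmp", "4KB"),
    ("memory/916-10-0x0000000000000000-mapping.dmp", None),
    ("memory/916-13-0x000000006B4D0000-0x000000006BBBE000-memory.dmp", "6.9MB"),
    ("memory/1196-19-0x0000000000000000-mapping.dmp", None),
    ("memory/1444-21-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/1444-22-0x00000000004374BE-mapping.dmp", None),
    ("memory/1444-24-0x000000006B4D0000-0x000000006BBBE000-memory.dmp", "6.9MB"),
    ("memory/1444-25-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/1444-27-0x0000000004760000-0x0000000004761000-memory.dmp", "4KB"),
    ("memory/1808-7-0x0000000075AE1000-0x0000000075AE3000-memory.dmp", "8KB"),
    ("memory/1944-2-0x0000000072B21000-0x0000000072B24000-memory.dmp", "12KB"),
    ("memory/1944-4-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
    ("memory/1944-3-0x00000000705A1000-0x00000000705A3000-memory.dmp", "8KB"),
    ("memory/2004-5-0x0000000000000000-mapping.dmp", None),
    ("memory/2004-6-0x000007FEFC021000-0x000007FEFC023000-memory.dmp", "8KB"),
]

# The three family_agenttesla hits from the Signatures section.
YARA_HITS = [
    "behavioral1/memory/1444-21-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/1444-22-0x00000000004374BE-mapping.dmp",
    "behavioral1/memory/1444-25-0x0000000000400000-0x000000000043C000-memory.dmp",
]


def size_mismatches(report=REPORT) -> List[str]:
    """Names whose address range does not reproduce the reported Filesize."""
    bad = []
    for name, reported in report:
        d = parse_dump(name)
        if reported is not None and (d.size is None or human_size(d.size) != reported):
            bad.append(name)
    return bad


def yara_summary(hits=YARA_HITS) -> dict:
    """Which PIDs and regions the family rule matched, and whether every
    single-address hit falls inside a matched range."""
    dumps = [parse_dump(h) for h in hits]
    ranges = [d for d in dumps if d.end is not None]
    points = [d for d in dumps if d.end is None]
    return {
        "pids": sorted({d.pid for d in dumps}),
        "regions": sorted({(d.start, d.end) for d in ranges}),
        "points_in_regions": all(any(r.contains(p.start) for r in ranges) for p in points),
    }


if __name__ == "__main__":
    print("size mismatches:", size_mismatches())
    print("yara:", yara_summary())
```

0x400000 is the default image base for a 32-bit PE, so a 240 KB image at that address in child 1444 carrying the family match, while the parent 916's dumps carry none, is exactly what hollowing leaves behind; it also tells you which dump (1444-21 or 1444-25) to pull for configuration extraction.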