Analysis
- max time kernel: 141s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-04-2021 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Purchase Order.doc
  Resource: win10v20210410
General
- Target: Purchase Order.doc
- Size: 4KB
- MD5: 9ef6eb1c4c2bc4c409fc59e4bbf36854
- SHA1: e4e956b1f7e500073bab3ccef88e6c4bf784c663
- SHA256: 9aec6bdb253c4e34d6f4629baadc8a01d4674ac5bd084b791820160ed27d2b2b
- SHA512: 45764eb0feb82a7da251461fcf02e56e7b6468a4f45c89f8b3a9826cc81444d50126ad0595d7c19e3e551530763ee8fe94a37423316dd102e990a71fb829d1ca
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: prodip@precisionenergy.me
- Password: @Mexico1.,
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 3 IoCs
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1004-77-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/1004-78-0x00000000004375CE-mapping.dmp                     family_agenttesla
    behavioral1/memory/1004-80-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
- Blocklisted process makes network request 1 IoCs
  Processes:
    flow  pid   process
    7     1580  EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE 2 IoCs
  Processes:
    pid   process
    1000  biggest.exe
    1004  biggest.exe
- Loads dropped DLL 1 IoCs
  Processes:
    pid   process
    1580  EQNEDT32.EXE
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description                          pid   process      target process
    PID 1000 set thread context of 1004  1000  biggest.exe  biggest.exe
- Drops file in Windows directory 1 IoCs
  Processes:
    description                   ioc                                process
    File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
    description      ioc                                                                                                                                            process
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt                                      WINWORD.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"     WINWORD.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"        WINWORD.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                     WINWORD.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel           WINWORD.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar                                      WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid   process
    1820  WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes:
    pid   process
    1000  biggest.exe
    1004  biggest.exe
    1004  biggest.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1000  biggest.exe
    Token: SeDebugPrivilege  1004  biggest.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  Processes:
    pid   process
    1820  WINWORD.EXE
    1820  WINWORD.EXE
    1820  WINWORD.EXE
- Suspicious use of WriteProcessMemory 21 IoCs
  Processes:
    description                       pid   process       target process
    PID 1580 wrote to memory of 1000  1580  EQNEDT32.EXE  biggest.exe
    PID 1580 wrote to memory of 1000  1580  EQNEDT32.EXE  biggest.exe
    PID 1580 wrote to memory of 1000  1580  EQNEDT32.EXE  biggest.exe
    PID 1580 wrote to memory of 1000  1580  EQNEDT32.EXE  biggest.exe
    PID 1820 wrote to memory of 1696  1820  WINWORD.EXE   splwow64.exe
    PID 1820 wrote to memory of 1696  1820  WINWORD.EXE   splwow64.exe
    PID 1820 wrote to memory of 1696  1820  WINWORD.EXE   splwow64.exe
    PID 1820 wrote to memory of 1696  1820  WINWORD.EXE   splwow64.exe
    PID 1000 wrote to memory of 900   1000  biggest.exe   schtasks.exe
    PID 1000 wrote to memory of 900   1000  biggest.exe   schtasks.exe
    PID 1000 wrote to memory of 900   1000  biggest.exe   schtasks.exe
    PID 1000 wrote to memory of 900   1000  biggest.exe   schtasks.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
    PID 1000 wrote to memory of 1004  1000  biggest.exe   biggest.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\biggest.exe
    "C:\Users\Admin\AppData\Roaming\biggest.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGbuSl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3D9.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\biggest.exe
      "{path}"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE3D9.tmp
  MD5: 837266c7e0bcaea7b14bf4729f03e789
  SHA1: 9ee8946cb3b4b7abb24f18709dd5b85abcb62a25
  SHA256: 36ebb612446f4ec480ad5d844d49bf2bcb2d33f7adc3f6394b092900b6cb6582
  SHA512: ec0a229dadf0d0b9568c2dcdc262cf3861d77664b72e222bff1390de28b2d38f629a42feb59d61767ef2b611255adde772a9985e914985910586d05c9583987d
- C:\Users\Admin\AppData\Roaming\biggest.exe
  MD5: 30bd38d2a90db3510019a3fe7dae45cd
  SHA1: ac16719ecd9103689f42ee1719eb6f1b444dba4b
  SHA256: 5d2ecd7210251e5d86670bd25655976536c0ac15f65185ea7003467be2ee5b19
  SHA512: a41ed21642beee783f844d7eac920d2edcab180def732afcbd5d021bf8a72c09a2fe33ab6da5980dabca3230c4a0e73af29ee883bfac2e94aac71cdbd595be84
- \Users\Admin\AppData\Roaming\biggest.exe
  MD5: 30bd38d2a90db3510019a3fe7dae45cd
  SHA1: ac16719ecd9103689f42ee1719eb6f1b444dba4b
  SHA256: 5d2ecd7210251e5d86670bd25655976536c0ac15f65185ea7003467be2ee5b19
  SHA512: a41ed21642beee783f844d7eac920d2edcab180def732afcbd5d021bf8a72c09a2fe33ab6da5980dabca3230c4a0e73af29ee883bfac2e94aac71cdbd595be84
- memory/900-75-0x0000000000000000-mapping.dmp
- memory/1000-64-0x0000000000000000-mapping.dmp
- memory/1000-67-0x0000000000DC0000-0x0000000000DC1000-memory.dmp  Filesize: 4KB
- memory/1000-69-0x0000000007340000-0x0000000007341000-memory.dmp  Filesize: 4KB
- memory/1000-72-0x00000000002D0000-0x00000000002D5000-memory.dmp  Filesize: 20KB
- memory/1000-73-0x0000000008450000-0x00000000084FF000-memory.dmp  Filesize: 700KB
- memory/1000-74-0x0000000002340000-0x00000000023A9000-memory.dmp  Filesize: 420KB
- memory/1004-77-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
- memory/1004-82-0x0000000004CC0000-0x0000000004CC1000-memory.dmp  Filesize: 4KB
- memory/1004-80-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
- memory/1004-78-0x00000000004375CE-mapping.dmp
- memory/1580-62-0x0000000076641000-0x0000000076643000-memory.dmp  Filesize: 8KB
- memory/1696-71-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp  Filesize: 8KB
- memory/1696-70-0x0000000000000000-mapping.dmp
- memory/1820-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1820-60-0x0000000070451000-0x0000000070453000-memory.dmp  Filesize: 8KB
- memory/1820-59-0x00000000729D1000-0x00000000729D4000-memory.dmp  Filesize: 12KB
- memory/1820-83-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB