Analysis
- max time kernel: 149s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 15:09
Static task: static1
Behavioral task: behavioral1
- Sample: PO_001412.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: PO_001412.doc
- Resource: win10v20210410
General
- Target: PO_001412.doc
- Size: 445KB
- MD5: 7eb650183d4d3a9c79d897d11d54547d
- SHA1: 7a4f83f1fcacc6402032bdc309dd91d3e36c2549
- SHA256: 4a97062cd26aaa6430826f03ab22cd25668218b53b34c374e885e5820ee264f2
- SHA512: c4ecfe0a6a2a48691278d44a198d2826b7fa5246da9ff2c93086b490e6dbdfcd7ffdc7763c96e8cae9fddefb7633884e02f58a8934f156b44543403e96f4e061
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.phuboatrading-vn.com
- Port: 587
- Username: logs@phuboatrading-vn.com
- Password: of2ZCW1li4ipTfyE
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 3 IoCs
  resource | yara_rule
  behavioral1/memory/528-78-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/528-79-0x000000000043767E-mapping.dmp | family_agenttesla
  behavioral1/memory/528-81-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Blocklisted process makes network request 1 IoCs
  flow | pid | process
  6 | 524 | EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE 4 IoCs
  pid | process
  1316 | ashley85323.exe
  1400 | ashley85323.exe
  988 | ashley85323.exe
  528 | ashley85323.exe
- Loads dropped DLL 1 IoCs
  pid | process
  524 | EQNEDT32.EXE
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk, and infostealers often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials and similar information.
- Suspicious use of SetThreadContext 1 IoCs
  description | pid | process | target process
  PID 1316 set thread context of 528 | 1316 | ashley85323.exe | ashley85323.exe
- Drops file in Windows directory 1 IoCs
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | process
  1768 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid | process
  1316 | ashley85323.exe
  1316 | ashley85323.exe
  1316 | ashley85323.exe
  1316 | ashley85323.exe
  528 | ashley85323.exe
  528 | ashley85323.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 1316 | ashley85323.exe
  Token: SeDebugPrivilege | 528 | ashley85323.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  pid | process
  1768 | WINWORD.EXE
  1768 | WINWORD.EXE
  528 | ashley85323.exe
- Suspicious use of WriteProcessMemory 25 IoCs
  description | pid | process | target process
  PID 524 wrote to memory of 1316 | 524 | EQNEDT32.EXE | ashley85323.exe
  PID 524 wrote to memory of 1316 | 524 | EQNEDT32.EXE | ashley85323.exe
  PID 524 wrote to memory of 1316 | 524 | EQNEDT32.EXE | ashley85323.exe
  PID 524 wrote to memory of 1316 | 524 | EQNEDT32.EXE | ashley85323.exe
  PID 1768 wrote to memory of 1732 | 1768 | WINWORD.EXE | splwow64.exe
  PID 1768 wrote to memory of 1732 | 1768 | WINWORD.EXE | splwow64.exe
  PID 1768 wrote to memory of 1732 | 1768 | WINWORD.EXE | splwow64.exe
  PID 1768 wrote to memory of 1732 | 1768 | WINWORD.EXE | splwow64.exe
  PID 1316 wrote to memory of 1400 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 1400 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 1400 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 1400 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 988 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 988 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 988 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 988 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
  PID 1316 wrote to memory of 528 | 1316 | ashley85323.exe | ashley85323.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO_001412.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ashley85323.exe
    "C:\Users\Admin\AppData\Roaming\ashley85323.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ashley85323.exe
      "{path}"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\ashley85323.exe
      "{path}"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\ashley85323.exe
      "{path}"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ashley85323.exe
  MD5: 34d4452c1b344685e3f5fd7d0e9640a1
  SHA1: bb42e71329d2ad4baff54600020eb7053cc53026
  SHA256: 65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668
  SHA512: 516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9
- \Users\Admin\AppData\Roaming\ashley85323.exe
  MD5: 34d4452c1b344685e3f5fd7d0e9640a1
  SHA1: bb42e71329d2ad4baff54600020eb7053cc53026
  SHA256: 65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668
  SHA512: 516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9
- memory/524-63-0x0000000075D11000-0x0000000075D13000-memory.dmp
  Filesize: 8KB
- memory/528-79-0x000000000043767E-mapping.dmp
- memory/528-81-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/528-85-0x0000000004B21000-0x0000000004B22000-memory.dmp
  Filesize: 4KB
- memory/528-83-0x0000000004B20000-0x0000000004B21000-memory.dmp
  Filesize: 4KB
- memory/528-78-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1316-70-0x0000000004D40000-0x0000000004D41000-memory.dmp
  Filesize: 4KB
- memory/1316-71-0x00000000005D0000-0x00000000005DE000-memory.dmp
  Filesize: 56KB
- memory/1316-68-0x0000000000030000-0x0000000000031000-memory.dmp
  Filesize: 4KB
- memory/1316-74-0x0000000007D80000-0x0000000007E23000-memory.dmp
  Filesize: 652KB
- memory/1316-75-0x0000000005950000-0x00000000059B1000-memory.dmp
  Filesize: 388KB
- memory/1316-65-0x0000000000000000-mapping.dmp
- memory/1732-73-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
  Filesize: 8KB
- memory/1732-72-0x0000000000000000-mapping.dmp
- memory/1768-61-0x00000000707D1000-0x00000000707D3000-memory.dmp
  Filesize: 8KB
- memory/1768-60-0x0000000072D51000-0x0000000072D54000-memory.dmp
  Filesize: 12KB
- memory/1768-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1768-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB