Analysis
- max time kernel: 131s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: LM Approved Invoice-04-05-2021.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: LM Approved Invoice-04-05-2021.doc
- Resource: win10v20210410
General
- Target: LM Approved Invoice-04-05-2021.doc
- Size: 3.8MB
- MD5: 95f8e935279c289154b784d37bfdbae7
- SHA1: 3e711dc23a09ef291f95b7e06c9ba708e35dbe95
- SHA256: 4caa64908b36893b18dca45402ee03d15381c605b6c0f07497f209f73a1c038d
- SHA512: cb7d9d0849087f0800fb1dec9185debe1b3baae0244ac62e32adcf49e2058df29514b801b2802a35c4acc33c2d142a84ebbc27f91e8f95f104d4a519b8efc5bb
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.nilkarnal.com
- Port: 587
- Username: logs@nilkarnal.com
- Password: company1960
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1980-81-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1980-82-0x00000000004375FE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1980-84-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - flow 7, pid 1156, EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - pid 748, KSDHFU.exe
  - pid 1980, KSDHFU.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - pid 1156, EQNEDT32.EXE
  - pid 1156, EQNEDT32.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 748 set thread context of 1980; process KSDHFU.exe, target process KSDHFU.exe
- Drops file in Windows directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\Debug\WIA\wiatrace.log, by WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description, ioc, process), all by WINWORD.EXE:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  - pid 1088, WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - pid 1980, KSDHFU.exe
  - pid 1980, KSDHFU.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege; pid 1980, KSDHFU.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - pid 1088, WINWORD.EXE
  - pid 1088, WINWORD.EXE
  - pid 748, KSDHFU.exe
  - pid 748, KSDHFU.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process); identical rows grouped with their count:
  - PID 1156 wrote to memory of 748; EQNEDT32.EXE -> KSDHFU.exe (4 entries)
  - PID 1088 wrote to memory of 1612; WINWORD.EXE -> splwow64.exe (4 entries)
  - PID 748 wrote to memory of 384; KSDHFU.exe -> schtasks.exe (4 entries)
  - PID 748 wrote to memory of 1980; KSDHFU.exe -> KSDHFU.exe (9 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\LM Approved Invoice-04-05-2021.doc"
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\KSDHFU.exe
    Command line: C:\Users\Admin\AppData\Roaming\KSDHFU.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AhuFCWIiU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45C7.tmp"
      Signatures:
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\KSDHFU.exe
      Command line: "C:\Users\Admin\AppData\Roaming\KSDHFU.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp45C7.tmp
  MD5: 01dc1ed1183dc0aa981275637d3e81bf
  SHA1: 44b95374dd34571b7085e70c14fa4d04a4636942
  SHA256: 9295bd678071e53a8e22896a37191e2f573f3a479e03f718f9b3878435be33a1
  SHA512: c92c63e99e3b6af93646976afce6776620effb64b35bbd5da77da6f1ae5aa2e3f1aed002fa81ef9cc06886d80cb620f639e64fe09ce2f529813fa6db67c5cec2
- C:\Users\Admin\AppData\Roaming\KSDHFU.exe
  MD5: 9dfaa6afc47f0bf01155b7f8253f719b
  SHA1: 0e82d1395e219ed0400959e6315675fdd03f0a54
  SHA256: fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f
  SHA512: 95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e
- memory/384-79-0x0000000000000000-mapping.dmp
- memory/748-71-0x0000000004B81000-0x0000000004B82000-memory.dmp, 4KB
- memory/748-65-0x0000000000000000-mapping.dmp
- memory/748-68-0x0000000000D80000-0x0000000000D81000-memory.dmp, 4KB
- memory/748-70-0x0000000004B80000-0x0000000004B81000-memory.dmp, 4KB
- memory/748-72-0x0000000004B82000-0x0000000004B83000-memory.dmp, 4KB
- memory/748-78-0x0000000004980000-0x00000000049BE000-memory.dmp, 248KB
- memory/748-73-0x00000000004E0000-0x00000000004EE000-memory.dmp, 56KB
- memory/748-77-0x0000000005190000-0x000000000520B000-memory.dmp, 492KB
- memory/1088-76-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB
- memory/1088-59-0x0000000072DB1000-0x0000000072DB4000-memory.dmp, 12KB
- memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB
- memory/1088-60-0x0000000070831000-0x0000000070833000-memory.dmp, 8KB
- memory/1156-62-0x0000000075DA1000-0x0000000075DA3000-memory.dmp, 8KB
- memory/1612-75-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp, 8KB
- memory/1612-74-0x0000000000000000-mapping.dmp
- memory/1980-81-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
- memory/1980-82-0x00000000004375FE-mapping.dmp
- memory/1980-84-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
- memory/1980-86-0x0000000004B20000-0x0000000004B21000-memory.dmp, 4KB