Analysis
- max time kernel: 127s
- max time network: 160s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 07:49

Static task: static1
Behavioral task: behavioral1
- Sample: RFQ No3756368.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: RFQ No3756368.doc
- Resource: win10v20210410
General
- Target: RFQ No3756368.doc
- Size: 75KB
- MD5: b156ed4230557289721a0256a6aa23ea
- SHA1: 59d8da9d1c4ec783f59d9c6ba330e4392151cb9a
- SHA256: 8e97e85fd5881e5f4f31f95f5bc13de014ab3a3f278fec651f5208a73f22259e
- SHA512: 8c1e68f8f497becf235c453c23eab1638ca4ceb283e92ab221ec366ed24b10152e4e2301fbf3739f095dc32c4b3f6fcec3432d587440fe54d4e2d6e7c6ef2d91
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.camerapro.co.za
- Port: 587
- Username: orders@camerapro.co.za
- Password: JJJ65259sss
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET; the extracted configuration is the SMTP account it uses to exfiltrate stolen data.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1644-77-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/1644-78-0x000000000043762E-mapping.dmp | family_agenttesla
  behavioral1/memory/1644-80-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  7 | 1216 | EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | process
  1692 | odogwu98741.exe
  1644 | odogwu98741.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1216 | EQNEDT32.EXE
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1692 set thread context of 1644 | 1692 | odogwu98741.exe | odogwu98741.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings (9 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  1832 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1644 | odogwu98741.exe
  1644 | odogwu98741.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1692 | odogwu98741.exe
  Token: SeDebugPrivilege | 1644 | odogwu98741.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1832 | WINWORD.EXE
  1832 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (17 IoCs, grouped by source and target)
  description | pid | process | target process | count
  PID 1216 wrote to memory of 1692 | 1216 | EQNEDT32.EXE | odogwu98741.exe | 4
  PID 1832 wrote to memory of 1552 | 1832 | WINWORD.EXE | splwow64.exe | 4
  PID 1692 wrote to memory of 1644 | 1692 | odogwu98741.exe | odogwu98741.exe | 9
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ No3756368.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Roaming\odogwu98741.exe
    "C:\Users\Admin\AppData\Roaming\odogwu98741.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Roaming\odogwu98741.exe
      "C:\Users\Admin\AppData\Roaming\odogwu98741.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
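One way to turn this chain into detection logic, as an added example that is not part of the sandbox report: the Python below replays Sysmon-style process-creation and cross-process-access events constructed by hand from the tree above and runs three rules over them: a child of Equation Editor, an executable started from the user profile, and the SetThreadContext-after-WriteProcessMemory hollowing pattern between the two odogwu98741.exe instances. The record layout, the explorer.exe parent of WINWORD.EXE and the svchost.exe parent of the DCOM-launched EQNEDT32.EXE are assumptions; the report shows both at tree depth 1 without a parent.

```python
"""Detection rules run over Sysmon-style process events reconstructed from
the process tree and signatures in this report.  Added example, not part of
the sandbox output: the event records below are constructed by hand from the
report's PIDs, images and command lines.  The explorer.exe parent of WINWORD
and the svchost.exe parent of the DCOM-launched EQNEDT32.EXE are assumptions
(the report shows both at tree depth 1 without a parent)."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessCreate:            # the Sysmon event ID 1 fields used here
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class ProcessAccess:            # one cross-process API call, source -> target
    source_pid: int
    target_pid: int
    api: str                    # "WriteProcessMemory" or "SetThreadContext"


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\odogwu98741.exe"
EXPLORER = r"C:\Windows\explorer.exe"            # assumed parent of WINWORD
SVCHOST = r"C:\Windows\System32\svchost.exe"      # assumed DCOM launcher of EQNEDT32

# Constructed from the report's process tree (PIDs and command lines as listed).
CREATES = [
    ProcessCreate(1832, WINWORD, f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ No3756368.doc"', 400, EXPLORER),
    ProcessCreate(1552, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 1832, WINWORD),
    ProcessCreate(1216, EQNEDT, f'"{EQNEDT}" -Embedding', 700, SVCHOST),
    ProcessCreate(1692, DROPPED, f'"{DROPPED}"', 1216, EQNEDT),
    ProcessCreate(1644, DROPPED, f'"{DROPPED}"', 1692, DROPPED),
]

# Constructed from the WriteProcessMemory and SetThreadContext signatures.
ACCESSES = (
    [ProcessAccess(1216, 1692, "WriteProcessMemory")] * 4
    + [ProcessAccess(1832, 1552, "WriteProcessMemory")] * 4
    + [ProcessAccess(1692, 1644, "WriteProcessMemory")] * 9
    + [ProcessAccess(1692, 1644, "SetThreadContext")]
)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def rule_equation_editor_child(creates):
    """Any child of Equation Editor.  EQNEDT32.EXE is an out-of-process COM
    server that renders equations and never needs to start programs, and
    because DCOM starts it with -Embedding its parent is not WINWORD.EXE, so
    a rule keyed on an Office parent would miss this chain entirely."""
    return [f"T1203 EQNEDT32.EXE pid {c.parent_pid} spawned {c.image} (pid {c.pid})"
            for c in creates if _name(c.parent_image) == "eqnedt32.exe"]


def rule_exe_from_appdata(creates):
    """Executables started from the user profile by something other than the
    shell; this catches the dropped file at both layers of the tree."""
    return [f"user-profile exe {c.image} (pid {c.pid}) started by {_name(c.parent_image)}"
            for c in creates
            if "\\appdata\\" in c.image.lower() and _name(c.parent_image) != "explorer.exe"]


def rule_process_hollowing(creates, accesses):
    """A process starts a child from its own image, writes into it and then
    calls SetThreadContext on it: the hollowing sequence the report records as
    1692 -> 1644.  WriteProcessMemory into a child of a different image
    (WINWORD -> splwow64, EQNEDT32 -> odogwu98741) is the normal footprint of
    CreateProcess setting up a new child and is deliberately not flagged."""
    by_pid = {c.pid: c for c in creates}
    writes = defaultdict(int)
    context_set = set()
    for a in accesses:
        if a.api == "WriteProcessMemory":
            writes[(a.source_pid, a.target_pid)] += 1
        elif a.api == "SetThreadContext":
            context_set.add((a.source_pid, a.target_pid))
    alerts = []
    for src, dst in sorted(context_set):
        parent, child = by_pid.get(src), by_pid.get(dst)
        if (parent and child and child.parent_pid == src
                and child.image.lower() == parent.image.lower()):
            alerts.append(f"T1055.012 hollowing: pid {src} -> {dst} ({_name(child.image)}), "
                          f"{writes[(src, dst)]} memory writes")
    return alerts


def run_all(creates=CREATES, accesses=ACCESSES):
    return (rule_equation_editor_child(creates)
            + rule_exe_from_appdata(creates)
            + rule_process_hollowing(creates, accesses))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Running the file prints four alerts: one for EQNEDT32.EXE spawning the dropped file, two for odogwu98741.exe running out of AppData\Roaming, and one for the hollowing pair. The four WINWORD.EXE writes into splwow64.exe produce nothing, which is the point of requiring a same-image child plus SetThreadContext rather than alerting on WriteProcessMemory alone.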
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\odogwu98741.exe (listed four times in the report, once as \Users\Admin\AppData\Roaming\odogwu98741.exe, all with identical hashes)
  MD5: 9c0421b87aa0703d72fe9b405938eecc
  SHA1: 40c2016e003fc0c1268251aba63bbcffd7658280
  SHA256: 8b987ac35e194eb8c98666431ac30a66c4daae15e605679390dea2e72d9199eb
  SHA512: fcf8a240df4de33c2515ee1f87d0bcfe0f01be36167686b15484a2a0b1e9ec281887c0589c673aace65bc113706a51f83beafbc496607c68be10bcf40c36024a
- memory/1552-73-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp (Filesize 8KB)
- memory/1552-72-0x0000000000000000-mapping.dmp
- memory/1644-77-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1644-78-0x000000000043762E-mapping.dmp
- memory/1644-82-0x00000000022B0000-0x00000000022B1000-memory.dmp (Filesize 4KB)
- memory/1644-80-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1692-75-0x00000000053B0000-0x000000000542A000-memory.dmp (Filesize 488KB)
- memory/1692-74-0x00000000004E0000-0x000000000050D000-memory.dmp (Filesize 180KB)
- memory/1692-66-0x0000000000000000-mapping.dmp
- memory/1692-76-0x0000000000610000-0x0000000000649000-memory.dmp (Filesize 228KB)
- memory/1692-71-0x0000000004E90000-0x0000000004E91000-memory.dmp (Filesize 4KB)
- memory/1692-69-0x0000000000B60000-0x0000000000B61000-memory.dmp (Filesize 4KB)
- memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1832-60-0x0000000072FA1000-0x0000000072FA4000-memory.dmp (Filesize 12KB)
- memory/1832-63-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize 8KB)
- memory/1832-61-0x0000000070A21000-0x0000000070A23000-memory.dmp (Filesize 8KB)
- memory/1832-83-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)