Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 19:38
Static task: static1
Behavioral task: behavioral1
- Sample: pay in receipt.doc.rtf
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: pay in receipt.doc.rtf
- Resource: win10v20210408
General
- Target: pay in receipt.doc.rtf
- Size: 87KB
- MD5: 10c55ac6b300e7e64a787ecd1ee95de5
- SHA1: d958db330fc03846193371c52ec959ef3f310705
- SHA256: 517eb00d2c56a5f1f083dcf451664a95cd3732ba4335792dddacb0ed12111613
- SHA512: aede5abf1e74c0215ba78fb3173629c2defe576a99d6461589d0f388a0456b5d5a2019c9621f44ca3df7e83ebe7e48b4ddb65cf8f397bb990f1a3e7b440a4eca
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sodag-agricole.com
- Port: 587
- Username: sodag@sodag-agricole.com
- Password: agricole**sodag+1990
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 3 IoCs
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/684-77-0x00000000004374FE-mapping.dmp                     family_agenttesla
  behavioral1/memory/684-76-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/684-79-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
- CustAttr .NET packer 1 IoCs
  Detects the CustAttr .NET packer in memory.
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/896-71-0x0000000000900000-0x000000000090B000-memory.dmp   CustAttr
- Blocklisted process makes network request 1 IoCs
  Processes:
  flow  pid   process
  7     1308  EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE 2 IoCs
  Processes:
  pid   process
  896   wealthhd259642.exe
  684   wealthhd259642.exe
- Loads dropped DLL 1 IoCs
  Processes:
  pid   process
  1308  EQNEDT32.EXE
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs such as FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description      ioc                                                                                                                                                                 process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\xepul = "C:\\Users\\Admin\\AppData\\Roaming\\xepul\\xepul.exe"  wealthhd259642.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description                        pid   process             target process
  PID 896 set thread context of 684  896   wealthhd259642.exe  wealthhd259642.exe
- Drops file in Windows directory 1 IoCs
  Processes:
  description                   ioc                                process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
  description      ioc                                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt                                                             WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                            WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                            WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar                                                             WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                   WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
  pid   process
  1048  WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid   process
  684   wealthhd259642.exe
  684   wealthhd259642.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  684   wealthhd259642.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  Processes:
  pid   process
  1048  WINWORD.EXE
  1048  WINWORD.EXE
  684   wealthhd259642.exe
- Suspicious use of WriteProcessMemory 17 IoCs
  Processes:
  description                       pid   process             target process
  PID 1308 wrote to memory of 896   1308  EQNEDT32.EXE        wealthhd259642.exe
  PID 1308 wrote to memory of 896   1308  EQNEDT32.EXE        wealthhd259642.exe
  PID 1308 wrote to memory of 896   1308  EQNEDT32.EXE        wealthhd259642.exe
  PID 1308 wrote to memory of 896   1308  EQNEDT32.EXE        wealthhd259642.exe
  PID 1048 wrote to memory of 1424  1048  WINWORD.EXE         splwow64.exe
  PID 1048 wrote to memory of 1424  1048  WINWORD.EXE         splwow64.exe
  PID 1048 wrote to memory of 1424  1048  WINWORD.EXE         splwow64.exe
  PID 1048 wrote to memory of 1424  1048  WINWORD.EXE         splwow64.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
  PID 896 wrote to memory of 684    896   wealthhd259642.exe  wealthhd259642.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\pay in receipt.doc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wealthhd259642.exe
    Command line: "C:\Users\Admin\AppData\Roaming\wealthhd259642.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\wealthhd259642.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wealthhd259642.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Roaming\wealthhd259642.exe
  MD5: 0714585676ea049f1a14f896764eff6c
  SHA1: e958bc61293fb67c3543abfa2bc8e6382419b7e3
  SHA256: 640be6f81d11c620516ffa238f5bd69490074acc89286dbbb1f8a1e2727ecff4
  SHA512: 26b15c1240e8f77bd3d6b953812c1a121c6ea6ce108d4e924bf496c6449929540764f45d0e9d86846aaa624c34d60c748d2f995dcdf5bd43d3146e6064bb13f4
Memory dumps
- memory/684-77-0x00000000004374FE-mapping.dmp
- memory/684-83-0x0000000000601000-0x0000000000602000-memory.dmp  Filesize: 4KB
- memory/684-81-0x0000000000600000-0x0000000000601000-memory.dmp  Filesize: 4KB
- memory/684-79-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
- memory/684-76-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
- memory/896-65-0x0000000000000000-mapping.dmp
- memory/896-71-0x0000000000900000-0x000000000090B000-memory.dmp  Filesize: 44KB
- memory/896-74-0x0000000005260000-0x00000000052E2000-memory.dmp  Filesize: 520KB
- memory/896-75-0x00000000048C0000-0x00000000048FD000-memory.dmp  Filesize: 244KB
- memory/896-70-0x0000000004960000-0x0000000004961000-memory.dmp  Filesize: 4KB
- memory/896-68-0x0000000000990000-0x0000000000991000-memory.dmp  Filesize: 4KB
- memory/1048-59-0x00000000724A1000-0x00000000724A4000-memory.dmp  Filesize: 12KB
- memory/1048-62-0x0000000075721000-0x0000000075723000-memory.dmp  Filesize: 8KB
- memory/1048-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1048-82-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1048-60-0x000000006FF21000-0x000000006FF23000-memory.dmp  Filesize: 8KB
- memory/1424-72-0x0000000000000000-mapping.dmp
- memory/1424-73-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp  Filesize: 8KB