Analysis
- max time kernel: 135s
- max time network: 57s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 12:32
Static task: static1
Behavioral task: behavioral1
Sample: 2c15cd1a06ff57fa34b1f77d9e2665455b7eaf305400a87d200cdf067e6bda41.rtf
Resource: win7v20210408
General
- Target: 2c15cd1a06ff57fa34b1f77d9e2665455b7eaf305400a87d200cdf067e6bda41.rtf
- Size: 86KB
- MD5: 19c920598bc6c4939ea484862fca2364
- SHA1: 6b27fec9c9c5e147a63a66aee37f35814947feb1
- SHA256: 2c15cd1a06ff57fa34b1f77d9e2665455b7eaf305400a87d200cdf067e6bda41
- SHA512: 25eee7c2478e00a99870b7138dc8e93e8c427fc76d46d8d12ad50da4927cfea641edb5575e8d91928e5e9755666ef41d155ab42221381dcb364ff3c91ecf6a28
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.sodag-agricole.com
- Port: 587
- Username: sodag@sodag-agricole.com
- Password: agricole**sodag+1990
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically written in VB.NET. This build exfiltrates over SMTP using the mail server and credentials in the extracted config above.
-
AgentTesla Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1576-77-0x00000000004374FE-mapping.dmp  family_agenttesla
behavioral1/memory/1576-76-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
behavioral1/memory/1576-79-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
All three YARA matches are in PID 1576, the second wealthre874312.exe instance, i.e. the hollowed child rather than the dropper that launched it.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
6     1704  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1500  wealthre874312.exe
1576  wealthre874312.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1704  EQNEDT32.EXE
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\xepul = "C:\\Users\\Admin\\AppData\\Roaming\\xepul\\xepul.exe" (wealthre874312.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process             target process
PID 1500 set thread context of 1576  1500  wealthre874312.exe  wealthre874312.exe
-
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
This is the Windows Image Acquisition trace log that Office touches on its own; it is sandbox noise, not part of the infection chain.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is a legacy Office component that Office starts out of process, via DCOM with the -Embedding switch, whenever a document contains an equation object. It is a long-standing exploit target (for example CVE-2017-11882, a stack buffer overflow in its FONT record parsing), and because it runs as its own process, a child process spawned by EQNEDT32.EXE is a reliable sign of exploitation.
-
Modifies Internet Explorer settings 9 IoCs
These are Office's own first-run registrations of its Internet Explorer menu extensions (Send to OneNote, Export to Excel), written by WINWORD.EXE; they are sandbox noise, not attacker activity.
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
-
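The Launches Equation Editor signature above fires at runtime, but the same object can be found statically before detonation. The following script is an added example and not the sandbox's own tooling: it decodes each RTF objdata group (tolerating the interleaved control words and line breaks that weaponised RTFs use to break naive hex extraction), reads the OLE 1.0 object header for the class name, and searches the embedded data for the Equation Editor CLSID. The three RTF documents at the bottom are constructed for the demo; the report's own sample is not reproduced, and the compound-file payload is replaced by a stub that only carries the CLSID.

```python
"""Static triage of an RTF for embedded Equation Editor objects (added example)."""
import re
import struct
import uuid
from typing import Dict, List, Optional

# Equation Editor 3.0 class id (ProgID Equation.3). bytes_le is the byte order
# used inside OLE/CFB streams, so that is the form we search the blob for.
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# An RTF control word (\par, \tab, \bin123, ...) plus its optional delimiting space.
_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")


def _group_end(rtf: str, start: int) -> int:
    """Index of the '}' that closes the group enclosing position `start`."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\" and i + 1 < len(rtf) and rtf[i + 1] in "{}\\":
            i += 2                       # escaped brace/backslash, not structure
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return i
            depth -= 1
        i += 1
    return len(rtf)


def objdata_blobs(rtf: str) -> List[bytes]:
    """Decode every \\*\\objdata group to bytes, ignoring interleaved control
    words, whitespace and junk characters (a common exploit-RTF obfuscation)."""
    blobs = []
    for m in re.finditer(r"\\\*\\objdata\b", rtf):
        body = rtf[m.end():_group_end(rtf, m.end())]
        hexchars = re.sub(r"[^0-9A-Fa-f]", "", _CONTROL_WORD.sub("", body))
        blobs.append(bytes.fromhex(hexchars[: len(hexchars) & ~1]))
    return blobs


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Class name from the OLE 1.0 ObjectHeader: OLEVersion(4) FormatID(4), then
    ClassName as a length-prefixed, NUL-terminated ANSI string (MS-OLEDS)."""
    if len(blob) < 12:
        return None
    _version, _fmt, name_len = struct.unpack_from("<III", blob, 0)
    if not 0 < name_len <= 256 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def scan_rtf(rtf: str) -> List[Dict[str, object]]:
    """One finding per embedded object."""
    findings = []
    for blob in objdata_blobs(rtf):
        name = ole1_class_name(blob) or ""
        findings.append({
            "class_name": name,
            "equation_progid": name.lower().startswith("equation"),
            "equation_clsid": EQUATION_CLSID_LE in blob,
            "size": len(blob),
        })
    return findings


def has_equation_object(rtf: str) -> bool:
    """True if any embedded object names Equation Editor by ProgID or CLSID.
    A strong triage signal for a mailed RTF, not proof of CVE-2017-11882."""
    return any(f["equation_progid"] or f["equation_clsid"] for f in scan_rtf(rtf))


def has_objupdate(rtf: str) -> bool:
    """\\objupdate makes Word load the object on open, so EQNEDT32.EXE starts
    without any user click; common in weaponised documents."""
    return re.search(r"\\objupdate\b", rtf) is not None


# --- constructed sample documents (not the report's file) -------------------
def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object record wrapping `native`."""
    rec = struct.pack("<II", 0x00000501, 2)                     # OLEVersion, FormatID 2 = embedded
    rec += struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    rec += struct.pack("<II", 0, 0)                             # empty TopicName, ItemName
    return rec + struct.pack("<I", len(native)) + native


def _obfuscated_hex(data: bytes) -> str:
    """Hex split over lines with a stray control word between chunks."""
    h = data.hex()
    return "\r\n\\tab ".join(h[i:i + 24] for i in range(0, len(h), 24))


# Stand-ins for the compound file that would really follow; only the CLSID matters here.
_EQN_NATIVE = b"CFB-STUB" + EQUATION_CLSID_LE + b"\x00" * 8
_DOC_NATIVE = b"CFB-STUB" + uuid.UUID("00020906-0000-0000-C000-000000000046").bytes_le  # Word.Document.8

EQUATION_RTF = ("{\\rtf1\\ansi\\deff0 Invoice attached.\\par\n"
                "{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata\n"
                + _obfuscated_hex(_ole1_embedded(b"Equation.3", _EQN_NATIVE)) + "}}\\par}")
WORD_OBJ_RTF = ("{\\rtf1\\ansi\\deff0 Embedded memo.\\par\n"
                "{\\object\\objemb{\\*\\objdata "
                + _ole1_embedded(b"Word.Document.8", _DOC_NATIVE).hex() + "}}\\par}")
PLAIN_RTF = "{\\rtf1\\ansi\\deff0 Hello, no objects here.\\par}"

if __name__ == "__main__":
    for label, doc in (("equation", EQUATION_RTF), ("word", WORD_OBJ_RTF), ("plain", PLAIN_RTF)):
        print(label, has_equation_object(doc), has_objupdate(doc), scan_rtf(doc))
```

The CLSID check matters because exploit builders often drop or mangle the objclass/ProgID while the OLE storage still carries the Equation Editor class id. The scanner does not handle `\bin` binary runs or nested OLE packages; for real triage it complements, rather than replaces, rtfobj from oletools.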
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1100  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1576  wealthre874312.exe
1576  wealthre874312.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1500  wealthre874312.exe
Token: SeDebugPrivilege  1576  wealthre874312.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1100  WINWORD.EXE
1100  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                        pid   process             target process      count
PID 1704 wrote to memory of 1500   1704  EQNEDT32.EXE        wealthre874312.exe  4
PID 1100 wrote to memory of 920    1100  WINWORD.EXE         splwow64.exe        4
PID 1500 wrote to memory of 1576   1500  wealthre874312.exe  wealthre874312.exe  9
The WINWORD.EXE writes into splwow64.exe are the normal interaction between 32-bit Office and the 64-bit print-spooler proxy. The EQNEDT32.EXE writes into PID 1500 are the exploited Equation Editor launching the dropper, and the nine writes from 1500 into 1576 are the dropper filling its suspended child with the AgentTesla payload before the SetThreadContext call recorded above.
Processes
-
WINWORD.EXE (pid 1100)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c15cd1a06ff57fa34b1f77d9e2665455b7eaf305400a87d200cdf067e6bda41.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe (pid 920)
    C:\Windows\splwow64.exe 12288
EQNEDT32.EXE (pid 1704)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  wealthre874312.exe (pid 1500)
    "C:\Users\Admin\AppData\Roaming\wealthre874312.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    wealthre874312.exe (pid 1576)
      "C:\Users\Admin\AppData\Roaming\wealthre874312.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
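The process tree above is the whole story in four hops: Equation Editor spawns an executable from the user's roaming profile, that executable starts a second copy of itself and rewrites the child's thread context, and the child writes a Run key pointing into AppData. The script below is an added example, not part of the sandbox report, that turns those three observations into detection rules and runs them over events constructed from the report's own PIDs, paths and registry value. The parent images of WINWORD.EXE and EQNEDT32.EXE are assumptions (the report shows both as top-level processes; EQNEDT32.EXE is normally started by the DcomLaunch service).

```python
"""Behavioural triage rules for the Equation Editor -> dropper -> hollowed child chain (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    image: str
    key: str
    value: str


@dataclass(frozen=True)
class ThreadCtx:
    """SetThreadContext issued by source_pid on a thread of target_pid."""
    source_pid: int
    target_pid: int


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\Admin\AppData\Roaming\wealthre874312.exe"
SID = "S-1-5-21-2455352368-1077083310-2879168483-1000"

# Constructed from the report's process tree; parents marked "assumed" are not in it.
PROCS = [
    ProcCreate(1100, WINWORD, 1000, r"C:\Windows\explorer.exe"),        # assumed parent
    ProcCreate(920, r"C:\Windows\splwow64.exe", 1100, WINWORD),
    ProcCreate(1704, EQNEDT, 600, r"C:\Windows\System32\svchost.exe"),  # assumed: DcomLaunch
    ProcCreate(1500, DROPPER, 1704, EQNEDT),
    ProcCreate(1576, DROPPER, 1500, DROPPER),
]
REGS = [
    RegSet(1576, DROPPER,
           "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xepul",
           r"C:\Users\Admin\AppData\Roaming\xepul\xepul.exe"),
]
CTXS = [ThreadCtx(1500, 1576)]

Hit = Tuple[str, str]
_USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_equation_editor_child(procs: Iterable[ProcCreate]) -> List[Hit]:
    """EQNEDT32.EXE only renders equations; any child process means exploitation."""
    return [("equation_editor_child", f"{p.parent_pid} eqnedt32.exe -> {p.pid} {p.image}")
            for p in procs if _base(p.parent_image) == "eqnedt32.exe"]


def rule_self_hollowing(procs: Iterable[ProcCreate], ctxs: Iterable[ThreadCtx]) -> List[Hit]:
    """A process launches its own image and then rewrites the child's thread
    context: the SetThreadContext half of process hollowing (the WriteProcessMemory
    calls in the report are the other half)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for c in ctxs:
        child = by_pid.get(c.target_pid)
        if (child and child.parent_pid == c.source_pid
                and child.image.lower() == child.parent_image.lower()):
            hits.append(("self_hollowing", f"{c.source_pid} -> {c.target_pid} {_base(child.image)}"))
    return hits


def rule_run_key_user_dir(regs: Iterable[RegSet]) -> List[Hit]:
    """Run/RunOnce value that points into a user-writable profile directory."""
    return [("run_key_user_dir", f"{r.pid} {r.key} = {r.value}")
            for r in regs if _RUN_KEY.search(r.key) and _USER_WRITABLE.match(r.value)]


def triage(procs: List[ProcCreate], regs: List[RegSet], ctxs: List[ThreadCtx]) -> List[Hit]:
    return (rule_equation_editor_child(procs)
            + rule_self_hollowing(procs, ctxs)
            + rule_run_key_user_dir(regs))


if __name__ == "__main__":
    for name, detail in triage(PROCS, REGS, CTXS):
        print(f"[{name}] {detail}")
```

The first rule is the one worth deploying everywhere: Equation Editor has no legitimate reason to create a process, so the rule needs no allow-list. The hollowing rule deliberately keys on parent and child sharing an image path together with a cross-process SetThreadContext, which is rare in benign software; the same check with WriteProcessMemory instead of SetThreadContext would fire on the WINWORD.EXE to splwow64.exe writes, which is exactly the noise to avoid.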
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\wealthre874312.exe
- MD5: 60d92de4c9490fc49ab899cad9bb3efb
- SHA1: c8b3aaa04c2790d283db59b834712aef8cb17026
- SHA256: c1aa3996fb100371e8d443417f1c90f959306af345dc4436d5382e49bb205ac7
- SHA512: c986703bc1fd4130c3a8b4b4d8f16d998b390c0b04e628f7e9d6d8c3f378be9177de71457dd2ee09f4657d3b124e9b2b295a6f40927bc2f8692adacc42ff0b97
-
\Users\Admin\AppData\Roaming\wealthre874312.exe (same file, recorded a second time without the drive letter)
- MD5: 60d92de4c9490fc49ab899cad9bb3efb
- SHA1: c8b3aaa04c2790d283db59b834712aef8cb17026
- SHA256: c1aa3996fb100371e8d443417f1c90f959306af345dc4436d5382e49bb205ac7
- SHA512: c986703bc1fd4130c3a8b4b4d8f16d998b390c0b04e628f7e9d6d8c3f378be9177de71457dd2ee09f4657d3b124e9b2b295a6f40927bc2f8692adacc42ff0b97
-
Memory dumps (pid-sequence-range, filesize):
- memory/920-71-0x0000000000000000-mapping.dmp
- memory/920-72-0x000007FEFC391000-0x000007FEFC393000-memory.dmp  8KB
- memory/1100-59-0x0000000072E91000-0x0000000072E94000-memory.dmp  12KB
- memory/1100-60-0x0000000070911000-0x0000000070913000-memory.dmp  8KB
- memory/1100-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
- memory/1100-62-0x0000000075B31000-0x0000000075B33000-memory.dmp  8KB
- memory/1500-68-0x0000000000010000-0x0000000000011000-memory.dmp  4KB
- memory/1500-70-0x0000000004D20000-0x0000000004D21000-memory.dmp  4KB
- memory/1500-73-0x0000000000870000-0x000000000089D000-memory.dmp  180KB
- memory/1500-74-0x0000000005C90000-0x0000000005D07000-memory.dmp  476KB
- memory/1500-75-0x00000000042C0000-0x00000000042F9000-memory.dmp  228KB
- memory/1500-65-0x0000000000000000-mapping.dmp
- memory/1576-77-0x00000000004374FE-mapping.dmp
- memory/1576-76-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
- memory/1576-79-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
- memory/1576-81-0x0000000004B40000-0x0000000004B41000-memory.dmp  4KB