Analysis
- max time kernel: 63s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 06:08
Static task: static1
Behavioral task: behavioral1
- Sample: DOCX.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DOCX.exe
- Resource: win10v2004-20220414-en
General
- Target: DOCX.exe
- Size: 910KB
- MD5: 399616465c043be87b1448bdde5c3b20
- SHA1: 2f86f7263563942b23907e2c9868edcb6588fc1a
- SHA256: 85c50841a484f05259b3f8e02ed444c0403f605d33f9ee9b0afbceccadc73892
- SHA512: 62729924227b5418291c5e863c3984ab4995403e5a3ef294cda7a01a4b8c9c8f9398add57bd48e038ded99a5c95bdd5be60670befd4b4210a7246f2e696cb853
Malware Config
Extracted
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: DANIEL3116
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: DANIEL3116
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (DOCX.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOCX.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOCX.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOCX.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HSpMzoJ = "C:\\Users\\Admin\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" (DOCX.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4104 (DOCX.exe) set thread context of PID 2464 (DOCX.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    4104  DOCX.exe
    4104  DOCX.exe
    3684  powershell.exe
    2464  DOCX.exe
    2464  DOCX.exe
    3684  powershell.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    2464  DOCX.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 4104 (DOCX.exe)
    Token: SeDebugPrivilege  PID 3684 (powershell.exe)
    Token: SeDebugPrivilege  PID 2464 (DOCX.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    2464  DOCX.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    PID 4104 (DOCX.exe) wrote to memory of PID 3684 (powershell.exe), 3 times
    PID 4104 (DOCX.exe) wrote to memory of PID 3484 (schtasks.exe), 3 times
    PID 4104 (DOCX.exe) wrote to memory of PID 2464 (DOCX.exe), 8 times
- outlook_office_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOCX.exe)
- outlook_win_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOCX.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\DOCX.exe (PID 4104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOCX.exe"
  Signatures:
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lZdwVCul.exe"
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 3484)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lZdwVCul" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2376.tmp"
    Signatures:
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\DOCX.exe (PID 2464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DOCX.exe"
    Signatures:
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2376.tmp
  Filesize: 1KB
  MD5: 0518562ee4071e89fa989ef014b4dfaa
  SHA1: ece334c2cba04dd51d4df2477b31819d095f0e4b
  SHA256: 0b6ada8f680a4d95d43c6a24a86ce2869a686e85c3d22a89c8f5c228f7649e69
  SHA512: 03d6abbab41372e139527f6aefb2bb7f59661b002739efc3afcfb288195e5970aa89b9ed9bd8ff5c03c9e5d1b1e70c7978ec81fc17b6220399fc1f2b0ca824ce
- memory/2464-153-0x00000000064C0000-0x0000000006510000-memory.dmp
  Filesize: 320KB
- memory/2464-142-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/2464-140-0x0000000000000000-mapping.dmp
- memory/3484-137-0x0000000000000000-mapping.dmp
- memory/3684-136-0x0000000000000000-mapping.dmp
- memory/3684-151-0x0000000007BC0000-0x0000000007BCA000-memory.dmp
  Filesize: 40KB
- memory/3684-156-0x0000000007E70000-0x0000000007E78000-memory.dmp
  Filesize: 32KB
- memory/3684-138-0x0000000005280000-0x00000000052B6000-memory.dmp
  Filesize: 216KB
- memory/3684-155-0x0000000007E90000-0x0000000007EAA000-memory.dmp
  Filesize: 104KB
- memory/3684-141-0x0000000005960000-0x0000000005F88000-memory.dmp
  Filesize: 6.2MB
- memory/3684-154-0x0000000007D80000-0x0000000007D8E000-memory.dmp
  Filesize: 56KB
- memory/3684-152-0x0000000007DD0000-0x0000000007E66000-memory.dmp
  Filesize: 600KB
- memory/3684-143-0x00000000058A0000-0x00000000058C2000-memory.dmp
  Filesize: 136KB
- memory/3684-144-0x0000000006180000-0x00000000061E6000-memory.dmp
  Filesize: 408KB
- memory/3684-145-0x0000000006850000-0x000000000686E000-memory.dmp
  Filesize: 120KB
- memory/3684-146-0x00000000077F0000-0x0000000007822000-memory.dmp
  Filesize: 200KB
- memory/3684-147-0x0000000070D90000-0x0000000070DDC000-memory.dmp
  Filesize: 304KB
- memory/3684-148-0x0000000006DF0000-0x0000000006E0E000-memory.dmp
  Filesize: 120KB
- memory/3684-149-0x0000000008190000-0x000000000880A000-memory.dmp
  Filesize: 6.5MB
- memory/3684-150-0x0000000007B50000-0x0000000007B6A000-memory.dmp
  Filesize: 104KB
- memory/4104-130-0x0000000000440000-0x0000000000528000-memory.dmp
  Filesize: 928KB
- memory/4104-132-0x0000000004F00000-0x0000000004F92000-memory.dmp
  Filesize: 584KB
- memory/4104-131-0x00000000055E0000-0x0000000005B84000-memory.dmp
  Filesize: 5.6MB
- memory/4104-133-0x0000000004EE0000-0x0000000004EEA000-memory.dmp
  Filesize: 40KB
- memory/4104-134-0x0000000008AC0000-0x0000000008B5C000-memory.dmp
  Filesize: 624KB
- memory/4104-135-0x00000000094F0000-0x0000000009556000-memory.dmp
  Filesize: 408KB