Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 17:13
Behavioral task behavioral1
- Sample: ORDER-221202.xls
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: ORDER-221202.xls
- Resource: win10v2004-20220901-en
The platform and resource in the Analysis header match behavioral2, so the signatures, process tree and dumps on this page are from the Windows 10 run; the Windows 7 run's results are not shown here.
General
- Target: ORDER-221202.xls
- Size: 38KB
- MD5: f79fc28e4f8f45673f7cd89ebfdfd8f2
- SHA1: c42880c461fd52ac284659592b00979bfb2b4e26
- SHA256: 7848297de8cb3a65afb8413171818248db22bc4f47f57aa0f4aa5effda1ca94e
- SHA512: 5c38b393d9b358e91febb56f540c52f14ff991a8bed5b909e8c0b71814d467f3ea81084835774f109168f05263890339d03f5311ffa2e22d8b2b2e9a0f7ce557
- SSDEEP: 768:gqDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAKg4xau+yPRBUVOPh6k/vZiGBFDAEp:9DZ+RwPONXoRjDhIcp0fDlaGGx+cL26V
Malware Config
Extracted (family: agenttesla; the report lists this configuration twice, once untagged and once tagged agenttesla, with identical values)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: zahimrahim18@gmail.com
- Password: pifgweijlylkellk
These are the operator's exfiltration credentials, the mailbox the stealer sends harvested data to, not victim data. The 16 lowercase letters match the format of a Google app password, which is how a non-Google client authenticates to smtp.gmail.com on the submission port 587 (STARTTLS). The account is a candidate for abuse reporting to the provider, and the host/port pair is the thing to watch for on the host side, since the page's Network section records nothing.
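The config above names the exfiltration channel (SMTP submission to smtp.gmail.com:587). Because the session is STARTTLS, the AUTH exchange and message body are encrypted on the wire, so the practical detection is host-side: which process opened the connection. The following is an added example, not part of the sandbox report; it scores records shaped like Sysmon Event ID 3 (NetworkConnect) fields, using the report's endpoint as a high-confidence indicator and a generic "SMTP from a non-mail-client" rule as the fallback. The allow-list, the user-writable path pattern and the sample records are assumptions constructed for the example.

```python
"""
Added example (not part of the sandbox report): flag SMTP-submission
connections from processes that are not mail clients, using the report's
extracted AgentTesla exfil endpoint (smtp.gmail.com:587) as a high-confidence
indicator. Input records are constructed in the shape of Sysmon Event ID 3
(NetworkConnect) fields; the allow-list and paths are assumptions to tune.
"""
import re
from dataclasses import dataclass

# From the report's extracted config.
EXFIL_HOST = "smtp.gmail.com"
EXFIL_PORT = 587

# Mail submission/relay ports worth watching regardless of destination host.
MAIL_PORTS = {25, 465, 587}

# Assumption: the only processes that should speak SMTP on a workstation.
MAIL_CLIENT_ALLOWLIST = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}

# User-writable locations an Office-dropped payload typically runs from
# (the report's office.exe lives in AppData\Local\Temp).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)


@dataclass
class Verdict:
    severity: str  # "high", "medium" or "none"
    reason: str


def classify(event: dict) -> Verdict:
    """Score one NetworkConnect record. The hostname may be absent on real
    hosts (Sysmon only fills it when a reverse lookup succeeds), so the port-
    and path-based rules do not depend on it."""
    image = event["Image"].lower()
    port = int(event["DestinationPort"])
    host = (event.get("DestinationHostname") or "").lower()
    if port not in MAIL_PORTS:
        return Verdict("none", "not a mail port")
    if image in MAIL_CLIENT_ALLOWLIST:
        return Verdict("none", "allow-listed mail client")
    if host == EXFIL_HOST and port == EXFIL_PORT and USER_WRITABLE.match(image):
        return Verdict("high", f"known AgentTesla exfil endpoint {host}:{port} from a user-writable path")
    if USER_WRITABLE.match(image):
        return Verdict("high", "SMTP from a binary in a user-writable path")
    return Verdict("medium", "SMTP from a process that is not an allow-listed mail client")


def triage(events):
    """Return (ProcessId, severity, reason) for every record that is not benign."""
    out = []
    for e in events:
        v = classify(e)
        if v.severity != "none":
            out.append((e["ProcessId"], v.severity, v.reason))
    return out


# Constructed sample records (the report's own Network section is empty).
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "Image": r"C:\Users\Admin\AppData\Local\Temp\office.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"ProcessId": 5120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.example.invalid", "DestinationPort": 443},
    {"ProcessId": 2200, "Image": r"C:\Program Files\SomeApp\app.exe",
     "DestinationHostname": None, "DestinationPort": 25},
]

if __name__ == "__main__":
    for pid, sev, why in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {sev} - {why}")
```

The hostname-specific rule is deliberately the narrowest one: the operator can change mailbox, provider and port with a rebuild, while "a binary under AppData talking SMTP" survives that. Tune the allow-list to the estate before relying on the medium-severity fallback.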
Signatures
-
AgentTesla
Agent Tesla is a .NET-based infostealer and remote access tool (RAT). The sandbox's family note says Visual Basic; the samples in circulation are .NET assemblies, and the CLR usage log listed under Downloads shows this one ran on the .NET runtime.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
- PID 1592 office.exe
- PID 4312 office.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (office.exe)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (office.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (office.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (office.exe)
9375CFF0413111d3B88A00104B2A6676 is the MAPI profile section that holds account settings and stored mail credentials; the three paths cover Outlook 2013 (15.0), Outlook 2016 and later (16.0) and the older Windows Messaging Subsystem location. Any process other than Outlook opening this section is a credential-theft indicator; here it is the second office.exe (PID 4312).
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad = "C:\Users\Admin\AppData\Roaming\notepad.exe" (office.exe)
The value name and file name mimic the Windows Notepad binary, but the path is the user's Roaming profile, not \Windows\System32. No write to that path appears in this report's Downloads list, so check the Roaming folder on a live host rather than assuming the copy succeeded.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1592 (office.exe) set thread context of PID 4312 (office.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an AgentTesla infostealer it is more consistent with drive enumeration during collection, and no file-encryption activity appears anywhere in this report.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
These reads come from the legitimate EXCEL.EXE process, which also performs them when opening a benign document, so they are low-signal here.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
As with the processor reads, these are from EXCEL.EXE and routine for Office; the dropped office.exe does not appear in either table.
-
Gathers network information 2 TTPs 2 IoCs
Runs the ipconfig command-line utility. The command lines in the process tree are ipconfig /release followed by ipconfig /renew, which drop and re-acquire the DHCP lease rather than merely viewing the configuration, so the dropper briefly resets the host's network connectivity before the payload runs.
Processes:
- PID 2684 ipconfig.exe
- PID 3640 ipconfig.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 3828 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 2704 powershell.exe (2 events)
- PID 4312 office.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2704 powershell.exe
- Token: SeDebugPrivilege, PID 1592 office.exe
- Token: SeDebugPrivilege, PID 4312 office.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
- PID 3828 EXCEL.EXE (12 events)
- PID 4312 office.exe (1 event)
Excel installs UI hooks as part of normal operation; the single call from the hollowed office.exe (PID 4312) is the relevant one and is consistent with the keyboard hook AgentTesla's keylogger installs.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
- PID 1592 office.exe wrote to memory of PID 2704 powershell.exe (3 events)
- PID 1592 office.exe wrote to memory of PID 4756 cmd.exe (3 events)
- PID 4756 cmd.exe wrote to memory of PID 3640 ipconfig.exe (3 events)
- PID 1592 office.exe wrote to memory of PID 4396 cmd.exe (3 events)
- PID 4396 cmd.exe wrote to memory of PID 2684 ipconfig.exe (3 events)
- PID 1592 office.exe wrote to memory of PID 4312 office.exe (8 events)
In this report every ordinary child start (powershell.exe, cmd.exe, ipconfig.exe) shows exactly three writes, so WriteProcessMemory on its own is not the signal. The eight writes into the second office.exe, combined with the SetThreadContext call from the same parent, are the process-hollowing pattern: a suspended copy of the dropper has its image replaced and is then resumed.
-
outlook_office_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (office.exe)
-
outlook_win_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (office.exe)
Processes
-
EXCEL.EXE (PID 3828), depth 1
Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ORDER-221202.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
office.exe (PID 1592), depth 1
Image: C:\Users\Admin\AppData\Local\Temp\office.exe
Command line: C:\Users\Admin\AppData\Local\Temp\office.exe
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  powershell.exe (PID 2704), depth 2
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" Get-Date
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
  cmd.exe, depth 2
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/release
  - Suspicious use of WriteProcessMemory
  -
    ipconfig.exe, depth 3
    Image: C:\Windows\SysWOW64\ipconfig.exe
    Command line: ipconfig /release
    - Gathers network information
  -
  cmd.exe, depth 2
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  - Suspicious use of WriteProcessMemory
  -
    ipconfig.exe, depth 3
    Image: C:\Windows\SysWOW64\ipconfig.exe
    Command line: ipconfig /renew
    - Gathers network information
  -
  office.exe (PID 4312), depth 2
  Image: C:\Users\Admin\AppData\Local\Temp\office.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\office.exe
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
Notes on the tree: PIDs are taken from the signature tables. The report places both EXCEL.EXE and the first office.exe at depth 1, so the step by which the document fetched and started office.exe ("Downloads MZ/PE file") is not captured as a parent/child link. The two cmd.exe/ipconfig.exe pairs are PIDs 4756/3640 and 4396/2684 in the WriteProcessMemory table; the report does not say which pair ran /release and which /renew. Everything office.exe starts is a SysWOW64 binary and its CLR usage log lands under CLR_v4.0_32, so the dropper is a 32-bit .NET process. PID 4312 is the hollowed copy (SetThreadContext plus eight memory writes from PID 1592) and is where the payload behaviour appears: it is the process that opens the Outlook profile section and installs the Windows hook, and its dump memory/4312-159 covers 0x00400000-0x0043C000 (240KB), the default image base of a 32-bit executable, which is the region to carve for the unpacked payload.
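The tree above, read together with the WriteProcessMemory and SetThreadContext tables, is what separates the hollowed office.exe from the ordinary children. The following is an added example, not part of the sandbox report: it rebuilds the parent/child tree from the report's own rows (the run-together table cell is split back into one row per event) and flags hollowing as a SetThreadContext call into a different process that also received more memory writes than the modal child start. On a production host the closest telemetry is Sysmon Event ID 10 (ProcessAccess) rather than these API-level rows; the scoring rule itself is the example's own.

```python
"""
Added example (not part of the sandbox report): rebuild the parent/child
tree from the report's WriteProcessMemory rows and flag process hollowing
from the combination the report shows: a SetThreadContext call into a
different process that also received more memory writes than an ordinary
child creation. Rows are copied from the report; the scoring rule is the
example's own.
"""
import re
from collections import Counter, defaultdict

WPM = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
STC = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")


def build_tree(rows):
    """parent PID -> ordered list of child PIDs, from the first write into each child."""
    tree = defaultdict(list)
    for row in rows:
        m = WPM.match(row)
        if m and m["dst"] not in tree[m["src"]]:
            tree[m["src"]].append(m["dst"])
    return dict(tree)


def find_hollowing(rows):
    writes = Counter()   # (parent, child) -> number of WriteProcessMemory rows
    images = {}
    thread_ctx = []
    for row in rows:
        m = WPM.match(row)
        if m:
            writes[(m["src"], m["dst"])] += 1
            images[m["src"]], images[m["dst"]] = m["src_img"], m["dst_img"]
            continue
        m = STC.match(row)
        if m:
            thread_ctx.append((m["src"], m["dst"]))
    # Baseline: the modal write count per edge. The sandbox records a few writes
    # for every ordinary child start, so WriteProcessMemory alone is not a signal.
    baseline = Counter(writes.values()).most_common(1)[0][0] if writes else 0
    findings = []
    for src, dst in thread_ctx:
        if src == dst:
            continue  # a process changing its own thread context is not injection
        n = writes[(src, dst)]
        findings.append({
            "parent": src, "child": dst, "writes": n, "baseline": baseline,
            "same_image": images.get(src) == images.get(dst),
            "verdict": "process hollowing" if n > baseline else "remote thread context change; review",
        })
    return findings


def rows_from_report(text):
    """Split the report's run-together 'PID ... PID ...' cell into one row per event."""
    return [r.strip() for r in re.split(r"\s+(?=PID \d)", text.strip()) if r.strip()]


# The report's WriteProcessMemory cell (each edge listed as many times as it appears)
# followed by its single SetThreadContext row.
REPORT_CELL = (
    "PID 1592 wrote to memory of 2704 1592 office.exe powershell.exe " * 3
    + "PID 1592 wrote to memory of 4756 1592 office.exe cmd.exe " * 3
    + "PID 4756 wrote to memory of 3640 4756 cmd.exe ipconfig.exe " * 3
    + "PID 1592 wrote to memory of 4396 1592 office.exe cmd.exe " * 3
    + "PID 4396 wrote to memory of 2684 4396 cmd.exe ipconfig.exe " * 3
    + "PID 1592 wrote to memory of 4312 1592 office.exe office.exe " * 8
    + "PID 1592 set thread context of 4312 1592 office.exe office.exe"
)
REPORT_ROWS = rows_from_report(REPORT_CELL)

if __name__ == "__main__":
    for parent, kids in build_tree(REPORT_ROWS).items():
        print(f"{parent} -> {', '.join(kids)}")
    for finding in find_hollowing(REPORT_ROWS):
        print(finding)
```

Using the modal write count as the baseline keeps the rule portable across sandboxes that log a different number of writes per ordinary process start; the same_image flag records the self-hollowing variant seen here, where the dropper runs a second copy of itself as the host.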
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\office.exe.log
- Filesize: 1KB
- MD5: dbc0e9f71594bccf1c4122b61d25ed9d
- SHA1: c5450e16633c5bfc8bfd90443605e879ab635e92
- SHA256: e8f8a387f68e77533f6b0a967f2816265e017aa14b9064d656deda9c6034de30
- SHA512: c67751eea29097a265f4e501f93cc5a38516681c7e575c3a0772dcec75b02b9cb0a7367c077503c2360e61370d911fb003e28b25fc1163e98f808546bdb26de6
A CLR usage log is written by the .NET runtime for a managed executable; its location under CLR_v4.0_32 confirms office.exe ran as a 32-bit .NET 4.x process.
-
C:\Users\Admin\AppData\Local\Temp\office.exe (listed three times in the report with identical hashes)
- Filesize: 2.1MB
- MD5: ac218915a4631cb36a1674880cf8e97b
- SHA1: daaae1e4baa600e4f39f86b194c6b48ba6bb1cc6
- SHA256: 1d0df1a32a2668c35c848250b8c7809fb571454e26d75437942c67ae2d3f3f12
- SHA512: 8051f251409b79471ccc9a83ce6f26a6bc410e9fdccfb6036239fe698518b2e7353524fb83a6e0e53816c21171225bc928611ea4e72d1fb6559ea1104c386fa9
-
Memory dumps (region and size; mapping.dmp entries carry no address range):
- memory/1592-141-0x0000000000990000-0x0000000000BA8000-memory.dmp (2.1MB)
- memory/1592-142-0x0000000005C70000-0x0000000006214000-memory.dmp (5.6MB)
- memory/1592-150-0x0000000006260000-0x000000000626A000-memory.dmp (40KB)
- memory/1592-145-0x00000000062C0000-0x0000000006352000-memory.dmp (584KB)
- memory/2684-157-0x0000000000000000-mapping.dmp
- memory/2704-151-0x0000000006990000-0x00000000069AE000-memory.dmp (120KB)
- memory/2704-152-0x00000000082A0000-0x000000000891A000-memory.dmp (6.5MB)
- memory/2704-143-0x0000000000000000-mapping.dmp
- memory/2704-153-0x0000000006E60000-0x0000000006E7A000-memory.dmp (104KB)
- memory/2704-144-0x0000000003070000-0x00000000030A6000-memory.dmp (216KB)
- memory/2704-146-0x0000000005B60000-0x0000000006188000-memory.dmp (6.2MB)
- memory/2704-147-0x00000000058C0000-0x00000000058E2000-memory.dmp (136KB)
- memory/2704-148-0x0000000005A60000-0x0000000005AC6000-memory.dmp (408KB)
- memory/2704-149-0x0000000006190000-0x00000000061F6000-memory.dmp (408KB)
- memory/3640-155-0x0000000000000000-mapping.dmp
- memory/3828-136-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-137-0x00007FF96C4B0000-0x00007FF96C4C0000-memory.dmp (64KB)
- memory/3828-165-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-135-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-168-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-167-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-138-0x00007FF96C4B0000-0x00007FF96C4C0000-memory.dmp (64KB)
- memory/3828-166-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-134-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-132-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/3828-133-0x00007FF96E950000-0x00007FF96E960000-memory.dmp (64KB)
- memory/4312-158-0x0000000000000000-mapping.dmp
- memory/4312-163-0x0000000006780000-0x00000000067D0000-memory.dmp (320KB)
- memory/4312-162-0x0000000005670000-0x000000000570C000-memory.dmp (624KB)
- memory/4312-159-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/4396-156-0x0000000000000000-mapping.dmp
- memory/4756-154-0x0000000000000000-mapping.dmp
The 2.1MB region at 0x00990000 in PID 1592 matches the size of the dropped office.exe and is the dropper's own image; the 240KB region at 0x00400000 in PID 4312 is the image written into the hollowed child and is the dump to start from when recovering the unpacked payload. The 64KB regions in PID 3828 (EXCEL.EXE) sit in the 64-bit address range and belong to Office itself.