Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2023 13:05

General

  • Target

    SOA FEB 5400005716.docx

  • Size

    10KB

  • MD5

    90612ab017d9b62b0845de6b196a10f5

  • SHA1

    679287fd3b0389e47cced0fca528b3bb0bbe94c6

  • SHA256

    33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c

  • SHA512

    ee6395170cf4187379df05f1beab7449af8e37109a3524b4f89f0dcadc1ecea1515c8e31847ac93711f82118b86403335bd0bc58cb848bc7461b724821d5fa28

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOmlvzl+CVWBXJC0c325:SPXU/slT+LOQHkZC96

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flexotechproducts.in
  • Port:
    587
  • Username:
    accounts1@flexotechproducts.in
  • Password:
    @Products$24
  • Email To:
    benard.rnuthuri@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA FEB 5400005716.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1524
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\keRXZQSqL.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1116
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keRXZQSqL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp122B.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:1336
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1688
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          PID:1000
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1580

    Network

MITRE ATT&CK Matrix (ATT&CK v6)

Each technique is listed as name (technique ID): number of matched signatures.

  • Execution
    Scripting (T1064): 1
    Scheduled Task (T1053): 1
    Exploitation for Client Execution (T1203): 1
  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Scheduled Task (T1053): 1
  • Defense Evasion
    Scripting (T1064): 1
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D6DA33E8-DA7A-4E83-ADAB-3EF919FD7A3D}.FSD
      Filesize

      128KB

      MD5

      f036cf37389f405f7082e75c9ff64630

      SHA1

      f83f506c4ebbc2339a740e0143eef499bca78cec

      SHA256

      25a8bcce677b7decaf238d481f52bd22f7b1896d70bc0509df9d2a5278741b8a

      SHA512

      c2a154ced1a82c66e116f2c4f8e1d118605919fc291f7bf9106e2e13231d16d21e60d4973a00de000748f9de580dde4010c94253447d948c8c269c4198ae5e04

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      49906bd301b40c26931e0bf33cdefac7

      SHA1

      722aa8498c0dde12d57b424d0577d615a21c0d37

      SHA256

      6696ff7eb51f5103643f5e729eeacb9fc0a1f4b8fc4746120577cb4ed0690db8

      SHA512

      96a680969757548461f7a4a07cec0a729cf3d2659e831e219cecd1cda4bea5fda8083acf941c8a4fbc479159ee99af61c1154bbe83e64bd4a93b339bea235eb3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\wu.......................wu[1].doc
      Filesize

      14KB

      MD5

      e8597e58b548398887143df2e686e75a

      SHA1

      2e2ae49625da9c486b33679c2b670d3ed91fe264

      SHA256

      ff8a98f618cc568b85dce1bed031b10686572fe0a2ebee71697d8e27c15a27ee

      SHA512

      550aa1272da29c7236a1d8a1c304b2d95fe19d35c88a5a59ce194bc60ad74c5946e6ec1df2faf13d3c6aefe3d3beab1996a559dbdeaa2bea514c23629a0ace02

    • C:\Users\Admin\AppData\Local\Temp\tmp122B.tmp
      Filesize

      1KB

      MD5

      06052b88dad5095817b7357c9f8f1827

      SHA1

      b9d05995cfabb273b940d1b3992c94766450a440

      SHA256

      c9e5921d169e3ee52d44583f65983153a15eaf3c123539e9f7332b6a0a835f3d

      SHA512

      3ab3c611aa553618b6ef92e53e3d5e2c608325fb272aa4904af8e3a01e17d1ab0f6e126e156b2914b2fe8ab14b789a0bc7d162c3b40326a9f3a1e33f26a4225e

    • C:\Users\Admin\AppData\Local\Temp\{7EDF5E37-1A7B-4E77-A5FB-1E19ADB82102}
      Filesize

      128KB

      MD5

      6cf9d7da23018e45553158fde9bab0ee

      SHA1

      588cab359ece2cda8f83861bccef0001310c1bb5

      SHA256

      3a100c25d954ab5860b1684eee7961d83a696895dffc85c31c670574badff6dd

      SHA512

      fe6e9cd2016872056be7eb82d05a413174efdf3eee515b7f8fa9f34ddc00d588790753c5ce75e04da01f91536c069dbcacbf872689303b46e2863499f4e68bbe

    • C:\Users\Public\vbc.exe
      Filesize

      1.1MB

      MD5

      1fb0cd15b8150e5dfb87c8c78e679612

      SHA1

      c53df088adbdc3f46e6a740a6ef5a856b74d252d

      SHA256

      64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

      SHA512

      aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

    • \Users\Public\vbc.exe
      Filesize

      1.1MB

      MD5

      1fb0cd15b8150e5dfb87c8c78e679612

      SHA1

      c53df088adbdc3f46e6a740a6ef5a856b74d252d

      SHA256

      64419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0

      SHA512

      aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d

    • memory/1116-175-0x0000000001CD0000-0x0000000001D10000-memory.dmp
      Filesize

      256KB

    • memory/1116-176-0x0000000001CD0000-0x0000000001D10000-memory.dmp
      Filesize

      256KB

    • memory/1204-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1580-168-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-174-0x0000000004FC0000-0x0000000005000000-memory.dmp
      Filesize

      256KB

    • memory/1580-195-0x0000000004FC0000-0x0000000005000000-memory.dmp
      Filesize

      256KB

    • memory/1580-167-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/1580-166-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-165-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-164-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-163-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-173-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1580-171-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/1640-143-0x0000000000A30000-0x0000000000A44000-memory.dmp
      Filesize

      80KB

    • memory/1640-150-0x0000000004A70000-0x0000000004AB0000-memory.dmp
      Filesize

      256KB

    • memory/1640-151-0x0000000000A80000-0x0000000000A8C000-memory.dmp
      Filesize

      48KB

    • memory/1640-160-0x0000000005300000-0x0000000005332000-memory.dmp
      Filesize

      200KB

    • memory/1640-142-0x0000000004A70000-0x0000000004AB0000-memory.dmp
      Filesize

      256KB

    • memory/1640-141-0x0000000000AB0000-0x0000000000BC8000-memory.dmp
      Filesize

      1.1MB

    • memory/1640-152-0x00000000058F0000-0x000000000599C000-memory.dmp
      Filesize

      688KB