Overview

overview

10

Static

static

10

stocks.docx

windows7-x64

10

stocks.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2023 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stocks.docx

  • Size

    10KB

  • MD5

    0f341a25ed45ee0c5a13c99ea7194081

  • SHA1

    91f808e6a287071eaf9c4634a3c24cef4f9e9e59

  • SHA256

    f42dbc7d64913299d020364ed9c3278e9fab9a140688754bc96b869c03ad61af

  • SHA512

    2609da36fcb55ba3f87a297234648546d87627310c9b0ae14971be4b604018a0aa5eb8ecc128cce08a0cf0447ffa7e05edd901d2ffe1dcba702bfdf5a0082490

  • SSDEEP

    192:ScIMmtPGT7G/bIwXOVOOE8O5SEzBC4vNq6sM63gG:SPXuT+xXOVOS8hlqHL

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    002@frem-tr.com
  • Password:
    jCXzqcP1 daniel 3116
  • Email To:
    002@frem-tr.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\stocks.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:980
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HkkBHVHcc.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HkkBHVHcc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2415.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:940
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1300

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      1dfa41a19f70c697c156295884d87205

      SHA1

      b584ea4503fc7d43135e13a09c2aeaafb827ef30

      SHA256

      2fa3f1a79f2c6d966fa8056f20b6579c719762c4bbf977d2477e4b4194967ad7

      SHA512

      02067bece2a8b4850d82332594ec9c044d8a8d33740164d99fd6009a7c9f292799ae628561bd4a7f2c4688f2b339f0cc9782ac42ddbefc0b81006e5d9e8cbcfc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F742ACA6-EB4A-4FAB-A23A-A23AE01AB753}.FSD
      Filesize

      128KB

      MD5

      be9680709cfe36ea5da7a3614518d147

      SHA1

      c6963c4e2dbec27357ad4447016eff522d36a2b2

      SHA256

      cbc3f72b18ccabac5c9bc5bb47a78fd069d1a17044a9df203936750ee7dbce04

      SHA512

      c297047f156c751c84df275669dc5deb4c27094b553302101a349f0df73ef8b8c863f9d43cedb9cac92639fda462b4868b3c810c0a71eaafced1c0dd058f7f0a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      44877fa87183197a6e0404807cc3cc6f

      SHA1

      d4397625849b8358c05cafa08aa79d8479889e21

      SHA256

      cb1755748631f16015bc633ba45b4902a829d097f5768660138ef37f85ab48a2

      SHA512

      2742e05a8200568469cfee3775b22600b70ed5bb1635295f8cb908faae83659309ecc8d43adfa96304d87baed75f6e684e5f33c569bc26993e997ba06b04c76f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{82E8907B-BB03-41A9-BFA0-0BE6D377429E}.FSD
      Filesize

      128KB

      MD5

      8ad8ada50e0fa69a17d9c28292c22736

      SHA1

      4e8be09cd0f6f3c273501bd0940c51579fac99d1

      SHA256

      d809f33f7a7c03f8f319c965358bb74125fc2c23285097668f6f1eb004546e5e

      SHA512

      4b3cb3ec26029278c018c4c5cef48615e4a544098d339fd7956f58e6a8474dd2ebab260a74f286c7f761525f4e903dc7aee0493284e2d949b4c066610e8fe942

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\########################[1].doc
      Filesize

      26KB

      MD5

      7e40adaf5188fac2c6604b08cffd76a4

      SHA1

      cc0739db0278d6e417011ce8e783df72f408bddc

      SHA256

      61728aaccccf4df223713f698e127b10a472fab867d54ed7f0f2bf65dfb36757

      SHA512

      28e314c94e54845baef144f7eecd1f99446cb38e657d95010717bae3c481a9407b07f7af016a1505a67e45d7d3e4673f38fc4dffba8c00ed20c9a7b369068302

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp2415.tmp
      Filesize

      1KB

      MD5

      18220f259fe369cf8fc4a5fc122b6cfc

      SHA1

      327268669e48822968c078a5a844fc1cdce9a677

      SHA256

      487b4c1f8be6b168e46b5924fc6ba3c74d556d39c08742d33b4b6d540fff7510

      SHA512

      49610aebd791f5f947c7f7c592203d9b5c01aae50f9aa9b7ccc75dfad60cf4aaa203792dc80b17608279b4c6c72d400884b4f3c99eddecf0387cacf3d762f573

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\{35921852-4ED9-4822-8E1B-F7A078B85428}
      Filesize

      128KB

      MD5

      0b26f57cb1d8919e7a4d2242454dd286

      SHA1

      9ccfa24dd975ce99411af30591a761b8abe2d1ee

      SHA256

      29b160340efa4f240e96718054f97fc4560b2c4746ed40915c5a5f117249f465

      SHA512

      e9e3eb128741b364710b2b38d117e4b70ce479992d6de0c304adb96e0eca4fc45085702998d94a4b263460390a53a50176ab486028084f1a78723f14a4195382

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      644KB

      MD5

      de68c494a13e2ab0ddc0f48ace524955

      SHA1

      ab4ca591910352445bdb75465b8829ee7890f34b

      SHA256

      6c32a9663a01524537e1b37c2c329c5bb46a0187dc5eeb03a849bf521f7c66d7

      SHA512

      d9c278fc53da3c75ac898ce6b675c9af817d568a377f8f6b44991c520a507945efc5d090d03d6d69ba141876fb5c8e386f18e5f5e4b08d5d843a286ed95f8e68

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      644KB

      MD5

      de68c494a13e2ab0ddc0f48ace524955

      SHA1

      ab4ca591910352445bdb75465b8829ee7890f34b

      SHA256

      6c32a9663a01524537e1b37c2c329c5bb46a0187dc5eeb03a849bf521f7c66d7

      SHA512

      d9c278fc53da3c75ac898ce6b675c9af817d568a377f8f6b44991c520a507945efc5d090d03d6d69ba141876fb5c8e386f18e5f5e4b08d5d843a286ed95f8e68

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      644KB

      MD5

      de68c494a13e2ab0ddc0f48ace524955

      SHA1

      ab4ca591910352445bdb75465b8829ee7890f34b

      SHA256

      6c32a9663a01524537e1b37c2c329c5bb46a0187dc5eeb03a849bf521f7c66d7

      SHA512

      d9c278fc53da3c75ac898ce6b675c9af817d568a377f8f6b44991c520a507945efc5d090d03d6d69ba141876fb5c8e386f18e5f5e4b08d5d843a286ed95f8e68

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      644KB

      MD5

      de68c494a13e2ab0ddc0f48ace524955

      SHA1

      ab4ca591910352445bdb75465b8829ee7890f34b

      SHA256

      6c32a9663a01524537e1b37c2c329c5bb46a0187dc5eeb03a849bf521f7c66d7

      SHA512

      d9c278fc53da3c75ac898ce6b675c9af817d568a377f8f6b44991c520a507945efc5d090d03d6d69ba141876fb5c8e386f18e5f5e4b08d5d843a286ed95f8e68

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      644KB

      MD5

      de68c494a13e2ab0ddc0f48ace524955

      SHA1

      ab4ca591910352445bdb75465b8829ee7890f34b

      SHA256

      6c32a9663a01524537e1b37c2c329c5bb46a0187dc5eeb03a849bf521f7c66d7

      SHA512

      d9c278fc53da3c75ac898ce6b675c9af817d568a377f8f6b44991c520a507945efc5d090d03d6d69ba141876fb5c8e386f18e5f5e4b08d5d843a286ed95f8e68

      Download Submit
    • memory/916-150-0x0000000004DE0000-0x0000000004E20000-memory.dmp
      Filesize

      256KB

      Download
    • memory/916-149-0x0000000000440000-0x0000000000454000-memory.dmp
      Filesize

      80KB

      Download
    • memory/916-142-0x0000000001140000-0x00000000011E8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/916-151-0x0000000000460000-0x000000000046C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/916-152-0x00000000010D0000-0x000000000113C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/916-144-0x0000000004DE0000-0x0000000004E20000-memory.dmp
      Filesize

      256KB

      Download
    • memory/916-160-0x0000000000E40000-0x0000000000E72000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1300-163-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-162-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-161-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-164-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-169-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-166-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1300-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1300-171-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1540-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1820-172-0x0000000002580000-0x00000000025C0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1820-173-0x0000000002580000-0x00000000025C0000-memory.dmp
      Filesize

      256KB

      Download