Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
01-12-2023 19:08
General
-
Target
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx
-
Size
16KB
-
MD5
c6d1103403667550402d92301a0dbe62
-
SHA1
106f1b0488f98debf7599f602278185ffebd7a11
-
SHA256
d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4
-
SHA512
9094dcb1148347c39a240d033f5b78fc92ca072b21eb53c40954323d7e00a686b5ed145dac13ef51af5334f98bfc27913213ad250c697e31fae29abdda0fd96a
-
SSDEEP
384:ayXPNKVWWs8PL8wi4OEwH8TIbE91r2fRSJY5vim/Y1nz3:acP+55P3DOqnYJMMv//Y1nb
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.royalwealth.space - Port:
587 - Username:
[email protected] - Password:
sQxM4AdAZ5kY7As - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d037a0f1a4ce8bd5b3ef41f8f1efbf445bba229cd61502d0f47e4078f7d64fb4.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wealth68399.exe"C:\Users\Admin\AppData\Roaming\wealth68399.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wealth68399.exe"C:\Users\Admin\AppData\Roaming\wealth68399.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5f70f0890502a27cbe7b7856d40b76a99
SHA184c969420e4909e7fd8d337465f0fbafd94d0ecd
SHA25664f5b31c3fa09cf0e4f9f9987b4e17a1db1b9f8d4c8e8ef9346cdab3eee5462f
SHA5127ea5270bf9466ce410c3a7a8d6ccb5d786672a80e203b6969cd6dd3b460aa39359fa5fb6bbcb6a605a77993cae0a4c4865419e32b9caba2d97634ba83fc521b3
-
Filesize
128KB
MD55e31fce83e308edb8c47ccaa85cc0843
SHA129302dfd1640e13b36ca49393432c3af641d0a8c
SHA256eca00e2b8a4afe7ca0ac0ac20817b4e13687000bf91ec55414dcae34ee071711
SHA512c9b65543ceeb69d1fb381ca2e4fb60a0f0391788d8fc543581bd551dbaf3e158829e93a03bb53361e8653b731d801a0a5a690c4f83bf77277643092c4068edbe
-
Filesize
128KB
MD556e5f2c495d4cc7c76115d48799a9876
SHA15142c36a71819e19a8f7a523ba859aa0a46d8424
SHA2567b1aafe1054986a4f8c4482f19f3a5db47de83896bea275803ff616fddf9b575
SHA512c30fdeb2f60f31cdb7accd15cb8a62195393083f8aabbfd634771c7275bc63dc147a50dcfe8ff80f7540e7e4ab49652fb8c0686ba727fecee5ab3802dc3e1339
-
Filesize
128KB
MD5d0f65d00dcf6bf445af6a5c15cebf133
SHA1e706991355fcc39affb8bad3745c6ee0d0cf0684
SHA256c834f306fcb851919b47dad35a8ae9f3e6d8791ccd8a67af81c4d0e788e21d11
SHA5124aca6e79d9a2e5bfc2e60edcfc36f7a74aaff97682aa078635e44ce58ce0edb079a017ab09afd4699eb37efa7a2884a0c1de5d722c7e4ab35d62559e0d409efb
-
Filesize
141KB
MD55bb5392ff71e2d8ae392f6149170a525
SHA1433d9215f077d6b25da8b2495144e7cea1e094d7
SHA256d621391686684860304b22b66c5acea407a93a6dc10b0373b26b0ddc46170b2c
SHA512a01541f80e368480a74df787ebb24999e961f940b7e8294b7484967128f78ddc43180b5cf86051ff4e1535871109b9743c00eafbe39f3c06e000a5e16ff6e24b
-
Filesize
128KB
MD5aa6048d2b068059f9de09b2f99870bdb
SHA197ce795793233c225f27fc5580d1c4890c269b61
SHA25638f94e59945f4648797df4deb945b25a1646b735af0695087dd71af6a14ba2f4
SHA5124cfde962d08eb52110ab0522f3a0601eb63503443d34e28aeb2b00b722dbfd48ba25fb889780d12623012876f0f9a834fee88f51fccc774d19c44a83b208c8c7
-
Filesize
20KB
MD5cb14b3020bc58869be8af8c619fdb1ae
SHA1b2da194cccda2f55ee935eab45ae98d54ceadab3
SHA25687f6aca6ce4677e31d8a546f0f8742e8953be11b31992f35d6c0418385883a42
SHA5125668db61dc9b5c2fa77a30db6fca3cab063a3d54bd0f4085612208ed6c1ee7b6cf3b576fee989eed51539f2578cc0bcb6b0f74821d4d9545b9125230f146a6fc
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
716KB
MD5da1d7932229b720f188bb1586de920db
SHA182028dd1c32fafee8ea4351a108b2d1f29cedd33
SHA2565ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
SHA5126cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
Filesize
716KB
MD5da1d7932229b720f188bb1586de920db
SHA182028dd1c32fafee8ea4351a108b2d1f29cedd33
SHA2565ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
SHA5126cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
Filesize
716KB
MD5da1d7932229b720f188bb1586de920db
SHA182028dd1c32fafee8ea4351a108b2d1f29cedd33
SHA2565ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
SHA5126cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
Filesize
716KB
MD5da1d7932229b720f188bb1586de920db
SHA182028dd1c32fafee8ea4351a108b2d1f29cedd33
SHA2565ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
SHA5126cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
Filesize
716KB
MD5da1d7932229b720f188bb1586de920db
SHA182028dd1c32fafee8ea4351a108b2d1f29cedd33
SHA2565ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
SHA5126cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
Filesize
488KB
-
Filesize
744KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
88KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB