Analysis

  • max time kernel
    101s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 11:24

General

  • Target

    NO7367027738832_789257820.rtf

  • Size

    642KB

  • MD5

    b16595c7c02434cb4e95e46eaa864262

  • SHA1

    d9ed513e1cc6a3538c12fb404ff576c32028a3bd

  • SHA256

    3e1ba9d9fae253f1cebc7ddaafbc893f10cd8fd9b644e4b18f4e4f06f3cb62b0

  • SHA512

    9b362dab6d79482201b789eb12335f3a9cc0e30663e63cd40ff169084ec4284cf957914f40b5e15f75215e19194dc84c3a24462bc39383e79dc626dcb11a1e9e

  • SSDEEP

    6144:ewAYwAYwAg+bU29khgINRyJT8cai2+QurA0nI:n9

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NO7367027738832_789257820.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2704
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe
        "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
        • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe
          "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:896

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      77b411cbab83744ca43bd3c66b9478df

      SHA1

      6e22e49111da5493a9f0d13a8411bb8413239224

      SHA256

      a8af19e262cd53f722c11a1b349eacacdae3e5b914ac17e6dab84c9bf298386f

      SHA512

      f0cef608cd1cda188ad677c16bed96aee966540fa19b252688317a86911f887fa612210bb21ca129dc2766298b9779c6a7a3b5aa8ddd78d4c5c992c0589a5f65

    • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe

      Filesize

      630KB

      MD5

      1046de21cd8e9ff519ce5cb089edd5f5

      SHA1

      14e56d2cdbdfaaa7c49e3b3fed62df2d0f114d83

      SHA256

      dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527

      SHA512

      ba3c69da22314de39a20b458a6c49041b280f5eb283a5225f3b40ee9381ff7fcb037c274a9fc0988cad7432b50c2fc4520221e6fdf5aa0bcc095188d14181d56

    • memory/896-24-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-20-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-22-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/896-31-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-27-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/896-29-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/1424-16-0x0000000070BED000-0x0000000070BF8000-memory.dmp

      Filesize

      44KB

    • memory/1424-0-0x000000002FF31000-0x000000002FF32000-memory.dmp

      Filesize

      4KB

    • memory/1424-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1424-50-0x0000000073420000-0x0000000073427000-memory.dmp

      Filesize

      28KB

    • memory/1424-2-0x0000000070BED000-0x0000000070BF8000-memory.dmp

      Filesize

      44KB

    • memory/1424-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2116-17-0x0000000005350000-0x00000000053D2000-memory.dmp

      Filesize

      520KB

    • memory/2116-15-0x0000000000510000-0x0000000000520000-memory.dmp

      Filesize

      64KB

    • memory/2116-14-0x0000000000810000-0x00000000008B2000-memory.dmp

      Filesize

      648KB