Analysis

  • max time kernel
    240s
  • max time network
    247s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 13:15

General

  • Target

    22092024_1315_21092024_NO7367027738832_789257820.rtf

  • Size

    642KB

  • MD5

    b16595c7c02434cb4e95e46eaa864262

  • SHA1

    d9ed513e1cc6a3538c12fb404ff576c32028a3bd

  • SHA256

    3e1ba9d9fae253f1cebc7ddaafbc893f10cd8fd9b644e4b18f4e4f06f3cb62b0

  • SHA512

    9b362dab6d79482201b789eb12335f3a9cc0e30663e63cd40ff169084ec4284cf957914f40b5e15f75215e19194dc84c3a24462bc39383e79dc626dcb11a1e9e

  • SSDEEP

    6144:ewAYwAYwAg+bU29khgINRyJT8cai2+QurA0nI:n9

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\22092024_1315_21092024_NO7367027738832_789257820.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2780
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe
        "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe
          "C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      dba618b78e97611abcbc284a4f8fa847

      SHA1

      d2da40bd958ba80954538218c743b72d890a78a7

      SHA256

      d96f7802bbcd1b4eaddf27f133080fb9c4397eebb842353253e98a6f1e8419c1

      SHA512

      893bff232d6b0632a0047f1f28035def926e3589a9fef6df4c5a9bf1b964376b8ba3bc8d22e6d17bd31761e95708bece2eac8bd7eafd36e5e5ec81f2ab730706

    • C:\Users\Admin\AppData\Roaming\bwoidsplug10496.exe

      Filesize

      630KB

      MD5

      1046de21cd8e9ff519ce5cb089edd5f5

      SHA1

      14e56d2cdbdfaaa7c49e3b3fed62df2d0f114d83

      SHA256

      dbda8c6ed6803fd8eeb547a60ee600c101315b478fa055d4a1d0ac438fc45527

      SHA512

      ba3c69da22314de39a20b458a6c49041b280f5eb283a5225f3b40ee9381ff7fcb037c274a9fc0988cad7432b50c2fc4520221e6fdf5aa0bcc095188d14181d56

    • memory/1568-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1568-2-0x000000007130D000-0x0000000071318000-memory.dmp

      Filesize

      44KB

    • memory/1568-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1568-20-0x000000007130D000-0x0000000071318000-memory.dmp

      Filesize

      44KB

    • memory/1568-0-0x000000002FB51000-0x000000002FB52000-memory.dmp

      Filesize

      4KB

    • memory/2184-14-0x0000000000120000-0x00000000001C2000-memory.dmp

      Filesize

      648KB

    • memory/2184-15-0x0000000000440000-0x0000000000450000-memory.dmp

      Filesize

      64KB

    • memory/2184-21-0x0000000005300000-0x0000000005382000-memory.dmp

      Filesize

      520KB

    • memory/3036-34-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/3036-28-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-26-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-24-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-22-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-31-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3036-33-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB