Analysis
- max time kernel: 90s
- max time network: 128s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 11:15
Static task: static1
Behavioral task: behavioral1 - Sample: USD_Payment Details.xls - Resource: win7
Behavioral task: behavioral2 - Sample: USD_Payment Details.xls - Resource: win10v200430
General
- Target: USD_Payment Details.xls
- Size: 95KB
- MD5: fd1be82d683bde7bdf1ae61d2eda6827
- SHA1: de3b56b9f7c978cfa7a6e4a2533b9fc7bf0ec909
- SHA256: 6dd03646685c5f0f835db9af5c3e80e3b425fdea1595f81f62bee4550b2a7635
- SHA512: 0cc7ad398cb9255bdfa90ad37f2d78a905826ba6b93ad172797ed366976f065d449bc02e10c662740943b8b4ddee365bc6382be6d6a2cabadc0789709ce5c3e7
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.skibokshotell.no/
- Port: 21
- Username: [email protected]
- Password: u{psFslG@7Ly
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted from this sample uses FTP.
- AgentTesla Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1612-6-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1612-7-0x00000000004470CE-mapping.dmp | family_agenttesla
  behavioral1/memory/1612-9-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1612-10-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | OMSBITNRE.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  1780 | OMSBITNRE.exe
  1612 | OMSBITNRE.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OMSBITNRE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OMSBITNRE.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OMSBITNRE.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | OMSBITNRE.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1780 set thread context of 1612 | 1780 | OMSBITNRE.exe | OMSBITNRE.exe
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  672 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1612 | OMSBITNRE.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1612 | OMSBITNRE.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  672 | EXCEL.EXE (3 times)
  1612 | OMSBITNRE.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process
  PID 672 wrote to memory of 1780 | 672 | EXCEL.EXE | OMSBITNRE.exe (4 times)
  PID 1780 wrote to memory of 1612 | 1780 | OMSBITNRE.exe | OMSBITNRE.exe (9 times)
Processes
1. C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 672)
   Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\USD_Payment Details.xls"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe (PID 1780, child of 672)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe (PID 1612, child of 1780)
         Command line: "{path}"
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

Reading the tree: the /dde switch is what Excel receives on an ordinary shell-association open, so it is not an indicator by itself. The chain of interest is Excel (PID 672) launching an executable dropped into the user's Templates folder (PID 1780), which then starts a second copy of its own image (PID 1612), writes into it nine times and calls SetThreadContext on it, a sequence consistent with process hollowing; the hollowed copy (PID 1612) is the one that carries the AgentTesla payload in memory, enumerates processes, acquires SeDebugPrivilege and opens C:\Windows\system32\drivers\etc\hosts for modification (the "Drops file in Drivers directory" signature).
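Detection logic for the two links in that chain, written as an added example for this report rather than output of the sandbox or code from the original page. The process list and API events below are transcribed by hand from the "Processes", "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" sections above; the record layout, the OFFICE_IMAGES set, the AppData path regex and the function names are assumptions, not a sandbox export format.

```python
"""Flag (1) an Office process launching an EXE from the user's profile and
(2) a parent that writes into a same-image child and then sets its thread
context, the write-then-redirect sequence of process hollowing.

Added example; data constructed from the sandbox report, not a real log format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: Office hosts that typically open a phishing lure.
OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Assumption: an EXE launched from the user's AppData tree is worth flagging.
PROFILE_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int   # 0 when the parent is not part of the tree
    path: str


@dataclass(frozen=True)
class ApiEvent:
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    pid: int         # acting process
    target_pid: int  # process acted upon


# Constructed from the report's process tree.
PROCESSES = [
    Process(672, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"),
    Process(1780, 672, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe"),
    Process(1612, 1780, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe"),
]

# Constructed from the report's signatures: 13 WriteProcessMemory IoCs, 1 SetThreadContext IoC.
API_EVENTS = (
    [ApiEvent("WriteProcessMemory", 672, 1780)] * 4
    + [ApiEvent("WriteProcessMemory", 1780, 1612)] * 9
    + [ApiEvent("SetThreadContext", 1780, 1612)]
)


def image_name(path):
    """Basename of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def find_office_spawn_from_profile(procs):
    """Office process launching an executable that lives under the user's AppData.

    Returns (parent_pid, parent_image, child_pid, child_path) tuples.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent and image_name(parent.path).upper() in OFFICE_IMAGES
                and PROFILE_DIR_RE.match(p.path)):
            hits.append((parent.pid, image_name(parent.path), p.pid, p.path))
    return hits


def find_self_hollowing(procs, events):
    """Parent spawns its own image, writes into the child, then calls SetThreadContext.

    Writes alone are not enough (a parent normally writes into a child it creates);
    the SetThreadContext on a same-image child is what makes the pair suspicious.
    Returns (parent_pid, child_pid, image, write_count) tuples.
    """
    by_pid = {p.pid: p for p in procs}
    writes = defaultdict(int)
    ctx_pairs = set()
    for e in events:
        pair = (e.pid, e.target_pid)
        if e.api == "WriteProcessMemory":
            writes[pair] += 1
        elif e.api == "SetThreadContext":
            ctx_pairs.add(pair)
    hits = []
    for pid, tpid in sorted(ctx_pairs):
        src, dst = by_pid.get(pid), by_pid.get(tpid)
        if not src or not dst or pid == tpid:
            continue
        n = writes[(pid, tpid)]
        if dst.ppid == pid and src.path.lower() == dst.path.lower() and n > 0:
            hits.append((pid, tpid, image_name(dst.path), n))
    return hits


if __name__ == "__main__":
    for hit in find_office_spawn_from_profile(PROCESSES):
        print("Office launched EXE from profile dir:", hit)
    for hit in find_self_hollowing(PROCESSES, API_EVENTS):
        print("Self-hollowing candidate:", hit)
```

On this report both rules fire: EXCEL.EXE (672) launching OMSBITNRE.exe from the Templates folder, and OMSBITNRE.exe (1780) writing nine times into its own image (1612) before setting its thread context. The same-image and SetThreadContext conditions keep the second rule from firing on the ordinary parent-to-child writes that accompany every CreateProcess, which is why Excel's four writes into 1780 are reported only by the first rule.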
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\OMSBITNRE.exe
  MD5: e3516cf406d891902c553d6a43efdc65
  SHA1: 435d7a53989670d50578c9aff2b334187222088e
  SHA256: 702e54b967e1c8aedcdfea2306b429b15e284b9b88439c9636182a36322e179b
  SHA512: 1454b39a6a9ccea31c5a682baec84d42668a9787e66d4eda2df0a74b5d47a928b814bda29a51fe3374c3f315d07fcaa50df0d926e8c5ee6bd8f521ba2d068d92
- memory/1612-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1612-7-0x00000000004470CE-mapping.dmp
- memory/1612-9-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1612-10-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1780-1-0x0000000000000000-mapping.dmp
- memory/1780-5-0x0000000000000000-0x0000000000000000-disk.dmp