Overview

overview

10

Static

static

8

PO_1003288...s.xlsm

windows7_x64

10

PO_1003288...s.xlsm

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-07-2020 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm

  • Size

    137KB

  • MD5

    2cb0d10d142dcee0d4f941ee11492746

  • SHA1

    ecaf75e4135bb8f585ce31249d3284871dc4d042

  • SHA256

    191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef

  • SHA512

    9299a052bf6a32c2bc1edc91a14d38b9b80dcb78596a1190db1175ab8738d2f55b6879f127129d758e0ec9ce7879717f0fab59a87fa70b10f3c4948408a1c7c1

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Public\svchost32.exe
      "C:\Users\Public\svchost32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Public\svchost32.exe
    MD5

    9b65bdf577ccfeacc1abb78248f96fc4

    SHA1

    0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099

    SHA256

    02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d

    SHA512

    215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc

    Download Submit
  • C:\Users\Public\svchost32.exe
    MD5

    9b65bdf577ccfeacc1abb78248f96fc4

    SHA1

    0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099

    SHA256

    02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d

    SHA512

    215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc

    Download Submit
  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • memory/1248-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1248-9-0x0000000000000000-0x0000000000000000-disk.dmp
    Download
  • memory/1432-1-0x000000000030F000-0x0000000000315000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1920-13-0x0000000000454FAE-mapping.dmp
    Download
  • memory/1920-15-0x0000000000080000-0x00000000000DA000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1920-16-0x0000000000080000-0x00000000000DA000-memory.dmp
    Filesize

    360KB

    Download