Analysis
max time kernel: 146s
max time network: 141s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 16:15

Static task: static1
Behavioral task: behavioral1
  Sample: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
  Resource: win10
General
Target: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
Size: 137KB
MD5: 2cb0d10d142dcee0d4f941ee11492746
SHA1: ecaf75e4135bb8f585ce31249d3284871dc4d042
SHA256: 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef
SHA512: 9299a052bf6a32c2bc1edc91a14d38b9b80dcb78596a1190db1175ab8738d2f55b6879f127129d758e0ec9ce7879717f0fab59a87fa70b10f3c4948408a1c7c1
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (5 IoCs)
  resource | yara_rule
  C:\Users\Public\svchost32.exe | family_agenttesla
  C:\Users\Public\svchost32.exe | family_agenttesla
  behavioral1/memory/1920-13-0x0000000000454FAE-mapping.dmp | family_agenttesla
  behavioral1/memory/1920-15-0x0000000000080000-0x00000000000DA000-memory.dmp | family_agenttesla
  behavioral1/memory/1920-16-0x0000000000080000-0x00000000000DA000-memory.dmp | family_agenttesla

Executes dropped EXE (2 IoCs)
  pid | process
  1248 | svchost32.exe
  1920 | AddInProcess32.exe

Loads dropped DLL (1 IoC)
  pid | process
  1248 | svchost32.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyKanyAasean = "C:\\Users\\Admin\\AppData\\Roaming\\MyKanyAasean\\MyKanyAasean.exe" | AddInProcess32.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1248 set thread context of 1920 | 1248 | svchost32.exe | AddInProcess32.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  1432 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1248 | svchost32.exe
  1248 | svchost32.exe
  1248 | svchost32.exe
  1920 | AddInProcess32.exe
  1920 | AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1248 | svchost32.exe
  Token: SeDebugPrivilege | 1920 | AddInProcess32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  1432 | EXCEL.EXE
  1432 | EXCEL.EXE
  1432 | EXCEL.EXE
  1920 | AddInProcess32.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process
  PID 1432 wrote to memory of 1248 | 1432 | EXCEL.EXE | svchost32.exe
  PID 1432 wrote to memory of 1248 | 1432 | EXCEL.EXE | svchost32.exe
  PID 1432 wrote to memory of 1248 | 1432 | EXCEL.EXE | svchost32.exe
  PID 1432 wrote to memory of 1248 | 1432 | EXCEL.EXE | svchost32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe
  PID 1248 wrote to memory of 1920 | 1248 | svchost32.exe | AddInProcess32.exe

Processes
1. C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Public\svchost32.exe
      Command line: "C:\Users\Public\svchost32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

C:\Users\Public\svchost32.exe
  MD5: 9b65bdf577ccfeacc1abb78248f96fc4
  SHA1: 0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099
  SHA256: 02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d
  SHA512: 215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1248-5-0x0000000000000000-mapping.dmp
memory/1248-9-0x0000000000000000-0x0000000000000000-disk.dmp
memory/1432-1-0x000000000030F000-0x0000000000315000-memory.dmp (Filesize: 24KB)
memory/1920-13-0x0000000000454FAE-mapping.dmp
memory/1920-15-0x0000000000080000-0x00000000000DA000-memory.dmp (Filesize: 360KB)
memory/1920-16-0x0000000000080000-0x00000000000DA000-memory.dmp (Filesize: 360KB)