Analysis
- max time kernel: 135s
- max time network: 131s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 16:15

Static task: static1
Behavioral task: behavioral1
- Sample: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
- Resource: win10
General
- Target: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
- Size: 137KB
- MD5: 2cb0d10d142dcee0d4f941ee11492746
- SHA1: ecaf75e4135bb8f585ce31249d3284871dc4d042
- SHA256: 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef
- SHA512: 9299a052bf6a32c2bc1edc91a14d38b9b80dcb78596a1190db1175ab8738d2f55b6879f127129d758e0ec9ce7879717f0fab59a87fa70b10f3c4948408a1c7c1
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 2 IoCs
  Processes:
    resource: C:\Users\Public\svchost32.exe, yara_rule: family_agenttesla
    resource: C:\Users\Public\svchost32.exe, yara_rule: family_agenttesla
- Executes dropped EXE 1 IoCs
  Processes:
    pid: 3852, process: svchost32.exe
- Checks processor information in registry 2 TTPs 3 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened, ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, process: EXCEL.EXE
    description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process: EXCEL.EXE
    description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, process: EXCEL.EXE
- Enumerates system info in registry 2 TTPs 3 IoCs
  Processes:
    description: Key opened, ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, process: EXCEL.EXE
    description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, process: EXCEL.EXE
    description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, process: EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid: 3680, process: EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
    pid: 3852, process: svchost32.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description: Token: SeDebugPrivilege, pid: 3852, process: svchost32.exe
- Suspicious use of SetWindowsHookEx 12 IoCs
  Processes:
    pid: 3680, process: EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
    description: PID 3680 wrote to memory of 3852, pid: 3680, process: EXCEL.EXE, target process: svchost32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\svchost32.exe (child process)
    Command line: "C:\Users\Public\svchost32.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\svchost32.exe
  MD5: 9b65bdf577ccfeacc1abb78248f96fc4
  SHA1: 0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099
  SHA256: 02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d
  SHA512: 215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc
- memory/3852-6-0x0000000000000000-mapping.dmp