Analysis
- max time kernel: 139s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-01-2021 06:55

Static task: static1
Behavioral task: behavioral1
  Sample: Revised-RBG-180129940.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Revised-RBG-180129940.xlsx
  Resource: win10v20201028
General
- Target: Revised-RBG-180129940.xlsx
- Size: 402KB
- MD5: 9a21b20bf0f722b2cd46058cbfad5571
- SHA1: f359c45f331d5b159a1ae6ef80135f937bf32856
- SHA256: 7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
- SHA512: 8f350b572b864c5a2a96ad8306266e1cc6dfb7c3d81d18894dfdddda099a9d21a97b3aabaee41769693e862158f5282bc873d2f0e9bcfdea3be62a0b4e116328
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.shreejilogistix.com
- Port: 587
- Username: [email protected]
- Password: ZHNecv9PfHk2
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 2 IoCs
Processes:
  resource: behavioral1/memory/912-26-0x0000000000230000-0x000000000027D000-memory.dmp, yara_rule: family_agenttesla
  resource: behavioral1/memory/912-27-0x0000000000620000-0x000000000066C000-memory.dmp, yara_rule: family_agenttesla
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow 16, pid 760, process EQNEDT32.EXE
-
Executes dropped EXE 1 IoCs
Processes:
  pid 1688, process vbc.exe
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL 4 IoCs
Processes:
  pid 760, process EQNEDT32.EXE (4 times)
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swely = "C:\\Users\\Public\\Libraries\\ylewS.url"
  process: vbc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 1688 set thread context of 912
  pid 1688, process vbc.exe, target process svchost.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
  process: EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes (all EXCEL.EXE):
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header
  flow 18
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 1812, process EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 912, process svchost.exe (2 times)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid 912, process svchost.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid 1812, process EXCEL.EXE (3 times)
  pid 280, process WINWORD.EXE (2 times)
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  PID 760 wrote to memory of 1688: pid 760, process EQNEDT32.EXE, target process vbc.exe (4 times)
  PID 280 wrote to memory of 1544: pid 280, process WINWORD.EXE, target process splwow64.exe (4 times)
  PID 1688 wrote to memory of 912: pid 1688, process vbc.exe, target process svchost.exe (6 times)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Revised-RBG-180129940.xlsx
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1812
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 280
  -
  C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288
  PID: 1544
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID: 760
  -
  C:\Users\Public\vbc.exe
  Command line: "C:\Users\Public\vbc.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1688
    -
    C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\System32\svchost.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 912
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
PID: 1816
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
PID: 920
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
PID: 972
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
PID: 704
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs
PID: 1860
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService
PID: 784
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k netsvcs
PID: 936
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs
PID: 276
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs
PID: 636
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4HTQEUG\document_v4120012[1].doc
MD5: 446988fed3c06a2a0195479fccbed955
SHA1: 3650070fada6121e813e3635b3734d9e80f43653
SHA256: 4329673b6bb9797151a7eab278f0b82466d73303149f2e9ab797a95d04a982bd
SHA512: f00dd3d683087321ac0d200fa995a51b8c65109e5c1786b2a7f47b34b69b64d257ceca6b4a380ea6165f7268bc673e8d6861c992e47dda9cbf1c18c251714ab2
-
C:\Users\Public\vbc.exe
MD5: b94f6fe6c0a12f51cefa10222036b2e8
SHA1: b47a296f3044b5bb5a1e8f5306ad5687067289c9
SHA256: c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971
SHA512: d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6
-
\Users\Public\vbc.exe
MD5: b94f6fe6c0a12f51cefa10222036b2e8
SHA1: b47a296f3044b5bb5a1e8f5306ad5687067289c9
SHA256: c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971
SHA512: d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6
- memory/280-6-0x000000006B531000-0x000000006B534000-memory.dmp (Filesize: 12KB)
- memory/524-5-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp (Filesize: 2.5MB)
- memory/760-10-0x0000000076241000-0x0000000076243000-memory.dmp (Filesize: 8KB)
- memory/912-24-0x0000000069E70000-0x000000006A55E000-memory.dmp (Filesize: 6.9MB)
- memory/912-27-0x0000000000620000-0x000000000066C000-memory.dmp (Filesize: 304KB)
- memory/912-30-0x00000000046D3000-0x00000000046D4000-memory.dmp (Filesize: 4KB)
- memory/912-32-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
- memory/912-31-0x00000000046D4000-0x00000000046D6000-memory.dmp (Filesize: 8KB)
- memory/912-28-0x00000000046D1000-0x00000000046D2000-memory.dmp (Filesize: 4KB)
- memory/912-29-0x00000000046D2000-0x00000000046D3000-memory.dmp (Filesize: 4KB)
- memory/912-21-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
- memory/912-22-0x000000000040CD2F-mapping.dmp
- memory/912-23-0x0000000002080000-0x0000000002091000-memory.dmp (Filesize: 68KB)
- memory/912-25-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
- memory/912-26-0x0000000000230000-0x000000000027D000-memory.dmp (Filesize: 308KB)
- memory/1544-19-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp (Filesize: 8KB)
- memory/1544-18-0x0000000000000000-mapping.dmp
- memory/1688-17-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)
- memory/1688-15-0x0000000000000000-mapping.dmp
- memory/1812-2-0x000000002F141000-0x000000002F144000-memory.dmp (Filesize: 12KB)
- memory/1812-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1812-3-0x0000000071241000-0x0000000071243000-memory.dmp (Filesize: 8KB)