Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 08:56
- Static task: static1
- Behavioral task: behavioral1 (Sample: $267700.xlsx, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: $267700.xlsx, Resource: win10v20201028)
General
- Target: $267700.xlsx
- Size: 200KB
- MD5: df0dbb4b27bda8afcdc08455003739e7
- SHA1: 86057b50f54296163776720171c21c2a946778e6
- SHA256: 86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7
- SHA512: 4836c2aaf5dc450fb1a859770c735c1cfd2887dbeb779cc15c56e9a840f63e3a7d43d352dad3583eae4db2bcb7d31ea807f7f68258c258b423e9992c652cc3e2
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected]
- Password: lord@blessme
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 3 IoCs
  Processes (resource: yara_rule):
  - behavioral1/memory/1244-24-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1244-25-0x000000000043765E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1244-28-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Blocklisted process makes network request 1 IoCs
  Processes (flow, pid, process):
  - flow 25, PID 1812, EQNEDT32.EXE
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
  - 1144 vbc.exe
  - 2020 vbc.exe
  - 1244 vbc.exe
- Abuses OpenXML format to download file from external location
- Loads dropped DLL 1 IoCs
  Processes (pid, process):
  - 1812 EQNEDT32.EXE
- Uses the VBS compiler for execution 1 TTPs
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description, pid, process, target process):
  - PID 1144 set thread context of 1244: vbc.exe -> vbc.exe
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry 2 TTPs 1 IoCs
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings 9 IoCs
  Processes (description, ioc, process), all performed by EXCEL.EXE under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer:
  - Set value (str) Toolbar\ShowDiscussionButton = "Yes"
  - Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  - Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
  - Key created MenuExt\E&xport to Microsoft Excel
  - Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Key created Toolbar
  - Key created MenuExt
  - Key created MenuExt\Se&nd to OneNote
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid, process):
  - 1852 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes (pid, process):
  - 1144 vbc.exe (2 events)
  - 1244 vbc.exe (2 events)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1144 vbc.exe
  - Token: SeDebugPrivilege, 1244 vbc.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes (pid, process):
  - 1852 EXCEL.EXE (2 events)
- Suspicious use of SetWindowsHookEx 5 IoCs
  Processes (pid, process):
  - 1852 EXCEL.EXE (3 events)
  - 744 WINWORD.EXE (2 events)
- Suspicious use of WriteProcessMemory 21 IoCs
  Processes (description, pid, process, target process), identical events collapsed with counts:
  - PID 1812 wrote to memory of 1144: EQNEDT32.EXE -> vbc.exe (4 events)
  - PID 744 wrote to memory of 1056: WINWORD.EXE -> splwow64.exe (4 events)
  - PID 1144 wrote to memory of 2020: vbc.exe -> vbc.exe (4 events)
  - PID 1144 wrote to memory of 1244: vbc.exe -> vbc.exe (9 events)
Processes (tree; PIDs taken from the signature tables above)
- EXCEL.EXE (PID 1852): "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\$267700.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- WINWORD.EXE (PID 744): "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: splwow64.exe (PID 1056): C:\Windows\splwow64.exe 12288
- EQNEDT32.EXE (PID 1812): "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - child: vbc.exe (PID 1144): "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: vbc.exe (PID 2020): "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - child: vbc.exe (PID 1244): "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\invoice_4152112[1].doc
  MD5: 2c15d6b5dacee38f2b9d5bb1236f0bc3
  SHA1: 9a217860103db9c5b8e0eb4d9c5e0d5667b8f390
  SHA256: 31e0ea87983451b4c759b630005e2cdfe620c49eebef6bd0d8552268abd322c7
  SHA512: 6babf0dea8f79d390f85723c2708b526bad9d0e3bda2ae22d274608428fdd9c769a85e26d575e77eba99b95e42a73295bc1d87a5ca88083e601fbafb37d46b24
- C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; same hashes)
  MD5: d24b31e1b896eefd1fc34d257f9ed279
  SHA1: f61065cc95db18ce38ea31b71cf01d7bdf205dfa
  SHA256: 81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded
  SHA512: 305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f
Memory dumps (name: size):
- memory/744-6-0x000000006B6D1000-0x000000006B6D4000-memory.dmp: 12KB
- memory/1056-17-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp: 8KB
- memory/1056-16-0x0000000000000000-mapping.dmp
- memory/1144-20-0x0000000004E00000-0x0000000004E01000-memory.dmp: 4KB
- memory/1144-12-0x0000000000000000-mapping.dmp
- memory/1144-22-0x0000000004F40000-0x0000000004F9C000-memory.dmp: 368KB
- memory/1144-21-0x0000000000740000-0x0000000000743000-memory.dmp: 12KB
- memory/1144-15-0x000000006AA50000-0x000000006B13E000-memory.dmp: 6.9MB
- memory/1144-18-0x0000000000310000-0x0000000000311000-memory.dmp: 4KB
- memory/1244-25-0x000000000043765E-mapping.dmp
- memory/1244-24-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1244-27-0x000000006AA50000-0x000000006B13E000-memory.dmp: 6.9MB
- memory/1244-28-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1244-30-0x0000000000660000-0x0000000000661000-memory.dmp: 4KB
- memory/1376-5-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp: 2.5MB
- memory/1812-10-0x00000000756C1000-0x00000000756C3000-memory.dmp: 8KB
- memory/1852-2-0x000000002FD71000-0x000000002FD74000-memory.dmp: 12KB
- memory/1852-4-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1852-3-0x0000000071681000-0x0000000071683000-memory.dmp: 8KB