Analysis
- max time kernel: 142s
- max time network: 20s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 19-04-2021 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: specification.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: specification.xlsx
  Resource: win10v20210410
General
- Target: specification.xlsx
- Size: 379KB
- MD5: 94c2bb7133cc4bebeb9fbe43fc739d87
- SHA1: daa3c4e5fc17f81fc4e1f6a54fa822bb59b2e36d
- SHA256: 3ec6f6e82d0a4ae08c365a701ab02d793e59db3a54f012c0639b693d7d5cf573
- SHA512: fc24e772f07aaefed535837f0dd59a9e689766fa5325929e03e88371ac2b981b98ceeaf8b4eb239f1509691f8605e4e46e99fbd2fd43ad04284da4d41b731e41
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.scrablex.com
- Port: 587
- Username: [email protected]
- Password: Chisom123.
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2040-76-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/2040-77-0x00000000004375DE-mapping.dmp | family_agenttesla
  behavioral1/memory/2040-79-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  5 | 1944 | EQNEDT32.EXE
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  328 | vbc.exe
  1932 | vbc.exe
  2040 | vbc.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1944 | EQNEDT32.EXE
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\aKZoqyj = "C:\\Users\\Admin\\AppData\\Roaming\\aKZoqyj\\aKZoqyj.exe" | vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 328 set thread context of 2040 | 328 | vbc.exe | vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  1776 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  328 | vbc.exe
  328 | vbc.exe
  328 | vbc.exe
  2040 | vbc.exe
  2040 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 328 | vbc.exe
  Token: SeDebugPrivilege | 2040 | vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid | process
  1776 | EXCEL.EXE
  1776 | EXCEL.EXE
  1776 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 1944 wrote to memory of 328 | 1944 | EQNEDT32.EXE | vbc.exe
  PID 1944 wrote to memory of 328 | 1944 | EQNEDT32.EXE | vbc.exe
  PID 1944 wrote to memory of 328 | 1944 | EQNEDT32.EXE | vbc.exe
  PID 1944 wrote to memory of 328 | 1944 | EQNEDT32.EXE | vbc.exe
  PID 328 wrote to memory of 1932 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 1932 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 1932 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 1932 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
  PID 328 wrote to memory of 2040 | 328 | vbc.exe | vbc.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\specification.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1776
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 1944
  - C:\Users\Public\vbc.exe (child of PID 1944)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 328
    - C:\Users\Public\vbc.exe (child of PID 328)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      PID: 1932
    - C:\Users\Public\vbc.exe (child of PID 328)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2040
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: f17d8c94783597296264ab489cfc64b8
  SHA1: b967e59eabac83697e27576e54420623d5ebedfb
  SHA256: 3b3f6d41ee6c1f630f6aa74edbe5d524fe2333a91e5234509c647432f663819f
  SHA512: b2ae3996f8a80b4e2689616b4b4443bfd9aff6633515713e451931650054b588e129389278f0e8eeb8820d5980f5f165f4cdc921a8d196a3a16f212628a3de38
- \Users\Public\vbc.exe
  MD5: f17d8c94783597296264ab489cfc64b8
  SHA1: b967e59eabac83697e27576e54420623d5ebedfb
  SHA256: 3b3f6d41ee6c1f630f6aa74edbe5d524fe2333a91e5234509c647432f663819f
  SHA512: b2ae3996f8a80b4e2689616b4b4443bfd9aff6633515713e451931650054b588e129389278f0e8eeb8820d5980f5f165f4cdc921a8d196a3a16f212628a3de38
- memory/328-71-0x00000000008D0000-0x00000000008D9000-memory.dmp (Filesize: 36KB)
- memory/328-73-0x0000000001260000-0x00000000012D9000-memory.dmp (Filesize: 484KB)
- memory/328-74-0x0000000001330000-0x0000000001379000-memory.dmp (Filesize: 292KB)
- memory/328-68-0x00000000013C0000-0x00000000013C1000-memory.dmp (Filesize: 4KB)
- memory/328-70-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (Filesize: 4KB)
- memory/328-65-0x0000000000000000-mapping.dmp
- memory/1776-72-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1776-60-0x000000002F3A1000-0x000000002F3A4000-memory.dmp (Filesize: 12KB)
- memory/1776-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1776-61-0x0000000071191000-0x0000000071193000-memory.dmp (Filesize: 8KB)
- memory/1944-63-0x0000000075C31000-0x0000000075C33000-memory.dmp (Filesize: 8KB)
- memory/2040-76-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2040-77-0x00000000004375DE-mapping.dmp
- memory/2040-79-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2040-81-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)