Analysis
- max time kernel: 154s
- max time network: 27s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-04-2021 18:04
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Advice.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Payment Advice.xlsx
  Resource: win10v20210408
General
- Target: Payment Advice.xlsx
- Size: 3.7MB
- MD5: 5e1e64b617b1c40cf151b5d06e1beec5
- SHA1: 24d6ac44e463d05cb2f224123f0bfae3e7780181
- SHA256: 227f928eab84ca0736d1059cec135eb48996136d98c251ace0cd29d8c139471b
- SHA512: aaad618656ab34b001772341a0f45036323a5422193e6262028013feaa7c1d0714d46c77fdf27667f76e742a9d6e18a30b20a67eeeb3095cfc0d7aabbb8b0eb2
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1712271713:AAGJzuYypM3OwZho3Ow-PgwvbQRhZlQBGFk/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 1 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1376-77-0x0000000004F60000-0x0000000004F96000-memory.dmp  family_agenttesla
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid  process
  4     992  EQNEDT32.EXE
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1376  zerohostz15agz.exe
Loads dropped DLL 1 IoCs
Processes:
  pid  process
  992  EQNEDT32.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 9 IoCs
Processes:
  description      ioc                                                                                                                                    process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1608  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  1376  zerohostz15agz.exe
  1376  zerohostz15agz.exe
  1376  zerohostz15agz.exe
  1376  zerohostz15agz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1376  zerohostz15agz.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process
  1608  EXCEL.EXE
  1608  EXCEL.EXE
  1608  EXCEL.EXE
  1608  EXCEL.EXE
  1608  EXCEL.EXE
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                         pid   process             target process
  PID 992 wrote to memory of 1376     992   EQNEDT32.EXE        zerohostz15agz.exe
  PID 992 wrote to memory of 1376     992   EQNEDT32.EXE        zerohostz15agz.exe
  PID 992 wrote to memory of 1376     992   EQNEDT32.EXE        zerohostz15agz.exe
  PID 992 wrote to memory of 1376     992   EQNEDT32.EXE        zerohostz15agz.exe
  PID 1376 wrote to memory of 960     1376  zerohostz15agz.exe  schtasks.exe
  PID 1376 wrote to memory of 960     1376  zerohostz15agz.exe  schtasks.exe
  PID 1376 wrote to memory of 960     1376  zerohostz15agz.exe  schtasks.exe
  PID 1376 wrote to memory of 960     1376  zerohostz15agz.exe  schtasks.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
    "C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnRCLcGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp
  MD5: 1a31333ee46c6ff55b6c176907fd43f1
  SHA1: c89062b1ec444d0dec2221e1ccc2bc459791deec
  SHA256: b6724aa4826953f439e76b8219be9ec70b30df359deba514519725893398f77f
  SHA512: b297bc4cb64a64b8fc5f1040c37b8ceb75d406fa331ef06fc0f2482dabb26cb8c0a8c686211c31188c7b6a4662493bf16e23a4e6abc8f27338a35d64bebe9ee5
- C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
  MD5: 02cfffb4f0237ed12a4b89e241c6276e
  SHA1: 22a6830516f61b0f50b82bf860deb66bf403a2d1
  SHA256: a9e89aa79f71caff5fc6b20d16623c7f3d089235def31b5d4599af5cfd211fb4
  SHA512: 9f7e5a00dd3e57fc68eae426aacb99f031428554aabd764de6a0abef5e22588ae9ea3ab0afce0f9b849590009aec2e89a2a9ac27d3aab47b8aa7418297e91002
- \Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
  MD5: 02cfffb4f0237ed12a4b89e241c6276e
  SHA1: 22a6830516f61b0f50b82bf860deb66bf403a2d1
  SHA256: a9e89aa79f71caff5fc6b20d16623c7f3d089235def31b5d4599af5cfd211fb4
  SHA512: 9f7e5a00dd3e57fc68eae426aacb99f031428554aabd764de6a0abef5e22588ae9ea3ab0afce0f9b849590009aec2e89a2a9ac27d3aab47b8aa7418297e91002
- memory/960-75-0x0000000000000000-mapping.dmp
- memory/992-63-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB
- memory/1376-68-0x0000000000950000-0x0000000000951000-memory.dmp
  Filesize: 4KB
- memory/1376-65-0x0000000000000000-mapping.dmp
- memory/1376-70-0x0000000004810000-0x0000000004811000-memory.dmp
  Filesize: 4KB
- memory/1376-71-0x0000000000510000-0x0000000000519000-memory.dmp
  Filesize: 36KB
- memory/1376-72-0x000000007EF40000-0x000000007EF41000-memory.dmp
  Filesize: 4KB
- memory/1376-73-0x0000000005160000-0x00000000051D4000-memory.dmp
  Filesize: 464KB
- memory/1376-74-0x0000000004340000-0x000000000437C000-memory.dmp
  Filesize: 240KB
- memory/1376-77-0x0000000004F60000-0x0000000004F96000-memory.dmp
  Filesize: 216KB
- memory/1608-60-0x000000002F601000-0x000000002F604000-memory.dmp
  Filesize: 12KB
- memory/1608-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1608-61-0x0000000070E31000-0x0000000070E33000-memory.dmp
  Filesize: 8KB