Analysis
max time kernel: 148s
max time network: 99s
platform: windows7_x64
resource: win7v20210410
submitted: 10-05-2021 06:54

Static task: static1
Behavioral task: behavioral1
  Sample: SOA May.xlt
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: SOA May.xlt
  Resource: win10v20210408

General
Target: SOA May.xlt
Size: 708KB
MD5: eab9dd0c6c9970b12851dc56c8e77ebb
SHA1: 0ce87f1116fe287bc9415a051af23c81d27449c1
SHA256: 1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
SHA512: fc619429f3ff49df839345f754ada67b35960c015b0be84289ae9aad8174142f4b6bce067bcb7babefd6aac65399806c528417329eb3dc1c87f0073e08bdb4cb
Malware Config
Extracted config: agenttesla
Protocol: ftp
Host: ftp://ftp.tractorandinas.com/
Port: 21
Username: [email protected]
Password: ~P*xO7vPBc-o
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 2 IoCs
  resource  yara_rule
  behavioral1/memory/1704-84-0x0000000001F30000-0x0000000001F7D000-memory.dmp  family_agenttesla
  behavioral1/memory/1704-85-0x0000000004710000-0x000000000475C000-memory.dmp  family_agenttesla
- Downloads MZ/PE file
- Drops file in Drivers directory 1 IoCs
  description  ioc  process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  ctci.exe
- Executes dropped EXE 4 IoCs
  pid  process
  776  ctci.exe
  1704  ctci.exe
  804  Netplwiz.exe
  1352  Netplwiz.exe
- Loads dropped DLL 2 IoCs
  pid  process
  1084  EXCEL.EXE
  1084  EXCEL.EXE
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vaijia = "C:\\Users\\Public\\aijiaV.url"  ctci.exe
- Suspicious use of SetThreadContext 1 IoCs
  description  pid  process  target process
  PID 776 set thread context of 1704  776  ctci.exe  ctci.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Enumerates system info in registry 2 TTPs 1 IoCs
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
- Modifies Internet Explorer settings
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid  process
  1084  EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid  process
  1704  ctci.exe
  1704  ctci.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description  pid  process
  Token: SeDebugPrivilege  1704  ctci.exe
- Suspicious use of SetWindowsHookEx 5 IoCs
  pid  process
  1084  EXCEL.EXE
  1084  EXCEL.EXE
  1084  EXCEL.EXE
  1084  EXCEL.EXE
  1084  EXCEL.EXE
- Suspicious use of WriteProcessMemory 18 IoCs
  description  pid  process  target process
  PID 1084 wrote to memory of 776  1084  EXCEL.EXE  ctci.exe
  PID 1084 wrote to memory of 776  1084  EXCEL.EXE  ctci.exe
  PID 1084 wrote to memory of 776  1084  EXCEL.EXE  ctci.exe
  PID 1084 wrote to memory of 776  1084  EXCEL.EXE  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 1704  776  ctci.exe  ctci.exe
  PID 776 wrote to memory of 536  776  ctci.exe  cmd.exe
  PID 776 wrote to memory of 536  776  ctci.exe  cmd.exe
  PID 776 wrote to memory of 536  776  ctci.exe  cmd.exe
  PID 776 wrote to memory of 536  776  ctci.exe  cmd.exe
  PID 536 wrote to memory of 760  536  cmd.exe  cmd.exe
  PID 536 wrote to memory of 760  536  cmd.exe  cmd.exe
  PID 536 wrote to memory of 760  536  cmd.exe  cmd.exe
  PID 536 wrote to memory of 760  536  cmd.exe  cmd.exe
Processes
(process tree; nesting shows parent/child depth, followed by each process's image path, command line and triggered signatures)
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SOA May.xlt"
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\ctci.exe
    "C:\Users\Admin\ctci.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\ctci.exe
      C:\Users\Admin\ctci.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\stt.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        - C:\Windows \System32\Netplwiz.exe
          "C:\Windows \System32\Netplwiz.exe"
          - Executes dropped EXE
        - C:\Windows \System32\Netplwiz.exe
          "C:\Windows \System32\Netplwiz.exe"
          - Executes dropped EXE
Downloads