Analysis
-
max time kernel: 125s
max time network: 122s
platform: windows7_x64
resource: win7v20210410
submitted: 11-05-2021 11:10
-
Static task: static1
Behavioral task: behavioral1 (Sample: presupuesto.xlsx, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: presupuesto.xlsx, Resource: win10v20210408)
General
-
Target: presupuesto.xlsx
Size: 1.6MB
MD5: 0c44a9fa4ce2184c319d7d2b1dc6e319
SHA1: fb24049452c8a31eab37ef00099b0604bd40cd95
SHA256: 8c7d8fc2a97430056c231bcc2e3601fd27718e08c105171175789a6d86921cea
SHA512: a823ed02ed0129d55711b401ad175f877d4828e3c1040cad5cb83f04742d32ecf7b988ab8ba208af8f3a9226381377f953b1ca1bfdd22c96bda364c1ba13ca92
Malware Config
-
Extracted: agenttesla
Protocol: smtp
Host: smtp.kaeiser.com
Port: 587
Username: sergio.arroyo@kaeiser.com
Password: QIErWCn3
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample exfiltrates over SMTP using the credentials extracted above.
-
AgentTesla Payload 3 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/832-75-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/832-76-0x00000000004375EE-mapping.dmp                     family_agenttesla
  behavioral1/memory/832-78-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
-
Blocklisted process makes network request 2 IoCs
Processes:
  flow  pid   process
  7     2036  EQNEDT32.EXE
  9     2036  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid  process
  904  vbc.exe
  832  vbc.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  2036  EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
This signature matches on the image name vbc.exe. The binary here is a dropped file in C:\Users\Public (see "Executes dropped EXE" and the hashes under Downloads), not the Visual Basic compiler shipped under the .NET Framework directory; the name is borrowed to blend in.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                        pid  process  target process
  PID 904 set thread context of 832  904  vbc.exe  vbc.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is a legacy Office component, removed by Microsoft in the January 2018 Office updates, that is frequently targeted by exploits such as CVE-2017-11882. Here it is started as a COM server ("-Embedding") and goes on to download and run a PE file, which is why it appears as its own root in the process tree rather than as a child of EXCEL.EXE.
Processes:
  pid   process
  2036  EQNEDT32.EXE
-
Modifies Internet Explorer settings 9 IoCs
Processes:
All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\ and are written by EXCEL.EXE.
  description      ioc
  Key created      MenuExt
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created      Toolbar
  Key created      MenuExt\Se&nd to OneNote
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created      MenuExt\E&xport to Microsoft Excel
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
-
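The "Launches Equation Editor" signature above fires only after the document has been opened in a sandbox. A static pre-filter can flag workbooks that carry an Equation Editor object before detonation. The following is an added example, not part of the Triage report or of any tool named on this page. It uses only the standard library and three byte-level markers: the `progId="Equation.3"` attribute in the sheet XML, the "Equation Native" stream name (stored UTF-16LE inside the OLE container, where the MTEF data exploited by CVE-2017-11882 lives) and the Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as laid out in an OLE directory entry. The two workbooks built at the bottom are constructed test inputs, not real documents.

```python
"""Static triage for Equation Editor objects in an OOXML workbook (.xlsx).

Added example, not from the report.  Heuristic byte scanning, not an OLE
parser: an encrypted or otherwise obfuscated document will not trip it.
"""
import io
import zipfile
from typing import Dict, List

# CLSID {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as it
# is stored on disk: first three GUID fields little-endian, the rest as written.
EQUATION3_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")
# Directory-entry name of the stream that holds the MTEF data (UTF-16LE).
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
# Reference to the object from the worksheet XML.
PROGID_MARKER = b'progId="Equation.3"'


def scan_workbook(data: bytes) -> Dict[str, List[str]]:
    """Return {marker: [zip members in which it was seen]} for an .xlsx blob."""
    hits: Dict[str, List[str]] = {"progid": [], "stream": [], "clsid": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            is_embedding = name.startswith("xl/embeddings/")
            is_sheet = name.startswith("xl/worksheets/") and name.endswith(".xml")
            if not (is_embedding or is_sheet):
                continue
            blob = zf.read(name)
            if is_sheet and PROGID_MARKER in blob:
                hits["progid"].append(name)
            if is_embedding and EQUATION_NATIVE in blob:
                hits["stream"].append(name)
            if is_embedding and EQUATION3_CLSID in blob:
                hits["clsid"].append(name)
    return hits


def has_equation_object(data: bytes) -> bool:
    """True if any marker was found anywhere in the workbook."""
    return any(scan_workbook(data).values())


def _build_xlsx(members: Dict[str, bytes]) -> bytes:
    """Assemble an in-memory zip with the given members (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed inputs, not real documents.  SUSPECT_XLSX references Equation.3
# from the sheet and embeds an OLE blob containing the CLSID and stream name;
# BENIGN_XLSX embeds an object with neither.
SUSPECT_XLSX = _build_xlsx({
    "xl/worksheets/sheet1.xml":
        b'<worksheet><oleObjects><oleObject progId="Equation.3" r:id="rId1"/>'
        b"</oleObjects></worksheet>",
    "xl/embeddings/oleObject1.bin":
        b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + EQUATION3_CLSID
        + b"\x00" * 8 + EQUATION_NATIVE,
})
BENIGN_XLSX = _build_xlsx({
    "xl/worksheets/sheet1.xml": b"<worksheet/>",
    "xl/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,
})

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT_XLSX), ("benign", BENIGN_XLSX)):
        print(label, has_equation_object(doc), scan_workbook(doc))
```

Any one marker is enough to route a file to detonation; all three together, as in this sample's delivery path, is a strong signal. Hosts patched since January 2018 no longer have EQNEDT32.EXE, so the same document would not execute there, but that does not make the attachment safe to forward.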
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1096  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid  process
  832  vbc.exe
  832  vbc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid  process
  Token: SeDebugPrivilege  832  vbc.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid   process
  1096  EXCEL.EXE
  1096  EXCEL.EXE
  1096  EXCEL.EXE
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  description                        pid   process       target process  events
  PID 2036 wrote to memory of 904    2036  EQNEDT32.EXE  vbc.exe         4
  PID 904 wrote to memory of 832     904   vbc.exe       vbc.exe         9
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\presupuesto.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Public\vbc.exe (child of EQNEDT32.EXE)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Public\vbc.exe (child of the first vbc.exe)
      "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
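The process tree and signatures above describe one chain: EQNEDT32.EXE is activated as a COM server, fetches and writes a PE to C:\Users\Public\vbc.exe, that file launches a second copy of itself and replaces its thread context (the hollowing pattern behind the SetThreadContext and WriteProcessMemory signatures), and the hollowed copy carries the AgentTesla payload that talks SMTP. The rules below encode that chain over endpoint telemetry. This is an added example, not part of the Triage report: the event schema is this example's own simplification of process-create, process-access and network events (field names are assumptions, not Triage's or Sysmon's), the sample events are constructed from the PIDs and paths in the report, and the download host 198.51.100.7 is a placeholder because the report's Network section is empty.

```python
"""Detections for the EQNEDT32.EXE -> dropped vbc.exe -> hollowed vbc.exe ->
SMTP chain seen in this report.  Added example; the event shape, rule names
and sample events are this example's own constructions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Indicator taken from the report's Malware Config section.
KNOWN_BAD_SMTP = {("smtp.kaeiser.com", 587)}
# Office helper that should neither spawn children nor reach the network.
NO_CHILD_NO_NET = {"eqnedt32.exe"}
# Directory the dropped payload ran from in the report.
SUSPECT_DIRS = ("c:\\users\\public\\",)
# WriteProcessMemory alone is too noisy (browsers, debuggers); a same-image
# child whose thread context is rewritten is the hollowing tell.
HOLLOWING_APIS = {"setthreadcontext"}


@dataclass
class Event:
    kind: str               # "process" | "access" | "network"
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target_pid: int = 0     # access: process being written to / re-contexted
    api: str = ""           # access: API observed
    dst_host: str = ""      # network: destination host
    dst_port: int = 0


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return sorted, de-duplicated (rule, pid) pairs."""
    image_of = {e.pid: e.image for e in events if e.kind == "process"}
    hits = set()
    for e in events:
        if e.kind == "process":
            # Key on EQNEDT32.EXE as the parent.  Do not require an
            # EXCEL.EXE -> EQNEDT32.EXE edge: DCOM starts Equation Editor
            # ("-Embedding"), so the sandbox shows it as its own tree root.
            if _name(e.parent_image) in NO_CHILD_NO_NET:
                hits.add(("eqnedt32_spawned_child", e.pid))
            if e.image.lower().startswith(SUSPECT_DIRS):
                hits.add(("exe_from_public_dir", e.pid))
        elif e.kind == "access":
            same_image = image_of.get(e.target_pid, "").lower() == e.image.lower()
            if same_image and e.api.lower() in HOLLOWING_APIS:
                hits.add(("same_image_child_hollowing", e.pid))
        elif e.kind == "network":
            if _name(e.image) in NO_CHILD_NO_NET:
                hits.add(("blocklisted_process_network", e.pid))
            if (e.dst_host.lower(), e.dst_port) in KNOWN_BAD_SMTP:
                hits.add(("agenttesla_smtp_exfil", e.pid))
    return sorted(hits)


EXCEL = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE"
EQNEDT = ("C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION"
          "\\EQNEDT32.EXE")
VBC = "C:\\Users\\Public\\vbc.exe"

# Constructed telemetry mirroring the report's PIDs and paths.
SAMPLE_EVENTS = [
    Event("process", 1096, EXCEL,
          cmdline=f'"{EXCEL}" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\presupuesto.xlsx'),
    Event("process", 2036, EQNEDT, cmdline=f'"{EQNEDT}" -Embedding'),  # own root
    Event("network", 2036, EQNEDT, dst_host="198.51.100.7", dst_port=80),  # placeholder host
    Event("process", 904, VBC, parent_pid=2036, parent_image=EQNEDT),
    Event("process", 832, VBC, parent_pid=904, parent_image=VBC),
    Event("access", 904, VBC, target_pid=832, api="SetThreadContext"),
    Event("network", 832, VBC, dst_host="smtp.kaeiser.com", dst_port=587),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Each rule is independent, so a variant that drops to %TEMP% instead of C:\Users\Public or exfiltrates over a different relay still trips the Equation Editor and hollowing rules; only the SMTP indicator is specific to this sample.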
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (recorded four times, once as \Users\Public\vbc.exe, all with identical hashes)
  MD5     4c73eb0cc8484548f61fc47dbda9ce79
  SHA1    f2fb44b8f77faa60883c615d355aebe67fcb5b7a
  SHA256  e362a12bb6f319448ea193d84be1c4bf36f0c44f6e1229136d618ad4fb072fca
  SHA512  ad87cf5504fefe90c5f8e047606e9ea9ac19bfd6f855560507c1ebebde24ca338b4d563f7a537578b7a1779e5cfb36d30a14fea934a257cf3d93bb6ab318e364
-
Memory dumps, grouped by process (name is pid-sequence-range):
  dump                                                             filesize
  memory/1096-60-0x000000002FBC1000-0x000000002FBC4000-memory.dmp  12KB
  memory/1096-61-0x0000000070EB1000-0x0000000070EB3000-memory.dmp  8KB
  memory/1096-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/1096-72-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/2036-63-0x0000000075281000-0x0000000075283000-memory.dmp  8KB
  memory/904-65-0x0000000000000000-mapping.dmp                     n/a
  memory/904-68-0x0000000000E90000-0x0000000000E91000-memory.dmp   4KB
  memory/904-70-0x0000000000370000-0x0000000000374000-memory.dmp   16KB
  memory/904-71-0x0000000000C80000-0x0000000000C81000-memory.dmp   4KB
  memory/904-73-0x00000000052E0000-0x00000000053AA000-memory.dmp   808KB
  memory/904-74-0x0000000004B00000-0x0000000004B91000-memory.dmp   580KB
  memory/832-75-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
  memory/832-76-0x00000000004375EE-mapping.dmp                     n/a
  memory/832-78-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
  memory/832-80-0x0000000004980000-0x0000000004981000-memory.dmp   4KB
The two 240KB dumps of PID 832 at 0x400000-0x43C000 are the ones the family_agenttesla YARA rule matched: the image region of the hollowed vbc.exe after the payload was written into it.