Analysis
max time kernel: 100s
max time network: 46s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: US 74,100.50 .xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: US 74,100.50 .xlsx
  Resource: win10v20210410
General
Target: US 74,100.50 .xlsx
Size: 1.1MB
MD5: b8e12d23fa9780efb407c51dd8a3767f
SHA1: 110487c60cd6507687a5d93b9fa2ce6e5dbd46b7
SHA256: 92f98059db2e215ef3ff991be89504eafea4e08c66753c9a480d03cdb0b9add9
SHA512: 01d11839f2339188490b518fd66baf7840c0b48d91891828107b74aa5e2ec9c5df0c8bb7b2a091e025ebbf62de47e73b7692fab62e1a9b4ee78e992cff4d0053
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cisburo.com
Port: 587
Username: elie@cisburo.com
Password: Essaab1967#
This is the exfiltration channel: Agent Tesla sends harvested data by mailing it through this account (an operator-controlled or, commonly, a compromised legitimate mailbox). Treat the host and account as exfiltration indicators, not as a victim, and block outbound 587 to the host from the affected hosts.
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; it harvests credentials from browsers, mail and FTP clients and typically sends them out over SMTP, FTP or HTTP, which is why the extracted config above is an SMTP account.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
The rule fires on an HTTP GET for a very short alphanumeric path, the ET heuristic for payload downloaders; in this run it coincides with the EQNEDT32.EXE network request and the MZ/PE download listed below.

AgentTesla Payload (3 IoCs)
YARA rule family_agenttesla matched these memory regions:
  behavioral1/memory/2040-80-0x0000000000400000-0x000000000043C000-memory.dmp
  behavioral1/memory/2040-81-0x00000000004375EE-mapping.dmp
  behavioral1/memory/2040-83-0x0000000000400000-0x000000000043C000-memory.dmp
All three hits are in PID 2040, the second vbc.exe instance, and none are in the dropped file on disk, which indicates that the on-disk vbc.exe is a packer/loader and the Agent Tesla image exists only unpacked inside the hollowed child.

Blocklisted process makes network request (1 IoC)
  flow 6, PID 1676, EQNEDT32.EXE
Equation Editor has no legitimate reason to open a network connection; this is the exploit's download stage.

Downloads MZ/PE file
(no per-process IoC listed in the report)

Executes dropped EXE (2 IoCs)
  PID 1760, C:\Users\Public\vbc.exe
  PID 2040, C:\Users\Public\vbc.exe

Loads dropped DLL (2 IoCs)
  PID 1676, EQNEDT32.EXE (2 loads)

Uses the Visual Basic compiler for execution (1 TTP)
The signature keys on the file name vbc.exe. Here C:\Users\Public\vbc.exe is the downloaded payload (MD5 91be015e2c0c979a2a5b84fc81164538, see Downloads), not the Microsoft vbc.exe compiler; the name is presumably chosen so the process looks like .NET tooling. Note that vbc.exe is the VB.NET compiler, not a VBScript component.

Adds Run key to start application (2 TTPs, 1 IoC)
  vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"
newfile.exe does not appear in the Downloads list of this report, so the Run key's target was not captured as a file in this run.

Suspicious use of SetThreadContext (1 IoC)
  PID 1760 (vbc.exe) set thread context of PID 2040 (vbc.exe)
Together with the nine WriteProcessMemory calls from 1760 into 2040 and the YARA hits appearing only in 2040, this is consistent with process hollowing: the loader starts a copy of itself, overwrites it with the unpacked Agent Tesla image and points the main thread into it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; no file encryption activity appears anywhere in this report.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is the schtasks.exe invocation in the process tree (PID 1864): /Create /TN "Updates\tnSAYdHPXvYHNv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp"; the task definition is the tmpDCA9.tmp file hashed under Downloads.

Enumerates system info in registry (2 TTPs, 1 IoC)
  EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Normal Office start-up behaviour; low signal on its own.

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor (EQNEDT32.EXE) is an old Office component, removed by Microsoft in the January 2018 Office updates, and a frequent exploit target (CVE-2017-11882, a stack buffer overflow in its font-name handling). Because it is COM-activated (the -Embedding switch), it appears beside EXCEL.EXE rather than under it in the process tree, so detections should key on EQNEDT32.EXE spawning children or opening sockets rather than on its parent.

Modifies Internet Explorer settings
  EXCEL.EXE, all under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer:
  Key created Toolbar
  Set value (str) Toolbar\ShowDiscussionButton = "Yes"
  Key created MenuExt
  Key created MenuExt\Se&nd to OneNote
  Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created MenuExt\E&xport to Microsoft Excel
  Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
These are Office 2010 registering its own IE context-menu extensions (Send to OneNote, Export to Microsoft Excel) and are benign noise.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2032, EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1760, vbc.exe
  PID 2040, vbc.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1760, vbc.exe: Token: SeDebugPrivilege
  PID 2040, vbc.exe: Token: SeDebugPrivilege
SeDebugPrivilege is enabled before opening other processes for writing; a binary in a user-writable directory enabling it is a strong injection precursor.

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2032, EXCEL.EXE (3 hooks)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1676 (EQNEDT32.EXE) wrote to memory of PID 1760 (vbc.exe): 4 times
  PID 1760 (vbc.exe) wrote to memory of PID 1864 (schtasks.exe): 4 times
  PID 1760 (vbc.exe) wrote to memory of PID 2040 (vbc.exe): 9 times
The writes into a freshly created child (1760, 1864) are the ordinary part of CreateProcess as the sandbox records it; the nine writes into PID 2040, followed by SetThreadContext, are the hollowing.
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2032)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\US 74,100.50 .xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1676; COM-activated, so it sits beside EXCEL.EXE rather than under it)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 1760)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1864)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tnSAYdHPXvYHNv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp"
      - Creates scheduled task(s)
      (The command line names System32 but the image resolved to SysWOW64: the 32-bit loader hit WOW64 file-system redirection, a useful hint that vbc.exe is a 32-bit binary.)

    C:\Users\Public\vbc.exe (PID 2040, the hollowed child)
      "{path}" (literal command line as recorded by the sandbox)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
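The process tree and signatures above describe one chain: Equation Editor fetches and launches a binary from C:\Users\Public, that binary registers a scheduled task from an XML in %TEMP%, hollows a copy of itself with SetThreadContext, writes a Run key into AppData\Roaming, and (per the extracted config) exfiltrates over SMTP. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it encodes each link of that chain as a detection rule and runs the rules over event records constructed from the PIDs, paths and registry values in this report. The event schema (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`, `target_pid`) and the rule names are assumptions; the SMTP event is constructed from the malware config because the report's Network section records no connection.

```python
"""Detection rules for the Excel -> EQNEDT32.EXE -> dropped-EXE chain in this report.

Added example, not part of the sandbox report. The event schema is an
assumption; the records below are constructed from the PIDs, paths and
registry values the report lists.
"""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, int]

# Constructed events mirroring the process tree, registry and config IoCs above.
EVENTS: List[Event] = [
    {"type": "process", "pid": 2032, "ppid": 900,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\US 74,100.50 .xlsx"'},
    # EQNEDT32.EXE is COM-activated (-Embedding), so its parent is the COM
    # launcher, not EXCEL.EXE (ppid 600 is a placeholder). The rules therefore
    # key on what EQNEDT32.EXE spawns, not on who spawned it.
    {"type": "process", "pid": 1676, "ppid": 600,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"type": "process", "pid": 1760, "ppid": 1676,
     "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"type": "process", "pid": 1864, "ppid": 1760,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tnSAYdHPXvYHNv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp"'},
    {"type": "process", "pid": 2040, "ppid": 1760,
     "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"{path}"'},
    {"type": "setthreadcontext", "pid": 1760, "target_pid": 2040},
    {"type": "registry_set", "pid": 2040,
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile",
     "value": r"C:\Users\Admin\AppData\Roaming\newfile\newfile.exe"},
    # Constructed from the extracted Agent Tesla config; the report's Network
    # section itself records no connection.
    {"type": "network", "pid": 2040, "proto": "smtp", "host": "mail.cisburo.com", "port": 587},
]

# Directories an unprivileged user can write to. A binary executing from one
# of these, or persistence pointing into one, is the common thread of the chain.
USER_WRITABLE = (r"\users\public\", r"\appdata\local\temp\", r"\appdata\roaming\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"]+)', re.I)


def _base(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def detect(events: List[Event]) -> List[Finding]:
    """Run every rule over the event stream; return (rule, pid) pairs."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Equation Editor never legitimately spawns anything.
            if parent and _base(parent["image"]) == "eqnedt32.exe":
                findings.append(("equation_editor_child_process", e["pid"]))
            if _user_writable(e["image"]):
                findings.append(("exec_from_user_writable_dir", e["pid"]))
            # schtasks /Create whose task XML lives in a user-writable directory.
            if _base(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower():
                m = XML_ARG_RE.search(e["cmdline"])
                if m and _user_writable(m.group(1)):
                    findings.append(("schtasks_create_from_temp_xml", e["pid"]))
        elif e["type"] == "setthreadcontext":
            # A process redirecting a thread in a copy of its own image: hollowing.
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            if src and dst and _base(src["image"]) == _base(dst["image"]):
                findings.append(("self_injection_setthreadcontext", e["target_pid"]))
        elif e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and _user_writable(e["value"]):
                findings.append(("run_key_to_user_writable_path", e["pid"]))
        elif e["type"] == "network":
            src = procs.get(e["pid"])
            if e["proto"] == "smtp" and src and _user_writable(src["image"]):
                findings.append(("smtp_from_user_writable_binary", e["pid"]))
    return findings


# Rough ATT&CK-style grouping so a triage view can see which stages were observed.
STAGES = {
    "execution": {"equation_editor_child_process", "exec_from_user_writable_dir"},
    "persistence": {"schtasks_create_from_temp_xml", "run_key_to_user_writable_path"},
    "defense_evasion": {"self_injection_setthreadcontext"},
    "exfiltration": {"smtp_from_user_writable_binary"},
}


def stages_hit(findings: List[Finding]) -> Dict[str, bool]:
    names = {name for name, _ in findings}
    return {stage: bool(names & rules) for stage, rules in STAGES.items()}


if __name__ == "__main__":
    results = detect(EVENTS)
    for name, pid in results:
        print(f"{name:34s} pid={pid}")
    print(stages_hit(results))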
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp (the scheduled-task XML passed to schtasks /XML)
  MD5: 1604f75bfe2dd9d41d09ff62a6f81689
  SHA1: 9f8fc57042c7b600dd085877072202a72653eb09
  SHA256: 41a81af3cab9604bdfdfe5d971ea57d4d546601b960744dbac2881c6f88ca2cf
  SHA512: b12d621f1cdca585e4ddae44ff235c704c4ba13a87b791a73dcd04629af9c9fbb5ee8e9aed5b4b7405789d16926a9cac14a8ee82acb941b5fca7865511fb81c2

C:\Users\Public\vbc.exe (the downloaded loader; the report lists this same file five times, also under the path form \Users\Public\vbc.exe, all with identical hashes)
  MD5: 91be015e2c0c979a2a5b84fc81164538
  SHA1: 14b768716368e0dbbd188d2aad80eaff8340f912
  SHA256: 25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60
  SHA512: adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85
-
Memory dumps, grouped by process:

PID 1676 (EQNEDT32.EXE)
  memory/1676-63-0x00000000754F1000-0x00000000754F3000-memory.dmp  8KB

PID 1760 (vbc.exe, loader)
  memory/1760-66-0x0000000000000000-mapping.dmp
  memory/1760-69-0x00000000008A0000-0x00000000008A1000-memory.dmp  4KB
  memory/1760-71-0x0000000004DB0000-0x0000000004DB1000-memory.dmp  4KB
  memory/1760-72-0x0000000000400000-0x0000000000402000-memory.dmp  8KB
  memory/1760-76-0x0000000005030000-0x00000000050AE000-memory.dmp  504KB
  memory/1760-77-0x0000000004C60000-0x0000000004C9B000-memory.dmp  236KB

PID 1864 (schtasks.exe)
  memory/1864-78-0x0000000000000000-mapping.dmp

PID 2032 (EXCEL.EXE)
  memory/2032-60-0x000000002F691000-0x000000002F694000-memory.dmp  12KB
  memory/2032-61-0x0000000070F81000-0x0000000070F83000-memory.dmp  8KB
  memory/2032-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/2032-73-0x00000000060E0000-0x0000000006D2A000-memory.dmp  12.3MB
  memory/2032-74-0x00000000060E0000-0x0000000006D2A000-memory.dmp  12.3MB
  memory/2032-75-0x00000000060E0000-0x0000000006D2A000-memory.dmp  12.3MB
  memory/2032-86-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB

PID 2040 (vbc.exe, hollowed child)
  memory/2040-80-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/2040-81-0x00000000004375EE-mapping.dmp
  memory/2040-83-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/2040-85-0x0000000004B10000-0x0000000004B11000-memory.dmp  4KB

The two 240KB dumps of 0x400000-0x43C000 in PID 2040 are the region that matched the family_agenttesla YARA rule: the unpacked Agent Tesla image written in by PID 1760. The mapping entry at 0x4375EE lies inside that region and is consistent with the thread start address set by SetThreadContext; 0x4375EE, or the whole 0x400000-0x43C000 range of PID 2040, is the dump to pull for static analysis of the real payload, rather than the 504KB/236KB regions in PID 1760, which belong to the loader.