Analysis
- max time kernel: 147s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-07-2021 09:26

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoice#P.O474746.xlsx, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: Invoice#P.O474746.xlsx, Resource: win10v20210408)
General
- Target: Invoice#P.O474746.xlsx
- Size: 602KB
- MD5: 80126b0c7190360c63cdfc0b57839920
- SHA1: 191ffb490653ca129ed7fe603f2d7734d3d0c157
- SHA256: dae10b4be19f81707d8c9b2fab7539a0f5a9c82ef37f5c0ee3500c161c68fb20
- SHA512: 6ccb4cf91abfa2693b79099d9e498aa24658fb1a5c6f85420487fa8998208fc6ac9caf4ca1053179e0c331cabaf411607a8e0344654c920f67d991b0a6fa0979
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.simpleitalian.com.au
- Port: 587
- Username: [email protected]
- Password: SIpassword101$
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1628-73-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1628-74-0x00000000004374CE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1628-76-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- CustAttr .NET packer (1 IoCs)
  Detects CustAttr .NET packer in memory.
  Processes (resource / yara_rule):
  - behavioral1/memory/300-70-0x0000000000330000-0x000000000033B000-memory.dmp: CustAttr
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
  - flow 6, PID 1732, EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - PID 300, ashlye51.exe
  - PID 1628, ashlye51.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  - PID 1732, EQNEDT32.EXE
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 300 set thread context of 1628: ashlye51.exe -> ashlye51.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description / ioc / process), all by EXCEL.EXE:
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
  - PID 1996, EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - PID 1628, ashlye51.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, PID 1628, ashlye51.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid / process):
  - PID 1996, EXCEL.EXE (3 hits)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  - PID 1732 wrote to memory of 300: EQNEDT32.EXE -> ashlye51.exe (4 hits)
  - PID 300 wrote to memory of 1628: ashlye51.exe -> ashlye51.exe (9 hits)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice#P.O474746.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1732)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ashlye51.exe (PID 300, child of EQNEDT32.EXE)
    Command line: "C:\Users\Admin\AppData\Roaming\ashlye51.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ashlye51.exe (PID 1628, child of ashlye51.exe PID 300)
      Command line: "C:\Users\Admin\AppData\Roaming\ashlye51.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\ashlye51.exe
  MD5: dfcca1c0512fb60c55bc167340b8e653
  SHA1: 95931116c675f2b616c169c2bd62af810751ce22
  SHA256: d2ac9d14c748cb3068f47fb3b8e0c30466f14a706eb17737b9122a8f8a023f0c
  SHA512: e76a9c15f77173ea568b912260ff970420dbdd962d46fc2575491257cd45a684c2f0577eafc15aa693c6fe46738487a86b64933c2c17ea062ebdf96fe7ec080e
Memory dumps (resource: filesize)
- memory/300-70-0x0000000000330000-0x000000000033B000-memory.dmp: 44KB
- memory/300-71-0x0000000004DB0000-0x0000000004E2B000-memory.dmp: 492KB
- memory/300-72-0x00000000004A0000-0x00000000004DD000-memory.dmp: 244KB
- memory/300-64-0x0000000000000000-mapping.dmp
- memory/300-67-0x0000000001320000-0x0000000001321000-memory.dmp: 4KB
- memory/300-69-0x00000000011C0000-0x00000000011C1000-memory.dmp: 4KB
- memory/1628-73-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1628-74-0x00000000004374CE-mapping.dmp
- memory/1628-76-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1628-78-0x0000000004BA0000-0x0000000004BA1000-memory.dmp: 4KB
- memory/1628-80-0x0000000004BA1000-0x0000000004BA2000-memory.dmp: 4KB
- memory/1732-62-0x0000000075D41000-0x0000000075D43000-memory.dmp: 8KB
- memory/1996-59-0x000000002F561000-0x000000002F564000-memory.dmp: 12KB
- memory/1996-61-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/1996-60-0x0000000070F91000-0x0000000070F93000-memory.dmp: 8KB
- memory/1996-79-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB