Analysis
Max time kernel: 131s
Max time network: 132s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 21-10-2021 13:28
Static task: static1
Behavioral task: behavioral1
  Sample: DELIVERY FOLLOW UP.XLSX.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: DELIVERY FOLLOW UP.XLSX.exe
  Resource: win10-en-20211014
General
Target: DELIVERY FOLLOW UP.XLSX.exe
Size: 481KB
MD5: 75c0f9a2900015e3b9ab6b5433706786
SHA1: 787a8a7cd60f220e41b0aed7605db324c06dc786
SHA256: d794df300789db006c10efb29a8cd2683c72070312700eff88f82e40c5548667
SHA512: e13e8d0fb150a033f9a1e5544a25494fec5f3fb8476d80c0c3fcd45399a44c269a79c40bcc443fe3efd6b595c898b06e714996b36a1076034ca29075ac09d6ec
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.bulletproofprotections.com
Port: 587
Username: account@bulletproofprotections.com
Password: Everest10account
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4528-124-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral2/memory/4528-125-0x000000000043779E-mapping.dmp                    family_agenttesla
  behavioral2/memory/4528-130-0x00000000051B0000-0x00000000056AE000-memory.dmp  family_agenttesla

Drops file in Drivers directory (1 IoC)
  description                   ioc                                    process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  DELIVERY FOLLOW UP.XLSX.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                     DELIVERY FOLLOW UP.XLSX.exe
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                     DELIVERY FOLLOW UP.XLSX.exe
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  DELIVERY FOLLOW UP.XLSX.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                      target process
  PID 4372 set thread context of 4528  4372  DELIVERY FOLLOW UP.XLSX.exe  DELIVERY FOLLOW UP.XLSX.exe

Program crash (1 IoC)
  pid   pid_target  process       target process
  3408  4528        WerFault.exe  DELIVERY FOLLOW UP.XLSX.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process                      events
  4528  DELIVERY FOLLOW UP.XLSX.exe  2
  3408  WerFault.exe                 12

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   process
  Token: SeDebugPrivilege     4528  DELIVERY FOLLOW UP.XLSX.exe
  Token: SeRestorePrivilege   3408  WerFault.exe
  Token: SeBackupPrivilege    3408  WerFault.exe
  Token: SeDebugPrivilege     3408  WerFault.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   process                      target process               events
  PID 4372 wrote to memory of 4528     4372  DELIVERY FOLLOW UP.XLSX.exe  DELIVERY FOLLOW UP.XLSX.exe  8

outlook_office_path (1 IoC)
  description  ioc                                                                                                                                  process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  DELIVERY FOLLOW UP.XLSX.exe

outlook_win_path (1 IoC)
  description  ioc                                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  DELIVERY FOLLOW UP.XLSX.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"
      - Drops file in Drivers directory
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1384
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                          filesize
  memory/4372-115-0x00000000009E0000-0x00000000009E1000-memory.dmp  4KB
  memory/4372-117-0x0000000005820000-0x0000000005821000-memory.dmp  4KB
  memory/4372-118-0x0000000005320000-0x0000000005321000-memory.dmp  4KB
  memory/4372-119-0x0000000005320000-0x000000000581E000-memory.dmp  5.0MB
  memory/4372-120-0x0000000005280000-0x0000000005281000-memory.dmp  4KB
  memory/4372-121-0x0000000005300000-0x0000000005307000-memory.dmp  28KB
  memory/4372-122-0x0000000006040000-0x0000000006041000-memory.dmp  4KB
  memory/4372-123-0x00000000060E0000-0x0000000006138000-memory.dmp  352KB
  memory/4528-124-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/4528-125-0x000000000043779E-mapping.dmp                    (no size listed)
  memory/4528-130-0x00000000051B0000-0x00000000056AE000-memory.dmp  5.0MB
  memory/4528-131-0x00000000052F0000-0x00000000052F1000-memory.dmp  4KB
  memory/4528-132-0x0000000005E10000-0x0000000005E11000-memory.dmp  4KB