Analysis
- max time kernel: 106s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:46
Static task: static1
Behavioral task: behavioral1
- Sample: P66 2020 master sheet.xlsx.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: P66 2020 master sheet.xlsx.exe
- Resource: win10v2004-20220414-en
General
- Target: P66 2020 master sheet.xlsx.exe
- Size: 695KB
- MD5: 07080c3aa5fd6d80e5681275ce15afb9
- SHA1: 75e09d1b4f40bea0b068ce79e407ba9b8e8e8ccd
- SHA256: 8580f9a8e64dff0c0d6ecbfe2b90642a972fa20bf91d1b4762ea2cc9c3433225
- SHA512: d21099e5a4537ae609c28e1a2d2afbfbeb15ec9e947c8cc195c56a5fd5aa2b492ea2195521bdc20c6f43daefe59a1eddf7dcaa347501b3a9439a3b4f2f269c25
The double extension (.xlsx.exe) masquerades as an Excel workbook; with known extensions hidden in Explorer the file displays as "P66 2020 master sheet.xlsx".
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mdist.us
- Port: 587
- Username: [email protected]
- Password: Receiving#4321
Exfiltration goes out over the SMTP submission port (587) with these hard-coded mailbox credentials. The Username field as captured on this page reads "[email protected]", an extraction artifact, so the real address is not available here.
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic).
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/3004-138-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
  The hit is on the 0x400000-0x44C000 image range of PID 3004 (RegSvcs.exe), i.e. the unpacked payload running inside the hollowed .NET host, not in the original dropper.
- Drops file in Drivers directory (1 IoC)
  process: RegSvcs.exe
  ioc: File opened for modification C:\Windows\system32\drivers\etc\hosts
  The report records only that the hosts file was opened with write access; it does not show what, if anything, was written, so the file should be diffed against a known-good copy during response.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  process: P66 2020 master sheet.xlsx.exe
  ioc: Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  process: RegSvcs.exe
  ioc: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ioc: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  These profile keys hold Outlook account settings, including stored mail credentials; the payload tries the Office 2013 (15.0), Office 2016+ (16.0) and legacy Windows Messaging Subsystem locations in turn.
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: RegSvcs.exe
  ioc: Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"
  Per-user Run-key persistence pointing at a copy under %LOCALAPPDATA%\Temp, written by the hollowed RegSvcs.exe rather than by the dropper.
- Suspicious use of SetThreadContext (1 IoC)
  PID 4236 (P66 2020 master sheet.xlsx.exe) set thread context of PID 3004 (RegSvcs.exe)
  Together with the repeated WriteProcessMemory calls from 4236 into 3004 listed below, this is the process-hollowing sequence: the dropper starts the legitimate .NET utility RegSvcs.exe, overwrites its memory with the payload and redirects its main thread into it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic rule text; drive enumeration is also routine for stealers and is not on its own evidence of ransomware in this sample.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pids: 4236 P66 2020 master sheet.xlsx.exe; 3004 RegSvcs.exe; 3004 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4236 P66 2020 master sheet.xlsx.exe
  Token: SeDebugPrivilege, PID 3004 RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4236 (P66 2020 master sheet.xlsx.exe) wrote to memory of PID 2364 (schtasks.exe), 3 times
  PID 4236 (P66 2020 master sheet.xlsx.exe) wrote to memory of PID 3004 (RegSvcs.exe), 8 times
  PID 3004 (RegSvcs.exe) wrote to memory of PID 3852 (REG.exe), 3 times
  Three writes into a newly created child accompany ordinary process creation and appear here for both schtasks.exe and REG.exe; the eight writes into RegSvcs.exe are the payload being written into the hollowed host.
- outlook_office_path (1 IoC)
  process: RegSvcs.exe
  ioc: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  process: RegSvcs.exe
  ioc: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\P66 2020 master sheet.xlsx.exe (PID 4236, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\P66 2020 master sheet.xlsx.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2364, depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IZfJGinQuOdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7186.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3004, depth 2)
    command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe (PID 3852, depth 3)
      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
The System32 paths in the command lines resolve to SysWOW64 because the 32-bit dropper is subject to file system redirection. The scheduled task is imported from an XML file dropped in %TEMP% (tmp7186.tmp, listed under Downloads) rather than defined on the command line, so the task's trigger and action are only visible in that file. RegSvcs.exe is launched with the literal argument "{path}" instead of a real path, which is itself a usable detection string. The REG command sets DisableTaskMgr=1 under the current user's Policies\System key, which blocks Task Manager for that user.
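The process tree above, together with the SetThreadContext and WriteProcessMemory signatures, describes a hollowing-plus-persistence chain. The following is an added example, not part of the Triage report or of any tool the report describes, that parses the report's own run-on IoC strings back into per-edge counts, flags the hollowing pattern (one source that both writes memory into a child and resets that child's thread context), and tags the command lines for the schtasks /XML import from %TEMP%, the REG add DisableTaskMgr call and the literal "{path}" argument. The regexes, tag names and the hollowing heuristic are this example's own assumptions; the IoC text, command lines and Run-key value are copied from the report (the 14 WriteProcessMemory entries are rebuilt from their 3/8/3 repeat counts).

```python
"""Reconstruct the injection chain and persistence steps from a Triage-style report.

Added example, not part of the report. The IoC text and command lines below are
copied from this report (the WriteProcessMemory line is rebuilt from its 3/8/3
repeat counts); the regexes, tag names and the hollowing heuristic are this
example's own assumptions.
"""
import re
from collections import Counter

# Cross-process IoCs in the report's run-on format:
# "PID <src> <action> <dst> <src> <src image> <dst image>", repeated once per event.
WRITE_PROCESS_MEMORY = " ".join(
    ["PID 4236 wrote to memory of 2364 4236 P66 2020 master sheet.xlsx.exe schtasks.exe"] * 3
    + ["PID 4236 wrote to memory of 3004 4236 P66 2020 master sheet.xlsx.exe RegSvcs.exe"] * 8
    + ["PID 3004 wrote to memory of 3852 3004 RegSvcs.exe REG.exe"] * 3
)
SET_THREAD_CONTEXT = "PID 4236 set thread context of 3004 4236 P66 2020 master sheet.xlsx.exe RegSvcs.exe"

# Process tree command lines as shown in the report, keyed by PID.
PROCESS_TREE = [
    (4236, r'"C:\Users\Admin\AppData\Local\Temp\P66 2020 master sheet.xlsx.exe"'),
    (2364, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IZfJGinQuOdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7186.tmp"'),
    (3004, '"{path}"'),
    (3852, r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]
# Run-key IoC written by PID 3004: (pid, key, value), with single backslashes.
RUN_KEY = (3004, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ",
           r"C:\Users\Admin\AppData\Local\Temp\CpSnJ\CpSnJ.exe")

# Assumption: image names end in ".exe" and the target image contains no spaces (true for this report).
IOC_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (.+?\.exe) (\S+\.exe)")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_cross_process(text):
    """Count cross-process events keyed by (action, src_pid, dst_pid, dst_image)."""
    counts = Counter()
    for src, action, dst, _src_image, dst_image in IOC_RE.findall(text):
        act = "write" if action.startswith("wrote") else "set_context"
        counts[(act, int(src), int(dst), dst_image)] += 1
    return counts


def hollowing_candidates(counts):
    """Heuristic: a source that both writes into a child and resets its thread context is hollowing it."""
    writes = {(s, d, img) for (a, s, d, img) in counts if a == "write"}
    contexts = {(s, d, img) for (a, s, d, img) in counts if a == "set_context"}
    return sorted(writes & contexts)


def classify_cmdline(cmd):
    """Tag command lines matching the persistence and tampering steps seen in the tree."""
    tags = []
    # schtasks importing a task definition from an XML file under %TEMP%
    if re.search(r"schtasks\.exe.*?/create\b.*?/xml\b", cmd, re.I) and TEMP_RE.search(cmd):
        tags.append("schtasks_xml_from_temp")
    # reg.exe setting HKCU\...\Policies\System\DisableTaskMgr = 1
    if (re.search(r"^reg(\.exe)?\s+add\b", cmd, re.I)
            and re.search(r"policies\\system\b", cmd, re.I)
            and re.search(r"/v\s+disabletaskmgr\b.*?/d\s+1\b", cmd, re.I)):
        tags.append("disable_taskmgr")
    # .NET host started with the literal, unexpanded "{path}" argument
    if cmd.strip() == '"{path}"':
        tags.append("literal_path_placeholder")
    return tags


def run_key_from_temp(key, value):
    """True when a Run value points into the user's AppData\\Local\\Temp."""
    return bool(re.search(r"\\CurrentVersion\\Run\\", key, re.I) and TEMP_RE.search(value))


def analyze():
    """Combine the parsed IoCs into one findings dictionary."""
    counts = parse_cross_process(WRITE_PROCESS_MEMORY + " " + SET_THREAD_CONTEXT)
    return {
        "write_counts": {(s, d): n for (a, s, d, _), n in counts.items() if a == "write"},
        "hollowing": hollowing_candidates(counts),
        "cmdline": {pid: classify_cmdline(c) for pid, c in PROCESS_TREE if classify_cmdline(c)},
        "run_key_from_temp": run_key_from_temp(RUN_KEY[1], RUN_KEY[2]),
    }


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

Running the script prints the per-edge write counts (3 into schtasks.exe, 8 into RegSvcs.exe, 3 into REG.exe), a single hollowing candidate (4236 into 3004 RegSvcs.exe), the tagged command lines and the Run-key verdict. The write counts show why the heuristic keys on the SetThreadContext event rather than on WriteProcessMemory alone: every child receives a few writes during ordinary process creation, but only the hollowed host also gets its thread context replaced. The IoC regex assumes the target image name has no spaces; for a report where it does, the source and target names would have to be split on a known image list instead.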
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7186.tmp (the task XML passed to schtasks /XML above)
  Filesize: 1KB
  MD5: 77931db14427334ad6610580c8c48ed1
  SHA1: 938513dc0c1b3d915c05647651ce0e74d965841b
  SHA256: 17f9be1a4fc0e6b042cca889c613006d6f0149fca9eaa268aa60f18e8e4ab26b
  SHA512: 42d8af25763c48dd8e4bd1158f4469bb30be6a47307b7174d817f5221761234065cbc18b8125300e5234d6718de0e7d9a1db4c5a6d434f181bb3883df666d442
- memory/2364-135-0x0000000000000000-mapping.dmp
- memory/3004-139-0x0000000006780000-0x00000000067E6000-memory.dmp (Filesize: 408KB)
- memory/3004-137-0x0000000000000000-mapping.dmp
- memory/3004-138-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB; family_agenttesla YARA hit)
- memory/3004-140-0x0000000006E90000-0x0000000006EE0000-memory.dmp (Filesize: 320KB)
- memory/3004-142-0x0000000006F80000-0x0000000006F8A000-memory.dmp (Filesize: 40KB)
- memory/3852-141-0x0000000000000000-mapping.dmp
- memory/4236-133-0x00000000060E0000-0x0000000006266000-memory.dmp (Filesize: 1.5MB)
- memory/4236-134-0x0000000005A20000-0x0000000005ABC000-memory.dmp (Filesize: 624KB)
- memory/4236-132-0x0000000005580000-0x0000000005612000-memory.dmp (Filesize: 584KB)
- memory/4236-131-0x0000000005B30000-0x00000000060D4000-memory.dmp (Filesize: 5.6MB)
- memory/4236-130-0x0000000000A80000-0x0000000000B34000-memory.dmp (Filesize: 720KB)