Overview

overview

10

Static

static

items 001.xlsm.exe

windows7_x64

10

items 001.xlsm.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    items 001.xlsm.exe

  • Size

    859KB

  • MD5

    fb7e94850448226bd2a498aa3b1563ea

  • SHA1

    d700879ce59f46b7a774db6e4cb106245971e235

  • SHA256

    2a4411192b4d6c488f67079fa17e4c245825df49a8858fadd887dd616ab1c0a3

  • SHA512

    d43314e5e70070127c60813c026a928f5ee76fd92c94dee516adf6104b59337585fcab030e9678eb2447e67f1e9f355b7c20dc669569f8b1f164feb5dca6c631

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.villanika.gr
  • Port:
    587
  • Username:
    info@villanika.gr
  • Password:
    n2^-9wE@Wl}t

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\items 001.xlsm.exe
    "C:\Users\Admin\AppData\Local\Temp\items 001.xlsm.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:4712
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
            PID:3732
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "{path}"
            3⤵
            • Drops file in Drivers directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\SysWOW64\REG.exe
              REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:4148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1480
              4⤵
              • Program crash
              PID:3708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
        1⤵
          PID:4980

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
          Filesize

          1KB

          MD5

          400f1cc1a0a0ce1cdabda365ab3368ce

          SHA1

          1ecf683f14271d84f3b6063493dce00ff5f42075

          SHA256

          c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

          SHA512

          14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

          Download Submit
        • memory/1200-130-0x00000000009A0000-0x0000000000A7E000-memory.dmp
          Filesize

          888KB

          Download
        • memory/1200-131-0x000000000AEF0000-0x000000000B494000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1200-132-0x000000000A940000-0x000000000A9D2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1200-133-0x00000000053E0000-0x00000000053EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1200-134-0x0000000005660000-0x00000000056FC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1648-146-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-155-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-139-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-140-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-141-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-142-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-143-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-144-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-136-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-147-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-149-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-151-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-152-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-138-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-157-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-158-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-160-0x0000000000400000-0x0000000000488000-memory.dmp
          Filesize

          544KB

          Download
        • memory/1648-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3732-162-0x0000000000000000-mapping.dmp
          Download
        • memory/4148-167-0x0000000000000000-mapping.dmp
          Download
        • memory/4540-163-0x0000000000000000-mapping.dmp
          Download
        • memory/4540-164-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/4540-166-0x0000000005DC0000-0x0000000005E26000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4540-168-0x0000000006210000-0x0000000006260000-memory.dmp
          Filesize

          320KB

          Download
        • memory/4712-161-0x0000000000000000-mapping.dmp
          Download