Analysis

  • max time kernel
    108s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2022 09:10

General

  • Target

    PI.xlsx

  • Size

    110KB

  • MD5

    f3fbcbf9a28dc9aa9c541e4d170ca71c

  • SHA1

    3da20744fb4ab31cbd6b5d8fedf1de8f9567b502

  • SHA256

    53c7bb8800c559d15b805410bf6f9d38b0a090f25e685c87c307c7509b8726e8

  • SHA512

    20b39da819591d0696c61cdb56da1653a3c5e8b612db47c757e483a720e08f0fc7a2b41441b3d87082edd0975052abf5630e1f1da20eb2410eb7f81c3cdb259f

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • AgentTesla payload 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PI.xlsx
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1436
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:672
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Drops file in Drivers directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1964

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    • Scripting (1) T1064
    • Exploitation for Client Execution (1) T1203
  • Defense Evasion
    • Scripting (1) T1064
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (1) T1012
    • System Information Discovery (1) T1082

Downloads

    • C:\Users\Public\vbc.exe
      Filesize

      867KB

      MD5

      79e7a3f1a29b974750e712bb9798b563

      SHA1

      214d44279e0d0aa8fb95c274b17acdababb3a4bc

      SHA256

      61cba6787b7b77223d400a3d8b348e0924b6d1f7ac1040a3ad52b80eee8f50f1

      SHA512

      5a450978184fccf702cfbae9f945e9a71e26eee178c47bacda96d10d4a21e5f9288023d5b757251dd8d74e7b98b27ae72cda184cacd0510952bb2d9368a57c6a

    • \Users\Public\vbc.exe
      Filesize

      867KB

      MD5

      79e7a3f1a29b974750e712bb9798b563

      SHA1

      214d44279e0d0aa8fb95c274b17acdababb3a4bc

      SHA256

      61cba6787b7b77223d400a3d8b348e0924b6d1f7ac1040a3ad52b80eee8f50f1

      SHA512

      5a450978184fccf702cfbae9f945e9a71e26eee178c47bacda96d10d4a21e5f9288023d5b757251dd8d74e7b98b27ae72cda184cacd0510952bb2d9368a57c6a

    • memory/1436-57-0x000000007266D000-0x0000000072678000-memory.dmp
      Filesize

      44KB

    • memory/1436-58-0x0000000075661000-0x0000000075663000-memory.dmp
      Filesize

      8KB

    • memory/1436-70-0x000000007266D000-0x0000000072678000-memory.dmp
      Filesize

      44KB

    • memory/1436-86-0x000000007266D000-0x0000000072678000-memory.dmp
      Filesize

      44KB

    • memory/1436-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1436-55-0x0000000071681000-0x0000000071683000-memory.dmp
      Filesize

      8KB

    • memory/1436-54-0x000000002F751000-0x000000002F754000-memory.dmp
      Filesize

      12KB

    • memory/1436-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1540-67-0x0000000001230000-0x0000000001310000-memory.dmp
      Filesize

      896KB

    • memory/1540-71-0x0000000005B80000-0x0000000005C02000-memory.dmp
      Filesize

      520KB

    • memory/1540-72-0x0000000000720000-0x000000000075C000-memory.dmp
      Filesize

      240KB

    • memory/1540-69-0x00000000004E0000-0x00000000004EA000-memory.dmp
      Filesize

      40KB

    • memory/1540-64-0x0000000000000000-mapping.dmp
    • memory/1964-73-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-74-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-76-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-77-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-78-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-79-0x000000000043779E-mapping.dmp
    • memory/1964-81-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/1964-83-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB