Overview

overview

10

Static

static

Proforma Invoice.xlsx

windows7-x64

10

Proforma Invoice.xlsx

windows10-2004-x64

1

Resubmissions

04-10-2022 04:22

221004-ezptgscag5 8

30-09-2022 10:32

220930-mkzddaebfk 10

Analysis

  • max time kernel
    100s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proforma Invoice.xlsx

  • Size

    172KB

  • MD5

    95e19466dba964821434b337d9c4623a

  • SHA1

    813808c45b1733728bd1f8a7547bf39bb7a3637b

  • SHA256

    37ce0c89e3dcc1f432d69facdcd0abfbacbba1e2810cefa37d7944e91a2d6954

  • SHA512

    101c7c00cc30cdee32db1bce721cef981a48c622601a01f09570e9dcf0777ff5cc08047e31281635adb045fd4366cbf7daf6fc5e919c6d02aaa8ac362d3d271a

  • SSDEEP

    3072:8dyqdgB44y6C/coHz39mV6DM7DKPbrgNx8vTORZHghmOMxzsK:pLBBy64fmVIuKjvkZHBtzj

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.eserkaynak.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    373706eser

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1764
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Public\regasm_svch.exe
      "C:\Users\Public\regasm_svch.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:1544
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Drops file in Drivers directory
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1832

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\regasm_svch.exe
      Filesize

      904KB

      MD5

      d3c0fb59c51740ef2e9a3622d0116ed5

      SHA1

      e74cf457079bf8d23be281478c15e48b0a87040e

      SHA256

      3636db617b2526ea23da01df092289b09738f54ac9c3fd681b16b4a3bcd15a15

      SHA512

      d983bdcb47851331f5fe52dcc06e213cfe5b63584d099e473a4f4a405cb47e0c56fb1d00a3ec80e38dac41e8567fea956ebd9a81ce0691ca7cb5835128d7bce4

      Download Submit

    • C:\Users\Public\regasm_svch.exe
      Filesize

      904KB

      MD5

      d3c0fb59c51740ef2e9a3622d0116ed5

      SHA1

      e74cf457079bf8d23be281478c15e48b0a87040e

      SHA256

      3636db617b2526ea23da01df092289b09738f54ac9c3fd681b16b4a3bcd15a15

      SHA512

      d983bdcb47851331f5fe52dcc06e213cfe5b63584d099e473a4f4a405cb47e0c56fb1d00a3ec80e38dac41e8567fea956ebd9a81ce0691ca7cb5835128d7bce4

      Download Submit

    • \Users\Public\regasm_svch.exe
      Filesize

      904KB

      MD5

      d3c0fb59c51740ef2e9a3622d0116ed5

      SHA1

      e74cf457079bf8d23be281478c15e48b0a87040e

      SHA256

      3636db617b2526ea23da01df092289b09738f54ac9c3fd681b16b4a3bcd15a15

      SHA512

      d983bdcb47851331f5fe52dcc06e213cfe5b63584d099e473a4f4a405cb47e0c56fb1d00a3ec80e38dac41e8567fea956ebd9a81ce0691ca7cb5835128d7bce4

      Download Submit

    • memory/520-68-0x0000000005710000-0x0000000005792000-memory.dmp

      Filesize

      520KB

      Download

    • memory/520-61-0x0000000000000000-mapping.dmp

      Download

    • memory/520-64-0x0000000000EB0000-0x0000000000F98000-memory.dmp

      Filesize

      928KB

      Download

    • memory/520-67-0x0000000000320000-0x0000000000340000-memory.dmp

      Filesize

      128KB

      Download

    • memory/520-69-0x0000000000850000-0x000000000088A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1764-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1764-57-0x00000000727AD000-0x00000000727B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1764-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1764-55-0x00000000717C1000-0x00000000717C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1764-66-0x00000000727AD000-0x00000000727B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1764-54-0x000000002FAB1000-0x000000002FAB4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1764-58-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1764-83-0x00000000727AD000-0x00000000727B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1832-70-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-74-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-75-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-76-0x0000000000435AEE-mapping.dmp

      Download

    • memory/1832-78-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-80-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-73-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1832-71-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download