Analysis

  • max time kernel
    102s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-03-2023 18:07

General

  • Target

    Order 2550619.xls

  • Size

    1.7MB

  • MD5

    ab0e612c9439b82195398504a698adee

  • SHA1

    70c4113ed426af85cc7c5e37b35f8f061c15c5f0

  • SHA256

    9134e36de0aacecf0cab994a307c42bd76a067d032545e74328d1c29c6389ebd

  • SHA512

    90741688665e6fa8c9a91b63ebaa956ad366cb268436034c19e7e133d8d564c1e95c6cacdc76ef5196adcb665ebe4a0bfa6383c3f996a9ec6b56c1472be02c3e

  • SSDEEP

    49152:hLKe3Z7sQmmQ30d727UQmmQ30R6Nn1h9DB6GOLD5:lhspmQkl6UpmQkR6rhPON

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order 2550619.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1348
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lSteHNIdlDCTPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1028
      • C:\Users\Public\vbc.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F7B7862.emf

    Filesize

    34KB

    MD5

    f53cee6b317076f44af7fbdc9f3c644d

    SHA1

    12209508543ffcf41e0ff2d3abc7a1fcf660cd7a

    SHA256

    af99c490e853fcb42826343dc5fcc33e9027e472c2f99f6f1834bf876d802ec6

    SHA512

    79bceaad14da4e777adbc38bb6b4c7023e17b2ec66ae01695af43fef0f944bce2eb28e97f6f7921efb930328e9e66eee078b0d75012a209c38de1a115d7862ce

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE44FAA5.emf

    Filesize

    577KB

    MD5

    76832c33f8bdf8376a336952cb27a79d

    SHA1

    9983aba5d494b02fafdb584e5f6b3a410aee4e55

    SHA256

    4d7e728bdf4f25dcdb803a888a678beef9c240a1d991e93129473624c57b0774

    SHA512

    c508c335514abf4fe51915e19978512848b076c1910ca496b55ae6f103f53aed65b87d685d0ca4d65f48a413f4332ae335b13edea4fb815e74a548c7a375d854

  • C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp

    Filesize

    1KB

    MD5

    ddc21f84752ca2c625d08e610dc98782

    SHA1

    02760ce53a975a71de3a73ba4540a297975123e5

    SHA256

    60e58fd3358abd3c9ee3e547c6b6edda3bfe8a831b0e3cf8ede581916ab4c247

    SHA512

    7a309aa0ef15aca91bc1f9760af3ad4c226d71b8ce27c91019fd83686244386baf4b6508d76e266886d9401db54a6b3339a83b4ff5fa471ecb21d24a9e6de073

  • C:\Users\Public\vbc.exe

    Filesize

    820KB

    MD5

    a1dd43a9d43a94f384c3cbbec7c36a1d

    SHA1

    3eaa76904b6a3793d66163bd58f02c72686e3f81

    SHA256

    b5e68dfde79862fb107a9372253b79ea46d5e615062ad22e4e10bf3b03d125ac

    SHA512

    7fc66b95d0f5586803bf1387b5ba2343aa1118f9f1769d5578711ca77d10a35391b112c1762832b418f1d39b02ed7a521fa860a73b63beb3558f11efa1f6d12d

  • \Users\Public\vbc.exe

    Filesize

    820KB

    MD5

    a1dd43a9d43a94f384c3cbbec7c36a1d

    SHA1

    3eaa76904b6a3793d66163bd58f02c72686e3f81

    SHA256

    b5e68dfde79862fb107a9372253b79ea46d5e615062ad22e4e10bf3b03d125ac

    SHA512

    7fc66b95d0f5586803bf1387b5ba2343aa1118f9f1769d5578711ca77d10a35391b112c1762832b418f1d39b02ed7a521fa860a73b63beb3558f11efa1f6d12d

  • memory/1060-79-0x0000000004FE0000-0x0000000005020000-memory.dmp

    Filesize

    256KB

  • memory/1060-80-0x0000000005140000-0x00000000051B6000-memory.dmp

    Filesize

    472KB

  • memory/1060-81-0x0000000002190000-0x00000000021C0000-memory.dmp

    Filesize

    192KB

  • memory/1060-78-0x0000000000560000-0x000000000056E000-memory.dmp

    Filesize

    56KB

  • memory/1060-76-0x0000000004FE0000-0x0000000005020000-memory.dmp

    Filesize

    256KB

  • memory/1060-75-0x0000000000C50000-0x0000000000D24000-memory.dmp

    Filesize

    848KB

  • memory/1348-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1348-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2008-85-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2008-90-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-93-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-95-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-96-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

  • memory/2008-98-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

  • memory/2008-88-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-87-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2008-86-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB