Overview

overview

10

Static

static

1

gunzipped.xls

windows7-x64

10

gunzipped.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2023, 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.xls

  • Size

    391KB

  • MD5

    2ac8a298c47d91f127ff8951e5e00fd4

  • SHA1

    bf41a1fb5658b33d886ddc20b7d424c6dbd91d15

  • SHA256

    49cbd743a040465d6757e0e5d408d674624053368967940cd8c51ac97925bfc8

  • SHA512

    856988af820bd0a102b4b917e2c66840d6c8f41f5adc45f21df11ccf95061ff8476fbc98a1a069a8d514f2ad903b1ace95d74e8781149c994df772b1b3a7494c

  • SSDEEP

    6144:Zn1m9kdbk71u+FZetJs0hdMJUXWDYWBXVH11IyqyLuJvsEKEY6Uvo:ZOee1CtqSdLWDYMZ1SFPsETYPvo

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.acc-engineering.xyz
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    chinonsonkechi22#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\gunzipped.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2244
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2760
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        "C:\Users\Admin\AppData\Roaming\wlanext.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PyBQOQK.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2092
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PyBQOQK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E52.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:2332
        • C:\Users\Admin\AppData\Roaming\wlanext.exe
          "C:\Users\Admin\AppData\Roaming\wlanext.exe"
          3⤵
          • Executes dropped EXE
          PID:1092
        • C:\Users\Admin\AppData\Roaming\wlanext.exe
          "C:\Users\Admin\AppData\Roaming\wlanext.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      6f0c59753f56d33e71660b2375811597

      SHA1

      ae53aaca267354867c447e6f9fa13427e6e3e2aa

      SHA256

      0e9d50aa1c6411e3c6b00b00450faf1bb006e9fdad010a942cad3d9163d2bcdb

      SHA512

      745a7daccce0db2e26cfa02085e133e53c0db64c94bba177c1a8c290e770fffa9829eabadd59f0c31e65385cd0e9b5d8f859e43982ff301316aca7ba3b68c5be

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A93C3B9-5F22-4A01-BC9D-F58AFD345342}.FSD
      Filesize

      128KB

      MD5

      233ef8dbb2d044d337c4b37bb4eeaf07

      SHA1

      3e2f47df8f7096a9ee24df6dba0beb40fa8c032e

      SHA256

      9fdae683801e9d87cf9c143f1f7febe9bd85349f5a463cb8268ffd1e4092d153

      SHA512

      7ceb52015442e9d039f806d18a1134a2ccbbc68f3855957a0f9002ec2abcd142333510c23419301d7d6a45882520c31b6bebee7a21d6656ae9ded9d8bdd43481

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      49fdff8510ae1f892a2f454e38bf3f2d

      SHA1

      5d75b116fdbf641d70a778564141c5694c43bf48

      SHA256

      e1efc1ac4b418cb71609f2bb8d1900916545730996d0d3b4a1001abad8e48a66

      SHA512

      773026deb536ba48c2bf42612d3b8a45328a9f3cc1f4cf1a32ad6046496d5c87157baf973607e4ba773e469261ad4817a333de283ac4b31f97afa0d3b51566fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{50E76406-5ADC-45DD-9264-C269BFB0444F}.FSD
      Filesize

      128KB

      MD5

      d03472fae64ad0e3dd51d2cb1b3d75d3

      SHA1

      673ef9dbf1c8f4ef1b2df0d7d1747c9e24b9f810

      SHA256

      a8e75b66f615b29996b2c0f13ff4400377212bfa9c04e350c510a0fc19170515

      SHA512

      c10323462bf9de366630345a762f7f1bc6370b245f0c01e91c329db33b688f0dfa8cdd7fc6ad04e0d0bac59bebfb0a828a3896ac431bc2441c93fd1ddb1091d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\microsoftEdgedeletedentirehistorycachefromthepctoclean[1].doc
      Filesize

      58KB

      MD5

      ad19c30e8fc0f89004a1f960b477707f

      SHA1

      0bb59500525d0b45c506c7b4fab6c1d905ee3280

      SHA256

      395694b99ce0310e2aa9e6b96f479c36956af254b047c959a022c2b1fef2d6c6

      SHA512

      2914142721a10abcd44ce05ba2c2e385555cd40e158e7a57315c3a2a0d61606f4ea1ace7c7b95cb7665fbfe1ff4ab399d68d431ae49271dff70889e8e7b30bd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\236ED8F9.doc
      Filesize

      58KB

      MD5

      ad19c30e8fc0f89004a1f960b477707f

      SHA1

      0bb59500525d0b45c506c7b4fab6c1d905ee3280

      SHA256

      395694b99ce0310e2aa9e6b96f479c36956af254b047c959a022c2b1fef2d6c6

      SHA512

      2914142721a10abcd44ce05ba2c2e385555cd40e158e7a57315c3a2a0d61606f4ea1ace7c7b95cb7665fbfe1ff4ab399d68d431ae49271dff70889e8e7b30bd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9E52.tmp
      Filesize

      1KB

      MD5

      d643c6bdccc23d6ded6c385c82fd2b91

      SHA1

      b3c006c4de5606ecd8a472c4fefb9b31c8387c6b

      SHA256

      81ae89d643dbfce1ce7a5cbb389b271c2f7be9055f2736f4ecd83cce6f69a266

      SHA512

      5233f9f3c12f98635c880b5b002e94c41039ae61816227c0bacd7b23bb4e8140723edc608bcddd9120635b8c0f0e85b3d614eba41a7ca876047c98f6570304ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{E649741E-6830-4915-9804-5AD18EB0330C}
      Filesize

      128KB

      MD5

      ea73cf75d637a294a2b95995942ca506

      SHA1

      2aacac865c8fe69b8c78dd42fba57c6a5abfa35f

      SHA256

      a9b4429f84fd77b9bfe0be290608fc93fac3e12ae6dbbf3438714d14737d46dc

      SHA512

      b40ab01083333b089d853ae10956f16fe258d1c8b6b1f2c18c29a757be065dc56f24d0922d421c21474095de2478f1a44739c4fa60139f0cf2ab5b393adb18c9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • \Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • \Users\Admin\AppData\Roaming\wlanext.exe
      Filesize

      641KB

      MD5

      9f78a2d7e3d3e313d6a08ae547af7a20

      SHA1

      71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1

      SHA256

      7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192

      SHA512

      3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4

      Download Submit

    • memory/1148-107-0x0000000000230000-0x000000000023A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1148-108-0x0000000004DA0000-0x0000000004E1A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/1148-129-0x0000000069DA0000-0x000000006A48E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1148-99-0x0000000001260000-0x0000000001306000-memory.dmp

      Filesize

      664KB

      Download

    • memory/1148-100-0x0000000069DA0000-0x000000006A48E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1148-102-0x0000000000AE0000-0x0000000000B20000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1148-103-0x0000000000780000-0x000000000079A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1148-104-0x0000000000210000-0x0000000000218000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1704-128-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-133-0x0000000069DA0000-0x000000006A48E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1704-139-0x0000000069DA0000-0x000000006A48E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1704-138-0x0000000001210000-0x0000000001250000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-132-0x0000000001210000-0x0000000001250000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-126-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-115-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-118-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-119-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-120-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1704-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1704-123-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2092-131-0x0000000064AC0000-0x000000006506B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2092-136-0x0000000064AC0000-0x000000006506B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2092-135-0x0000000001C70000-0x0000000001CB0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2092-134-0x0000000001C70000-0x0000000001CB0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2092-130-0x0000000064AC0000-0x000000006506B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2244-1-0x000000007208D000-0x0000000072098000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2244-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2244-8-0x0000000001F90000-0x0000000001F92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2244-105-0x000000007208D000-0x0000000072098000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2308-7-0x0000000002070000-0x0000000002072000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2308-106-0x000000007208D000-0x0000000072098000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2308-3-0x000000002F5D1000-0x000000002F5D2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-5-0x000000007208D000-0x0000000072098000-memory.dmp

      Filesize

      44KB

      Download