Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/05/2024, 10:30

General

  • Target

    26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam

  • Size

    718KB

  • MD5

    989feda4871b86bfbcec9debb0b2ec45

  • SHA1

    05ef3f9b7d77b9709423222a81d670cbcae013cd

  • SHA256

    26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937

  • SHA512

    ba62b7d1cc358aa8e3525bbb0988274823feef6f485cc9ec2d5d43734c35f0f1d9c978bed490ea6b4cfc25e86a4df5788be8b3bbb3677064be3895d3becd4c44

  • SSDEEP

    12288:r8nWilHGpyCdswU+rUUfvPn9mw1Z68YnQgtJPskWBMpINmNGWBn:Y/0RuFLUfvPn9tk8E7xWuWLWBn

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic .NET).

  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#. Both the AgentTesla and ZGRat family signatures match this run, so treat the attribution as provisional until the payload injected into RegSvcs.exe has been recovered and classified by hand.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables. The aut*.tmp files written to %TEMP% (listed under Downloads) are the AutoIt runtime's FileInstall extraction artifacts, a reliable marker that CKK.exe is a compiled AutoIt loader.

  • Suspicious use of SetThreadContext 1 IoCs

    Rewriting another thread's context is the hand-off step of process hollowing (RunPE). Here it fits the process tree, in which each CKK.exe instance starts RegSvcs.exe whose recorded command line still names CKK.exe, the image/command-line mismatch typical of a loader that creates the host suspended and replaces its image.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component, run as an out-of-process COM server (hence the -Embedding switch), that was widely targeted by exploits such as CVE-2017-11882 until Microsoft removed it from Office in January 2018. It only renders equations and has no legitimate reason to create processes; in this run it spawns CKK.exe from %APPDATA%, which is consistent with a weaponised embedded object rather than a benign equation.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2460
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Roaming\CKK.exe
      "C:\Users\Admin\AppData\Roaming\CKK.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Roaming\CKK.exe"
        3⤵
      PID:2580
        • C:\Users\Admin\AppData\Roaming\CKK.exe
          "C:\Users\Admin\AppData\Roaming\CKK.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\CKK.exe"
            4⤵
        PID:1960
            • C:\Users\Admin\AppData\Roaming\CKK.exe
              "C:\Users\Admin\AppData\Roaming\CKK.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                "C:\Users\Admin\AppData\Roaming\CKK.exe"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2852
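The process tree above shows two patterns a detection engineer would key on: EQNEDT32.EXE spawning a child executable from %APPDATA%, and RegSvcs.exe instances whose recorded command line names CKK.exe rather than their own image (the mismatch that accompanies SetThreadContext-based process hollowing). The Python below is an added example, not part of the sandbox report; it encodes those checks and runs them over process events constructed from this page's tree. PIDs, image paths and command lines are the report's; the event shape and the parent PIDs (which the report does not record for the top-level processes) are assumptions, so adapt the field names to your EDR's schema.

```python
"""Detection checks for the process tree on this page (added example, not part
of the sandbox report). Event shape and parent PIDs are assumptions."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # parent PID; 0 where the report shows no parent
    image: str      # image path of the executing process
    cmdline: str    # command line as recorded by the sandbox / EDR


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CKK = r"C:\Users\Admin\AppData\Roaming\CKK.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937.xlam")

# Constructed from this page's process tree; parent links follow the tree's nesting.
# EQNEDT32.EXE is started by DCOM, so its parent is not in the report (ppid 0 here).
EVENTS = [
    ProcEvent(2460, 0, EXCEL, f'"{EXCEL}" /dde {SAMPLE}'),
    ProcEvent(2596, 0, EQNEDT, f'"{EQNEDT}" -Embedding'),
    ProcEvent(2808, 2596, CKK, f'"{CKK}"'),
    ProcEvent(2580, 2808, REGSVCS, f'"{CKK}"'),   # image RegSvcs.exe, cmdline says CKK.exe
    ProcEvent(3000, 2808, CKK, f'"{CKK}"'),
    ProcEvent(1960, 3000, REGSVCS, f'"{CKK}"'),
    ProcEvent(2720, 3000, CKK, f'"{CKK}"'),
    ProcEvent(2852, 2720, REGSVCS, f'"{CKK}"'),
]


def argv0(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def detect(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = []
        parent = by_pid.get(e.ppid)
        # Equation Editor only renders equations; any child process it creates
        # is treated as post-exploitation activity.
        if parent is not None and ntpath.basename(parent.image).lower() == "eqnedt32.exe":
            hits.append("child_of_equation_editor")
        # Process hollowing / RunPE: the host was created with the loader's command
        # line, so argv[0] names a different executable than the running image.
        if ntpath.basename(argv0(e.cmdline)).lower() != ntpath.basename(e.image).lower():
            hits.append("cmdline_image_mismatch")
        # Executables running out of the user profile's AppData tree.
        if "\\appdata\\" in e.image.lower():
            hits.append("exec_from_appdata")
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(f"PID {pid}: {', '.join(rules)}")
```

EXCEL.EXE and EQNEDT32.EXE themselves trip nothing: the signal is in what Equation Editor spawns and in the three RegSvcs.exe hosts whose command line does not match their image. The AppData rule is noisy on its own (updaters and per-user installs live there too) and is best used to raise the score of the other two.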

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\Clinton

              Filesize

              261KB

              MD5

              5a70b0e741e9be8a93a6353e6cdb6bbd

              SHA1

              567c37816d5101104953f1cc5a9f0d74e78b9f5c

              SHA256

              aace6ca3b7215b5bf87c91167d4fb7c008ce0f4b9fa3b77877f3123018d066f5

              SHA512

              e1f21571d366462b73c1b7b1954e70a99e13a651f470bdfbc42f9f0f86034ce60761379bc0eff1ed78cf8c6fbf85c10ab38b3bb4819a34031ade083833955723

            • C:\Users\Admin\AppData\Local\Temp\aut2AD8.tmp

              Filesize

              259KB

              MD5

              f2a14bb5825833ac7a44fa6f80757411

              SHA1

              9d3aa84ba40b44968b3f69c38f950b55ff042053

              SHA256

              6854140a8f1472c3e84b6f1d6390920ae5737c67961e809de10c34fefd8663d4

              SHA512

              66c5273428e48f6c2e596e7300d169043567fbabfebcd037446b0ac433ef779ba3d5a40f1e237ab1b0d3a43154563cb31afa274a5a694e4cdc67c5dc993e7ffa

            • C:\Users\Admin\AppData\Local\Temp\aut2AE8.tmp

              Filesize

              9KB

              MD5

              52ea0d31e75e368b28ca2a58a9e653fc

              SHA1

              2ae4801acaa0fda9fc8975c9c29dce1c1c6204c0

              SHA256

              bdffc8ea3ebb6411b678ca19e5dd6d1199b8c44bd8ce53e42a8d99933074de2f

              SHA512

              8dd97ad2b44a01b3ea8e0221b82b97493cb832b22bc88802957dc90d9351466ef1fca3f1ce25ab25c890c32f5c0b9950d642621a8e8138d37e32f995f5ffc993

            • C:\Users\Admin\AppData\Local\Temp\nondefinition

              Filesize

              28KB

              MD5

              8285d336395c7b6e421735e4c8100590

              SHA1

              bfeacb0473beea2dc4c9c634064467e1d0d70750

              SHA256

              2324e3f83072804cb47bac17572dc6325b04ba13e6e4b0fd4aa40aaa45aa8d02

              SHA512

              fbae37b6fb95499389ed67f6a630f91ae053dc1ce5ec79eade84d10e79641c91074ca00be90ad0d34b7c35355b9cdc7c3ca33842e0990d9e176cac06dc311580

            • C:\Users\Admin\AppData\Roaming\CKK.exe

              Filesize

              1.2MB

              MD5

              6dbf70053a37b13c106c623e0934ddff

              SHA1

              1362f71bac0d64092f13f5f9b84e235d6a369055

              SHA256

              5d4011e1b0a3cdc0052863536e959285012767be9a39ffb95faf811836536922

              SHA512

              3a4ec594d47fcc5551010d5e20fc5b317cc98c9c0dbd46f94b6f96002445c4e63db649b4579e72c07a9dc24192fd07b7f84b0d1970c7729ceb7ffdb04d51f2cf

            • memory/2460-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/2460-1-0x000000007277D000-0x0000000072788000-memory.dmp

              Filesize

              44KB

            • memory/2460-1081-0x000000007277D000-0x0000000072788000-memory.dmp

              Filesize

              44KB

            • memory/2460-1078-0x000000007277D000-0x0000000072788000-memory.dmp

              Filesize

              44KB

            • memory/2852-89-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-79-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-69-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-83-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-97-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-107-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-105-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-103-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-101-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-99-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-95-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-93-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-91-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-46-0x0000000000280000-0x00000000002D4000-memory.dmp

              Filesize

              336KB

            • memory/2852-87-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-85-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-81-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-47-0x0000000000DA0000-0x0000000000DF2000-memory.dmp

              Filesize

              328KB

            • memory/2852-75-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-73-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-71-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-67-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-65-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-63-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-61-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-59-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-77-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-57-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-55-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-53-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-51-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-49-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-48-0x0000000000DA0000-0x0000000000DED000-memory.dmp

              Filesize

              308KB

            • memory/2852-44-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB

            • memory/2852-45-0x0000000000400000-0x0000000000446000-memory.dmp

              Filesize

              280KB
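Added example, not part of this report: an offline hash sweep that walks a directory tree, hashes each file once with MD5, SHA1 and SHA256, and reports any file whose digest appears in a table of the dropped-file hashes copied from the Downloads list above. Only the SHA256 values are tabulated; the matcher accepts any of the three digests, so the MD5 or SHA1 values from this page can be added if that is what your telemetry carries. The sweep root, the table layout and the `demo()` tree are assumptions; `demo()` plants a constructed stand-in file whose hash is added to the table at run time (it is not one of the report's IOCs) to show the matcher working end to end.

```python
"""Offline hash sweep for the files dropped in this analysis (added example,
not part of the sandbox report). Sweep root and table layout are assumptions."""
import hashlib
import os
import tempfile

# digest -> where the sandbox observed the file; SHA256 values copied from this page.
DROPPED = {
    "5d4011e1b0a3cdc0052863536e959285012767be9a39ffb95faf811836536922":
        r"C:\Users\Admin\AppData\Roaming\CKK.exe",
    "aace6ca3b7215b5bf87c91167d4fb7c008ce0f4b9fa3b77877f3123018d066f5":
        r"C:\Users\Admin\AppData\Local\Temp\Clinton",
    "6854140a8f1472c3e84b6f1d6390920ae5737c67961e809de10c34fefd8663d4":
        r"C:\Users\Admin\AppData\Local\Temp\aut2AD8.tmp",
    "bdffc8ea3ebb6411b678ca19e5dd6d1199b8c44bd8ce53e42a8d99933074de2f":
        r"C:\Users\Admin\AppData\Local\Temp\aut2AE8.tmp",
    "2324e3f83072804cb47bac17572dc6325b04ba13e6e4b0fd4aa40aaa45aa8d02":
        r"C:\Users\Admin\AppData\Local\Temp\nondefinition",
    "26fcc106f92623f06b5eb2e87b2e2e58a2ad9eea51de7d15a15b85dafe44b937":
        "submitted .xlam (Target)",
}


def hashes_of(path, chunk=1 << 20):
    """MD5, SHA1 and SHA256 of a file, computed in a single pass over the bytes."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def sweep(root, iocs=DROPPED, max_size=32 << 20):
    """Walk root; return [(path, algorithm, digest, label)] for every file whose
    digest under any algorithm is in iocs. Files above max_size are skipped
    (the largest dropped file on this page is 1.2MB)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue
                digests = hashes_of(p)
            except OSError:      # unreadable or vanished file: skip it, keep sweeping
                continue
            for alg, d in digests.items():
                if d in iocs:
                    hits.append((p, alg, d, iocs[d]))
                    break        # one hit per file is enough
    return hits


def demo():
    """Constructed end-to-end run: a planted stand-in file (its MD5 is added to
    the table here; NOT a report IOC) beside an unrelated file. Returns the hits."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "Roaming", "CKK.exe")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"MZ constructed stand-in for the dropped loader\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"unrelated file\n")
        iocs = dict(DROPPED)
        iocs[hashes_of(planted)["md5"]] = "constructed stand-in"
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, alg, digest, label in demo():
        print(f"{path}: {alg}={digest} -> {label}")
```

Exact-hash matching only catches this build of the loader; a recompiled CKK.exe will miss, while the path and process patterns in the tree above survive repacking. Use the sweep to confirm the specific files from this run and the behavioural checks to find its siblings.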