Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-06-2024 05:33
Static task
static1
Behavioral task
behavioral1
Sample
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
Resource
win10v2004-20240426-en
General
-
Target
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
-
Size
390KB
-
MD5
9ad1097ef6d23a86d4b9327e54fdc9bc
-
SHA1
517d09c1d755f08f3c5bf073d87185a801b68907
-
SHA256
df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
-
SHA512
1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955
-
SSDEEP
6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T
Malware Config
Extracted
Protocol: ftp- Host:
s4.serv00.com - Port:
21 - Username:
f2241_dol - Password:
Doll900#@
Extracted
agenttesla
Protocol: ftp- Host:
ftp://s4.serv00.com - Port:
21 - Username:
f2241_dol - Password:
Doll900#@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "C:\\Users\\Admin\\AppData\\Roaming\\adobe\\adobe.exe" Pre Alert & Debit Note PO20766.xlsx.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 api.ipify.org 16 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process procid_target PID 3988 set thread context of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exepid Process 2600 Pre Alert & Debit Note PO20766.xlsx.exe 2600 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process Token: SeDebugPrivilege 2600 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exepid Process 2600 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process procid_target PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80 PID 3988 wrote to memory of 2600 3988 Pre Alert & Debit Note PO20766.xlsx.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pre Alert & Debit Note PO20766.xlsx.exe.log
Filesize42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce