Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-09-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973.xlam
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973.xlam
Resource
win10v2004-20240802-en
General
-
Target
3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973.xlam
-
Size
805KB
-
MD5
b0519ab985bf00c58bf72c8c0b57cac4
-
SHA1
bc46f1a57dcf145f0e3e45e360adb77be8bbc6d5
-
SHA256
3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973
-
SHA512
8fb177421623afd6e75b3cb14984c69799a8965b22c8476149cd8e6680102cdb9ed7f4a25f2a285a175f2c06f627a14e0c8fb548f90a74ddd1f3f376ee5aa531
-
SSDEEP
24576:afjrvHEvTJkWxJ+DG3DwSq1O/TpsUJIXTdbK:ej7HEvTB/+i3MSqs/+XTpK
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
cy+G_(979n9N - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 2816 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2588 resaonjiEUFX.exe -
Loads dropped DLL 1 IoCs
pid Process 2816 EQNEDT32.EXE -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0016000000018676-7.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2588 set thread context of 1948 2588 resaonjiEUFX.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language resaonjiEUFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2816 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1564 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1948 RegSvcs.exe 1948 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2588 resaonjiEUFX.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1948 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1564 EXCEL.EXE 1564 EXCEL.EXE 1564 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2816 wrote to memory of 2588 2816 EQNEDT32.EXE 31 PID 2816 wrote to memory of 2588 2816 EQNEDT32.EXE 31 PID 2816 wrote to memory of 2588 2816 EQNEDT32.EXE 31 PID 2816 wrote to memory of 2588 2816 EQNEDT32.EXE 31 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33 PID 2588 wrote to memory of 1948 2588 resaonjiEUFX.exe 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1564
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\resaonjiEUFX.exeC:\Users\Admin\AppData\Local\Temp\resaonjiEUFX.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Users\Admin\AppData\Local\Temp\resaonjiEUFX.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d822f5b3ac838341b2643c8908f0bc4f
SHA15c2b7db07f3d4356d8b829e764f9ab744d6bca4a
SHA2569dde591540775e53b8022335ce85851955555fcb54d35511b2b195323c981c11
SHA5125ce29230039d2ce89430f3c483fb2602a59db93e92f56eb0fa2d5cf2a5f5198c900627f8edd72ed1b8be31dfcac5465b9b00f035ecb50c60207eb41b99916df6