Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-09-2024 01:12
Static task
static1
Behavioral task
behavioral1
Sample
4a662afebf865f33884fee10b2068e5c287aeca6e100afaf06c154ca7f16fa1e.xlam
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4a662afebf865f33884fee10b2068e5c287aeca6e100afaf06c154ca7f16fa1e.xlam
Resource
win10v2004-20240802-en
General
-
Target
4a662afebf865f33884fee10b2068e5c287aeca6e100afaf06c154ca7f16fa1e.xlam
-
Size
763KB
-
MD5
50b7771a6627a73b27c46273c0cbe425
-
SHA1
0f82ffb9a5224bb49714d6b16fc0674cc6a78926
-
SHA256
4a662afebf865f33884fee10b2068e5c287aeca6e100afaf06c154ca7f16fa1e
-
SHA512
0107355b69e0b58cca68d5ba6f728fdf0e701507ef3048d924cb457cddde8890ab7162517c694bb1c24eaa0945ed53dedc46ec8608bb6608f824ce7846c432b1
-
SSDEEP
12288:HfLq60yYoGS32iZ02d/1Cj5vADJqYctAXMwg0EWyMETOO9dE9ibL9BOrn9tMxfiU:Hfj0yYoGS333mjOtGAXM2tyNKO9dE9ir
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
3^?r?mtxk(kt - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 264 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2752 wshusiu.exe -
Loads dropped DLL 1 IoCs
pid Process 264 EQNEDT32.EXE -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000016dd0-9.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2752 set thread context of 2892 2752 wshusiu.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wshusiu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 264 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1652 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2892 RegSvcs.exe 2892 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2752 wshusiu.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2892 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1652 EXCEL.EXE 1652 EXCEL.EXE 1652 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 264 wrote to memory of 2752 264 EQNEDT32.EXE 32 PID 264 wrote to memory of 2752 264 EQNEDT32.EXE 32 PID 264 wrote to memory of 2752 264 EQNEDT32.EXE 32 PID 264 wrote to memory of 2752 264 EQNEDT32.EXE 32 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33 PID 2752 wrote to memory of 2892 2752 wshusiu.exe 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4a662afebf865f33884fee10b2068e5c287aeca6e100afaf06c154ca7f16fa1e.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1652
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Users\Admin\AppData\Local\Temp\wshusiu.exeC:\Users\Admin\AppData\Local\Temp\wshusiu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Users\Admin\AppData\Local\Temp\wshusiu.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5e4df42ee6fd39d7ef3cb767571a3d9cf
SHA1bc9db1db251e96c25d495ecf7eaeccc0b682a2aa
SHA2566460c253f6d9b12b4598caca091e84040c80a929cae2997f0c9eb11c2897a1f0
SHA51265da7053e550a573f0a5447efb20d478aa51ed0e509e6af3dbc1ad6cfa255a0e41817fd9c80ec2b2e08ecd6765448b4a0ab833f97fb141c01965b46fbf618075