Analysis
- max time kernel: 136s
- max time network: 28s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Purchase Order.exe
- Resource: win10
General
- Target: Purchase Order.exe
- Size: 465KB
- MD5: e14568186cb5edbf11dd742183a19697
- SHA1: 3fbf1a5e6730568ea4e9935365197f53c43e7198
- SHA256: b170ea47e3b110dcab42ec05301c798e3497903c74a7a0e4234190b2f3aa3b0d
- SHA512: cfc145b6e7d252789a3cc2a91e4191233e56bee921b222e34cd0635e535c0de123a4a181320b469eca27cd745261a014d0a0d556465661701fc7cae0f17b553a
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: eman.refat@yandex.com
- Password: year2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1804-4-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/1804-5-0x000000000044AA4E-mapping.dmp                    family_agenttesla
  behavioral1/memory/1804-6-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/1804-7-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Purchase Order.exe
  description                           pid   process             target process
  PID 1056 set thread context of 1804   1056  Purchase Order.exe  Purchase Order.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Purchase Order.exe
  pid   process
  1804  Purchase Order.exe
  1804  Purchase Order.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Purchase Order.exe
  description              pid   process
  Token: SeDebugPrivilege  1804  Purchase Order.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: Purchase Order.exe, Purchase Order.exe
  description                        pid   process             target process
  PID 1056 wrote to memory of 1212   1056  Purchase Order.exe  schtasks.exe
  PID 1056 wrote to memory of 1212   1056  Purchase Order.exe  schtasks.exe
  PID 1056 wrote to memory of 1212   1056  Purchase Order.exe  schtasks.exe
  PID 1056 wrote to memory of 1212   1056  Purchase Order.exe  schtasks.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1056 wrote to memory of 1804   1056  Purchase Order.exe  Purchase Order.exe
  PID 1804 wrote to memory of 1556   1804  Purchase Order.exe  netsh.exe
  PID 1804 wrote to memory of 1556   1804  Purchase Order.exe  netsh.exe
  PID 1804 wrote to memory of 1556   1804  Purchase Order.exe  netsh.exe
  PID 1804 wrote to memory of 1556   1804  Purchase Order.exe  netsh.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZzsUYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1F9.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA1F9.tmp
  MD5: 3a58ae8fff770d6735b4e6fcf3e99c4c
  SHA1: 70bd0504a91452a62ce73cd8cd8b1c7f52e9d3bd
  SHA256: 66066c2b9eab6203d7d1e1113ad8dc0e5bce927b325b57253b2a2a4ab9c42a19
  SHA512: 2ce3b50e9cba31537081acbba3d07b4450ed2edffabc45072ffb54bbf2e8ac5c6bc93c54dd16b2803c3dc300486165c55d1377cb561cf1819a2f332031f83119
- memory/1056-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1212-2-0x0000000000000000-mapping.dmp
- memory/1556-8-0x0000000000000000-mapping.dmp
- memory/1804-4-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/1804-5-0x000000000044AA4E-mapping.dmp
- memory/1804-6-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/1804-7-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB