Analysis
-
max time kernel
91s -
max time network
110s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 14:00
Static task
static1
Behavioral task
behavioral1
Sample
Payment Copy.exe
Resource
win7
Behavioral task
behavioral2
Sample
Payment Copy.exe
Resource
win10
General
-
Target
Payment Copy.exe
-
Size
469KB
-
MD5
c8b2f3ed20b96d896efed10bc72f4bc7
-
SHA1
0ffb6dbd026bc5287c25f916de027409732d774f
-
SHA256
576c49c08e0fdf319e6bd95e0f2f6aa92e2460e8b9032cfd732b51261f48b757
-
SHA512
4bd875483128845c4fca5bef793220cb7680065cafdf95222353150f2642d9215bdcff1d8d3d835a920d880b8ad36c1f24ef1cd4f778d77dce8dc411c1cffafe
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
payment1759
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3496-2-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral2/memory/3496-3-0x0000000000446E3E-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Payment Copy.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\newApp = "C:\\Users\\Admin\\AppData\\Roaming\\newApp\\newApp.exe" Payment Copy.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment Copy.exedescription pid process target process PID 3892 set thread context of 3496 3892 Payment Copy.exe Payment Copy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
Payment Copy.exePayment Copy.exepid process 3892 Payment Copy.exe 3892 Payment Copy.exe 3892 Payment Copy.exe 3892 Payment Copy.exe 3892 Payment Copy.exe 3496 Payment Copy.exe 3496 Payment Copy.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Payment Copy.exePayment Copy.exedescription pid process Token: SeDebugPrivilege 3892 Payment Copy.exe Token: SeDebugPrivilege 3496 Payment Copy.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Payment Copy.exedescription pid process target process PID 3892 wrote to memory of 3612 3892 Payment Copy.exe schtasks.exe PID 3892 wrote to memory of 3612 3892 Payment Copy.exe schtasks.exe PID 3892 wrote to memory of 3612 3892 Payment Copy.exe schtasks.exe PID 3892 wrote to memory of 608 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 608 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 608 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 492 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 492 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 492 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe PID 3892 wrote to memory of 3496 3892 Payment Copy.exe Payment Copy.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jzmHEyUpLAePqd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F2B.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Copy.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
C:\Users\Admin\AppData\Local\Temp\tmp8F2B.tmpMD5
ea5e4b6c5ae36b6899cd35d506839bc3
SHA1ebb4f102f1c8dacd0525adc2694c3fca115d8ca2
SHA256b4196e531c33485e913e1c4e4f000be17348e0838bf24d2d1a72cd944e17a9e8
SHA5124b5526a7fa889a83d83e95bd7465388c95ee7bdee3ec6d5aa292462fccdc22308d4bddd678f706e9702109076c06fff0c12e44bd9e1b58293c7e1d62ae4cf3f3
-
memory/3496-2-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/3496-3-0x0000000000446E3E-mapping.dmp
-
memory/3612-0-0x0000000000000000-mapping.dmp