Analysis
- Max time kernel: 149s
- Max time network: 52s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 12-07-2020 16:29
- Static task: static1
- Behavioral task: behavioral1 (Sample: Payment Slip.exe; Resource: win7)
- Behavioral task: behavioral2 (Sample: Payment Slip.exe; Resource: win10v200430)
General
- Target: Payment Slip.exe
- Size: 1.2MB
- MD5: 02bd06cc6b96833379e8cf6cccb32059
- SHA1: 3d9ad38d59e364d787db741a58bf2d0527f0bf25
- SHA256: 8d5d64d7fe461ea3d2c4ef989b5919dd74f0d7a5803fcaeb23bda4d815f22d83
- SHA512: 5482f466023f832e60dc29a8f283c59ca5f956a7b6012cef3045eb493490a4b99400349ef1da960006c80967fe75a91ddf2ab425247e2ed2cf757804ddd16fd5
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: onuengr@yandex.com
- Password: esut96092
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Matches (resource / yara_rule):
  behavioral2/memory/2184-7-0x0000000000770000-0x0000000000C17000-memory.dmp / family_agenttesla
  behavioral2/memory/2184-8-0x00000000007B750E-mapping.dmp / family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  1100 / ofheskgpp.pif
  2184 / RegSvcs.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run / ofheskgpp.pif
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\52895146\\OFHESK~1.PIF c:\\52895146\\WPDUWH~1.MHF" / ofheskgpp.pif
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1100 set thread context of 2184 / 1100 / ofheskgpp.pif / RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), 64 hits, all from the same two processes:
  1100 / ofheskgpp.pif
  2184 / RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 2184 / RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  2184 / RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 3656 wrote to memory of 1100 / 3656 / Payment Slip.exe / ofheskgpp.pif (3 times)
  PID 1100 wrote to memory of 2184 / 1100 / ofheskgpp.pif / RegSvcs.exe (5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 3656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
  - Suspicious use of WriteProcessMemory
  - C:\52895146\ofheskgpp.pif (PID 1100), child of Payment Slip.exe
    Command line: "C:\52895146\ofheskgpp.pif" wpduwhusm.mhf
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 2184), child of ofheskgpp.pif
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads