Analysis
- max time kernel: 120s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-11-2020 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: SOA_payment_balance.doc.gz.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SOA_payment_balance.doc.gz.exe
- Resource: win10v20201028
General
- Target: SOA_payment_balance.doc.gz.exe
- Size: 586KB
- MD5: 229140fb35f06ec6ba52883474691866
- SHA1: 6bb4124f781efdbd906b88a87cef5d999dfd46ba
- SHA256: 4415d19e0b69bdccf79c937db6fe491c4875367cc3ad808b233fa606c708c18b
- SHA512: 3095dbfed4d4eccbc4871ce356c5c058e71ebd8978a16f4b5de573d8caa1efc2cc733ddc4da7e93c62efd9c61727e0ef9bf7a0e6a02316a9caaa86210fd3f0af
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: kthen@inprocorps.com
- Password: riches22@123456
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/728-7-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/728-8-0x0000000000447D1E-mapping.dmp | family_agenttesla
behavioral1/memory/728-9-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/728-10-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 740 set thread context of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
728 | SOA_payment_balance.doc.gz.exe
728 | SOA_payment_balance.doc.gz.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 728 | SOA_payment_balance.doc.gz.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
728 | SOA_payment_balance.doc.gz.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 740 wrote to memory of 1676 | 740 | SOA_payment_balance.doc.gz.exe | schtasks.exe
PID 740 wrote to memory of 1676 | 740 | SOA_payment_balance.doc.gz.exe | schtasks.exe
PID 740 wrote to memory of 1676 | 740 | SOA_payment_balance.doc.gz.exe | schtasks.exe
PID 740 wrote to memory of 1676 | 740 | SOA_payment_balance.doc.gz.exe | schtasks.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
PID 740 wrote to memory of 728 | 740 | SOA_payment_balance.doc.gz.exe | SOA_payment_balance.doc.gz.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA_payment_balance.doc.gz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA_payment_balance.doc.gz.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlSeAhW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SOA_payment_balance.doc.gz.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp
  MD5: c3170742eeefe70d7cdec130ccead1c4
  SHA1: ca32196563c0570280fa03e40b14c04ed45c4258
  SHA256: e83173332bb56b0c1c8aa6a5dd4e303cb8c9e99ea8919344eb63a0157a88bde3
  SHA512: 8b479d424507eccc46a95427c8e39532e247715bef48940ebea3bb97060b159f2f98297453bbc78df40379e2363b058573f13e99198fcc9755a76321d9c05118
- memory/728-7-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/728-8-0x0000000000447D1E-mapping.dmp
- memory/728-9-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/728-10-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/728-11-0x0000000074390000-0x0000000074A7E000-memory.dmp
  Filesize: 6.9MB
- memory/740-0-0x0000000074390000-0x0000000074A7E000-memory.dmp
  Filesize: 6.9MB
- memory/740-1-0x00000000013A0000-0x00000000013A1000-memory.dmp
  Filesize: 4KB
- memory/740-3-0x00000000004D0000-0x00000000004E4000-memory.dmp
  Filesize: 80KB
- memory/740-4-0x0000000007F40000-0x0000000007FB1000-memory.dmp
  Filesize: 452KB
- memory/1676-5-0x0000000000000000-mapping.dmp