Analysis
- max time kernel: 105s
- max time network: 56s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 20:12
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order_Pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Purchase Order_Pdf.exe
  Resource: win10v20201028
General
- Target: Purchase Order_Pdf.exe
- Size: 1.1MB
- MD5: 24ab440ba14af239092dc2f4c04a4aed
- SHA1: 4f060fb538c3f5fba0b7e8e95bfc5c3f620ea190
- SHA256: c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043
- SHA512: 2d3ba4ced486d9de70598f9934e20951fe7e4e056d8f50a9ed4c6f947e169885efe9f7c9b24d2dcff345ba0b7b33ca47ee11defdade776dd22514aba22d8a10b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.impressindia.net
- Port: 587
- Username: office-z9@impressindia.net
- Password: +EmoBNGlt2M,
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral1/memory/1676-9-0x0000000004960000-0x0000000004996000-memory.dmp
    yara_rule: family_agenttesla
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1676  Purchase Order_Pdf.exe
    1676  Purchase Order_Pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1676  Purchase Order_Pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                 target process
    PID 1676 wrote to memory of 1704   1676  Purchase Order_Pdf.exe  schtasks.exe
    PID 1676 wrote to memory of 1704   1676  Purchase Order_Pdf.exe  schtasks.exe
    PID 1676 wrote to memory of 1704   1676  Purchase Order_Pdf.exe  schtasks.exe
    PID 1676 wrote to memory of 1704   1676  Purchase Order_Pdf.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order_Pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order_Pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gspeFYive" /XML "C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp
  MD5: 7f89d092522243a4369d45f067ca630f
  SHA1: 218e0a8790837fbb0f142317589594be2fdef484
  SHA256: ad3c805e283873a23dc988a8551fe74353545e8add2a3e819abaf7a8c1fb31fe
  SHA512: 289d4baa80b80eb7839839a3e3d7225df092f80aeab01281e9ffbd98d01bb67bca28ac0c98cb31628e78f77ad4538fa9b56f9e12f5ee97f37c47207ba209f957
- memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmp
  Filesize: 6.9MB
- memory/1676-3-0x00000000009E0000-0x00000000009E1000-memory.dmp
  Filesize: 4KB
- memory/1676-5-0x00000000006C0000-0x00000000006CE000-memory.dmp
  Filesize: 56KB
- memory/1676-6-0x00000000003A0000-0x000000000042F000-memory.dmp
  Filesize: 572KB
- memory/1676-9-0x0000000004960000-0x0000000004996000-memory.dmp
  Filesize: 216KB
- memory/1704-7-0x0000000000000000-mapping.dmp