Analysis
max time kernel: 270s
max time network: 270s
platform: windows10_x64
resource: win10v20201028
submitted: 28-01-2021 04:23

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.exe
Resource: win10v20201028
General
Target: Purchase Order.exe
Size: 923KB
MD5: 18a17c811ca2021387183cb84d82782a
SHA1: c0519c3bdc8b8bebe4adf2a24cfe9a1ff350793e
SHA256: 99b71f4896b633a9d4b040d94b4d001a6917d92ad4d33d71b3da1b04d688f5f2
SHA512: 02b03d76380d6554fc83f854d74423548e53d8c92fff77e25a1d7fcc287b04d59f36b8819ad6c3c196d0cbe1ad9fac38194de22f5d6029e4c1db4d3280e16bd4
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.cavannaqroup.com
Port: 587
Username: [email protected]
Password: ~Jt2S@+nj1jk
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload 2 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/3948-16-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral1/memory/3948-17-0x00000000004371AE-mapping.dmp                    family_agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mymp4 = "C:\\Users\\Admin\\AppData\\Roaming\\Mymp4\\Mymp4.exe"
  process: Purchase Order.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  14    api.ipify.org
  15    api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 3920 set thread context of 3948
  pid: 3920
  process: Purchase Order.exe
  target process: Purchase Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  3948  Purchase Order.exe
  3948  Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3920  Purchase Order.exe
  Token: SeDebugPrivilege  3948  Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  3948  Purchase Order.exe

Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                       pid   process             target process
  PID 3920 wrote to memory of 3916  3920  Purchase Order.exe  schtasks.exe
  PID 3920 wrote to memory of 3916  3920  Purchase Order.exe  schtasks.exe
  PID 3920 wrote to memory of 3916  3920  Purchase Order.exe  schtasks.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
  PID 3920 wrote to memory of 3948  3920  Purchase Order.exe  Purchase Order.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XqLYmqlIWIlVip" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1965.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
  MD5: 65f1f0c7993639f9f9e1d524224a2c93
  SHA1: 5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c
  SHA256: e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93
  SHA512: 3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

C:\Users\Admin\AppData\Local\Temp\tmp1965.tmp
  MD5: 7482b6cc66b15cc057f3e2b1cdeff18b
  SHA1: f24e162ae8dceea39c8493a8244fb544d900d415
  SHA256: 6b2969c477518ca15b1202312d8ffe762f3793a6a1ef89be56792b1e27818acf
  SHA512: 3782974fa529dad5d70f4504cd62eacf6ff2432636581b178a7a8c6a6e43e4099b0a3f131dd766d2ff3a72725e460138b2152d9d248182f779bce9ba21cb4e9d

Memory dumps:
  memory/3916-14-0x0000000000000000-mapping.dmp
  memory/3920-8-0x0000000005640000-0x0000000005641000-memory.dmp   Filesize: 4KB
  memory/3920-5-0x00000000056B0000-0x00000000056B1000-memory.dmp   Filesize: 4KB
  memory/3920-2-0x0000000073300000-0x00000000739EE000-memory.dmp   Filesize: 6.9MB
  memory/3920-9-0x0000000005970000-0x0000000005971000-memory.dmp   Filesize: 4KB
  memory/3920-10-0x0000000006150000-0x0000000006151000-memory.dmp  Filesize: 4KB
  memory/3920-11-0x0000000005950000-0x0000000005953000-memory.dmp  Filesize: 12KB
  memory/3920-12-0x0000000005900000-0x0000000005901000-memory.dmp  Filesize: 4KB
  memory/3920-13-0x0000000006850000-0x00000000068FC000-memory.dmp  Filesize: 688KB
  memory/3920-6-0x0000000005C50000-0x0000000005C51000-memory.dmp   Filesize: 4KB
  memory/3920-7-0x0000000005750000-0x0000000005751000-memory.dmp   Filesize: 4KB
  memory/3920-3-0x0000000000C00000-0x0000000000C01000-memory.dmp   Filesize: 4KB
  memory/3948-17-0x00000000004371AE-mapping.dmp
  memory/3948-16-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
  memory/3948-19-0x0000000073300000-0x00000000739EE000-memory.dmp  Filesize: 6.9MB
  memory/3948-24-0x0000000005640000-0x0000000005641000-memory.dmp  Filesize: 4KB
  memory/3948-25-0x0000000005760000-0x0000000005761000-memory.dmp  Filesize: 4KB
  memory/3948-26-0x0000000006380000-0x0000000006381000-memory.dmp  Filesize: 4KB
  memory/3948-29-0x0000000005641000-0x0000000005642000-memory.dmp  Filesize: 4KB