Analysis
- max time kernel: 97s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: Payment slip.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Payment slip.exe
  Resource: win10v20210408
General
- Target: Payment slip.exe
- Size: 711KB
- MD5: 974a56eac20cc277e84a6ccbfb71ee6d
- SHA1: 6029d991f11141d1ffc2353cfe7eff6c77fdb4db
- SHA256: 0f2f011ab5408672f97b1fca323554daf40b35bbfed4e587bcffea8a08ccf979
- SHA512: ebe0b1f580e636ce21cc1677eb122a12c9afda17000b3120b49de077c27df53fd213c877c038b55ab3cc6a9b8d90457f3db3812daa8eabc98e4dedfc2e1550f3
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.scottbyscott.com
- Port: 587
- Username: [email protected]
- Password: ngozi8989
Note: port 587 is the SMTP submission port. For AgentTesla the SMTP block is the exfiltration channel: the stealer logs in to this attacker-controlled mailbox to mail out harvested credentials and keystrokes. Treat the host and account as block/hunt indicators, not as a victim credential.
Signatures
- AgentTesla
  Agent Tesla is a .NET (VB.NET/C#) information stealer and remote access tool (RAT); the sandbox's description of it as "written in visual basic" refers to its .NET origins.
- AgentTesla Payload (3 IoCs)
  YARA rule family_agenttesla matched in these memory regions:
  - behavioral1/memory/1696-68-0x000000000043763E-mapping.dmp
  - behavioral1/memory/1696-67-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral1/memory/1696-69-0x0000000000400000-0x000000000043C000-memory.dmp
  All three hits are in PID 1696 at the image base 0x400000; none of the parent's (PID 1080) dumps match, which is consistent with the unpacked payload existing only inside the injected child.
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1080 (Payment slip.exe) set the thread context of PID 1696 (Payment slip.exe).
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note) points that way; for an AgentTesla sample it is better read as host profiling by the stealer.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML file dropped in the user's Temp directory (see the process tree below).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1080 (Payment slip.exe), two events; PID 1696 (Payment slip.exe), two events.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege enabled by PID 1080 (Payment slip.exe) and by PID 1696 (Payment slip.exe). SeDebugPrivilege is what lets the injector open another process with full access for the memory writes below.
- Suspicious use of WriteProcessMemory (17 IoCs)
  All writes originate from PID 1080 (Payment slip.exe):
  - 4 writes to PID 268 (schtasks.exe)
  - 4 writes to PID 844 (Payment slip.exe)
  - 9 writes to PID 1696 (Payment slip.exe)
  The writes to PID 1696 combined with the SetThreadContext call on the same PID are the classic process-hollowing (RunPE) sequence: spawn a suspended copy of yourself, overwrite its image, redirect a thread into the new entry point. PID 844 also receives writes but no thread-context change and has no further signatures in this report.
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment slip.exe (PID 1080, per the signature tables above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 268, child of 1080)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgcdgnFRYrN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp692E.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image that actually ran is SysWOW64\schtasks.exe: the sample is a 32-bit process on windows7_x64, so WoW64 file-system redirection substituted the 32-bit binary. The task definition is read from tmp692E.tmp in the user's Temp directory (hashed under Downloads below); the report does not reproduce its contents.
  - C:\Users\Admin\AppData\Local\Temp\Payment slip.exe (PID 844, child of 1080; no signatures recorded)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
  - C:\Users\Admin\AppData\Local\Temp\Payment slip.exe (PID 1696, child of 1080; the hollowed copy from which the AgentTesla YARA hits were taken)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
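The `schtasks /Create /TN "Updates\OgcdgnFRYrN" /XML <tempfile>` pattern above is the persistence step, and the same checks a responder would apply to it apply to every task on a compromised host. The following is an added example, not code from the sandbox or from the malware: because the report only hashes tmp692E.tmp and does not show it, the task XML below is a constructed stand-in (only the task name comes from the report; the logon trigger, Hidden flag and the AppData command path are assumptions about what such a task typically contains). The benign comparison task is also constructed, and the "4+ consonants in a row" heuristic for random-looking names is the example's own choice.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# CONSTRUCTED stand-in for the task XML (the report hashes tmp692E.tmp but
# does not show it). Task name from the report; command path, logon trigger
# and Hidden flag are assumptions about what such a task typically contains.
SUSPECT_TASK_NAME = r"Updates\OgcdgnFRYrN"
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\OgcdgnFRYrN.exe</Command></Exec>
  </Actions>
</Task>"""

# CONSTRUCTED benign comparison, modelled on a built-in maintenance task.
BENIGN_TASK_NAME = r"Microsoft\Windows\Defrag\ScheduledDefrag"
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

# Locations an unprivileged user can write to; a task whose action lives
# here was almost certainly not installed by a software installer.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\"
    r"|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.IGNORECASE,
)


def looks_random(task_name):
    """Heuristic: a leaf name with 4+ consecutive consonants (e.g. OgcdgnFRYrN)
    is unlikely to be a vendor-chosen word. The threshold is an assumption."""
    leaf = task_name.rsplit("\\", 1)[-1]
    run = best = 0
    for c in leaf:
        run = run + 1 if c.isalpha() and c.lower() not in "aeiou" else 0
        best = max(best, run)
    return best >= 4


def audit_task(task_name, xml_text):
    """Return a list of findings for one scheduled-task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        if USER_WRITABLE.search(cmd.text or ""):
            findings.append(f"exec from user-writable path: {cmd.text}")
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon trigger (persistence)")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("hidden task")
    if looks_random(task_name):
        findings.append(f"random-looking task name: {task_name}")
    return findings


if __name__ == "__main__":
    for name, xml_text in ((SUSPECT_TASK_NAME, SUSPECT_TASK_XML),
                           (BENIGN_TASK_NAME, BENIGN_TASK_XML)):
        print(name, "->", audit_task(name, xml_text) or ["clean"])
```

On a live host the same `audit_task` can be run over the files under C:\Windows\System32\Tasks (each task is stored there as XML; the files are UTF-16, so decode them before parsing). A task that trips the user-writable-path check and the logon trigger together is worth pulling the target binary for, whatever its name looks like.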
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp692E.tmp (the task XML passed to schtasks.exe /XML in the process tree above)
  MD5: 7f80a1ef0bde7b6933887863e9fb386b
  SHA1: 8f323489e992b6b37250d188e3d0963ff1dd3869
  SHA256: 909cd18a673f4608c4d771c2688f7c08f11789bef8ac013ab9ca43f9b6e0a220
  SHA512: 3c3576389ad18b94ae5db3b1e0055da9c504ee1cc48c3a4820a34f3bb643731a85751c6e684fb6fb5627002f3f713e04156947b0d94127a6a115d7f03828b89c
- memory/268-65-0x0000000000000000-mapping.dmp
- memory/1080-59-0x0000000000D50000-0x0000000000D51000-memory.dmp (4KB)
- memory/1080-61-0x0000000000C90000-0x0000000000C91000-memory.dmp (4KB)
- memory/1080-62-0x0000000000760000-0x000000000077B000-memory.dmp (108KB)
- memory/1080-63-0x0000000005D40000-0x0000000005DBB000-memory.dmp (492KB)
- memory/1080-64-0x0000000000C50000-0x0000000000C8D000-memory.dmp (244KB)
- memory/1696-68-0x000000000043763E-mapping.dmp
- memory/1696-67-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1696-69-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1696-71-0x00000000049C0000-0x00000000049C1000-memory.dmp (4KB)
The two 240KB dumps of PID 1696 at 0x400000-0x43C000 are the image written into the hollowed child and are where the family_agenttesla YARA rule matches; they are the dumps to take for static analysis and config extraction. 0x43763E lies inside that image, consistent with the entry point the redirected thread was pointed at.