Analysis
-
max time kernel
108s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-07-2021 13:01
General
-
Target
Confirmation of Proforma Invoice payment.exe
-
Size
772KB
-
MD5
05faa69a6a3b27e38fd9cf62af7c7912
-
SHA1
deec4c6629877307a1ff83e45ec51b5cabe9f257
-
SHA256
dd7c1c609857ba8705a55abc0e35b32837c3b31310eaa4a7d43ee1c585ddfb79
-
SHA512
08e95de90eff198e7eba9b973be271e7dd9a8ecb467eef6c4595289e68354c94042ac09eea0ac80374a9eb1fe538110c4325a12dea586c1898ad30bed353e6d2
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.vistakencana.com.my - Port:
587 - Username:
[email protected] - Password:
m33R3bus!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Confirmation of Proforma Invoice payment.exe"C:\Users\Admin\AppData\Local\Temp\Confirmation of Proforma Invoice payment.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmation of Proforma Invoice payment.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yiWgfQdyYJbfTP.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yiWgfQdyYJbfTP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1974.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yiWgfQdyYJbfTP.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Confirmation of Proforma Invoice payment.exe"C:\Users\Admin\AppData\Local\Temp\Confirmation of Proforma Invoice payment.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
3f7885c88079e5d7800c2c1796232946
SHA15bca417d36bb2ac69edb87b0d740cbceabc8494a
SHA25644fbecb9e328bc9d941dab8530682dc66c34b18a41c32f57c7168e3eec208c3b
SHA512e0fa5fff0a78dba5a9d2224de3e47d661a4fe888e88d580259b7ce545791f215977585a2d964a61791e8d5f568836be8aebcf7afd8015d3750d6074300e81536
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
03473311fa0f89cc616899628d12cdd3
SHA132de072c9214a61818a501a4727166261ee7ce43
SHA2560919c21e585bc348394207a1a449beae2da8d7a447c2008bbc0c557d6c817d15
SHA512a2a1da4259ca7ea2848999a47e1cd591150e50ef8188f8a06dc47b321660569a6959cdcac0d66dbc5864f2908b9c3dceb9b32f1b84e7790608a4dd46c450a72a
-
C:\Users\Admin\AppData\Local\Temp\tmp1974.tmpMD5
030e7ce4d9478bd3a19d6829d13a752e
SHA1c72d4aa24624ddf494e87c452ad6df62874e3469
SHA2561b807327ebb6b32c4654aeed64557e964a86d6316f985676cf0d20257885e97c
SHA512c08d4f9ca049cf90dddfdeebbf9fda0db5f56ab0041564eb2d6afb0747a522cbf69498b9e657cdcfde325122ec3a440e65ba8c1e3ee83555bce58ab07f3eaa91
-
memory/1796-145-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1796-165-0x0000000005050000-0x000000000554E000-memory.dmpFilesize
5.0MB
-
memory/1796-146-0x00000000004375AE-mapping.dmp
-
memory/2752-279-0x00000000049A3000-0x00000000049A4000-memory.dmpFilesize
4KB
-
memory/2752-222-0x000000007EB50000-0x000000007EB51000-memory.dmpFilesize
4KB
-
memory/2752-131-0x0000000000000000-mapping.dmp
-
memory/2752-164-0x00000000049A2000-0x00000000049A3000-memory.dmpFilesize
4KB
-
memory/2752-163-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/3012-133-0x0000000000000000-mapping.dmp
-
memory/3424-282-0x0000000004593000-0x0000000004594000-memory.dmpFilesize
4KB
-
memory/3424-167-0x0000000004590000-0x0000000004591000-memory.dmpFilesize
4KB
-
memory/3424-168-0x0000000004592000-0x0000000004593000-memory.dmpFilesize
4KB
-
memory/3424-276-0x000000007EF70000-0x000000007EF71000-memory.dmpFilesize
4KB
-
memory/3424-144-0x0000000000000000-mapping.dmp
-
memory/3908-126-0x0000000005ED0000-0x0000000005ED1000-memory.dmpFilesize
4KB
-
memory/3908-114-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/3908-116-0x0000000004E30000-0x0000000004EEC000-memory.dmpFilesize
752KB
-
memory/3908-117-0x000000000A8F0000-0x000000000A8F1000-memory.dmpFilesize
4KB
-
memory/3908-118-0x000000000A3F0000-0x000000000A3F1000-memory.dmpFilesize
4KB
-
memory/3908-119-0x000000000A530000-0x000000000A531000-memory.dmpFilesize
4KB
-
memory/3908-120-0x0000000004950000-0x0000000004951000-memory.dmpFilesize
4KB
-
memory/3908-121-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/3908-122-0x0000000005080000-0x000000000509B000-memory.dmpFilesize
108KB
-
memory/3908-123-0x0000000000E00000-0x0000000000E83000-memory.dmpFilesize
524KB
-
memory/3908-124-0x00000000052E0000-0x000000000531E000-memory.dmpFilesize
248KB
-
memory/4068-150-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/4068-152-0x0000000007E00000-0x0000000007E01000-memory.dmpFilesize
4KB
-
memory/4068-129-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/4068-161-0x0000000007BA0000-0x0000000007BA1000-memory.dmpFilesize
4KB
-
memory/4068-186-0x0000000008B50000-0x0000000008B83000-memory.dmpFilesize
204KB
-
memory/4068-189-0x000000007E4B0000-0x000000007E4B1000-memory.dmpFilesize
4KB
-
memory/4068-198-0x0000000008B10000-0x0000000008B11000-memory.dmpFilesize
4KB
-
memory/4068-206-0x0000000008C80000-0x0000000008C81000-memory.dmpFilesize
4KB
-
memory/4068-216-0x0000000008E50000-0x0000000008E51000-memory.dmpFilesize
4KB
-
memory/4068-125-0x0000000000000000-mapping.dmp
-
memory/4068-223-0x0000000000DA3000-0x0000000000DA4000-memory.dmpFilesize
4KB
-
memory/4068-136-0x0000000000DA2000-0x0000000000DA3000-memory.dmpFilesize
4KB
-
memory/4068-130-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/4068-132-0x0000000006AD0000-0x0000000006AD1000-memory.dmpFilesize
4KB
-
memory/4068-134-0x0000000006B70000-0x0000000006B71000-memory.dmpFilesize
4KB
-
memory/4068-135-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/4068-138-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB