Analysis
-
max time kernel
116s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 17:15
Static task
static1
Behavioral task
behavioral1
Sample
Picture.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Picture.exe
Resource
win10v20210410
General
-
Target
Picture.exe
-
Size
918KB
-
MD5
cf43b0fc3cf4393bb542bd212a1af029
-
SHA1
44ff1cbf0831d6176bd6e98a46f354800e9d09d0
-
SHA256
5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
-
SHA512
5279f393b145d8a4b0672ce5f75f8f777919e0b82ff3a7c3637e5753194fbbd4ace3a173e77d670ad7ab7f0d3cf5a33b65a3bb047cb16349178aea137382e04c
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1802838691:AAHG-LDFE4ym6sqdeNCoNwT9JyuuNVsehko/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
Picture.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Picture.exe -
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1172-135-0x000000000043770E-mapping.dmp family_agenttesla behavioral2/memory/1172-134-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/1172-143-0x0000000005100000-0x00000000055FE000-memory.dmp family_agenttesla -
Executes dropped EXE 4 IoCs
Processes:
Picture.exePicture.exePicture.exePicture.exepid process 2044 Picture.exe 3156 Picture.exe 1504 Picture.exe 1172 Picture.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Picture.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\iservice.exe = "C:\\Users\\Admin\\AppData\\Roaming\\iservice.exe\\iservice.exe.exe" Picture.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Picture.exedescription pid process target process PID 2044 set thread context of 1172 2044 Picture.exe Picture.exe -
Drops file in Program Files directory 55 IoCs
Processes:
Picture.exedescription ioc process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe Picture.exe File opened for modification C:\PROGRA~2\Google\Temp\GUM1CBD.tmp\GOFB2B~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE Picture.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe Picture.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe Picture.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe Picture.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE Picture.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE Picture.exe File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE Picture.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe Picture.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe Picture.exe File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE Picture.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe Picture.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe Picture.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE Picture.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe Picture.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe Picture.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe Picture.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE Picture.exe -
Drops file in Windows directory 1 IoCs
Processes:
Picture.exedescription ioc process File opened for modification C:\Windows\svchost.com Picture.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
Picture.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Picture.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
Picture.exePicture.exepid process 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 2044 Picture.exe 1172 Picture.exe 1172 Picture.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Picture.exePicture.exedescription pid process Token: SeDebugPrivilege 2044 Picture.exe Token: SeDebugPrivilege 1172 Picture.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Picture.exePicture.exedescription pid process target process PID 3212 wrote to memory of 2044 3212 Picture.exe Picture.exe PID 3212 wrote to memory of 2044 3212 Picture.exe Picture.exe PID 3212 wrote to memory of 2044 3212 Picture.exe Picture.exe PID 2044 wrote to memory of 3156 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 3156 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 3156 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1504 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1504 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1504 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe PID 2044 wrote to memory of 1172 2044 Picture.exe Picture.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Picture.exe"C:\Users\Admin\AppData\Local\Temp\Picture.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeC:\Users\Admin\AppData\Local\Temp\Picture.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeC:\Users\Admin\AppData\Local\Temp\Picture.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeC:\Users\Admin\AppData\Local\Temp\Picture.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Picture.exe.logMD5
4a30a8132195c1aa1a62b78676b178d9
SHA1506e6d99a2ba08c9d3553af30daaaa0fc46ae4be
SHA25671636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20
SHA5123272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
C:\Users\Admin\AppData\Local\Temp\Picture.exeMD5
dbedce8e808899925400d5054a0c23f5
SHA174bd0fb71ffb36f8b8328969f1db3a815904127f
SHA25665ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315
SHA512ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc
-
memory/1172-148-0x0000000005100000-0x00000000055FE000-memory.dmpFilesize
5.0MB
-
memory/1172-142-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/1172-143-0x0000000005100000-0x00000000055FE000-memory.dmpFilesize
5.0MB
-
memory/1172-144-0x0000000005DF0000-0x0000000005DF1000-memory.dmpFilesize
4KB
-
memory/1172-134-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1172-135-0x000000000043770E-mapping.dmp
-
memory/1172-145-0x0000000005E80000-0x0000000005E81000-memory.dmpFilesize
4KB
-
memory/2044-121-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/2044-131-0x0000000004E40000-0x000000000533E000-memory.dmpFilesize
5.0MB
-
memory/2044-130-0x0000000008BA0000-0x0000000008BA1000-memory.dmpFilesize
4KB
-
memory/2044-129-0x00000000089A0000-0x0000000008A16000-memory.dmpFilesize
472KB
-
memory/2044-124-0x0000000006F40000-0x0000000006F41000-memory.dmpFilesize
4KB
-
memory/2044-123-0x0000000006E60000-0x0000000006EBB000-memory.dmpFilesize
364KB
-
memory/2044-122-0x0000000004E40000-0x000000000533E000-memory.dmpFilesize
5.0MB
-
memory/2044-114-0x0000000000000000-mapping.dmp
-
memory/2044-120-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2044-119-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/2044-117-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB