Picture.exe

General
Target

Picture.exe

Filesize

918KB

Completed

27-07-2021 17:17

Score
10 /10
MD5

cf43b0fc3cf4393bb542bd212a1af029

SHA1

44ff1cbf0831d6176bd6e98a46f354800e9d09d0

SHA256

5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e

Malware Config

Extracted

Family agenttesla
C2

https://api.telegram.org/bot1802838691:AAHG-LDFE4ym6sqdeNCoNwT9JyuuNVsehko/sendDocument

Signatures 16

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Modifies system executable filetype association
    Picture.exe

    TTPs

    Modify RegistryChange Default File Association

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"Picture.exe
  • AgentTesla Payload

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/1172-135-0x000000000043770E-mapping.dmpfamily_agenttesla
    behavioral2/memory/1172-134-0x0000000000400000-0x000000000043C000-memory.dmpfamily_agenttesla
    behavioral2/memory/1172-143-0x0000000005100000-0x00000000055FE000-memory.dmpfamily_agenttesla
  • Executes dropped EXE
    Picture.exePicture.exePicture.exePicture.exe

    Reported IOCs

    pidprocess
    2044Picture.exe
    3156Picture.exe
    1504Picture.exe
    1172Picture.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    Picture.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\iservice.exe = "C:\\Users\\Admin\\AppData\\Roaming\\iservice.exe\\iservice.exe.exe"Picture.exe
  • Suspicious use of SetThreadContext
    Picture.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2044 set thread context of 11722044Picture.exePicture.exe
  • Drops file in Program Files directory
    Picture.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exePicture.exe
    File opened for modificationC:\PROGRA~2\Google\Temp\GUM1CBD.tmp\GOFB2B~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmplayer.exePicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmprph.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WI8A19~1\ImagingDevices.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exePicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpconfig.exePicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exePicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exePicture.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exePicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\setup_wm.exePicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpshare.exePicture.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WINDOW~2\wab.exePicture.exe
    File opened for modificationC:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exePicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\DISABL~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ExtExport.exePicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exePicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\iexplore.exePicture.exe
    File opened for modificationC:\PROGRA~2\MOZILL~1\UNINST~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WINDOW~2\wabmig.exePicture.exe
    File opened for modificationC:\PROGRA~2\WINDOW~2\WinMail.exePicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ielowutil.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exePicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exePicture.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ieinstal.exePicture.exe
    File opened for modificationC:\PROGRA~2\MOZILL~1\MAINTE~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmlaunch.exePicture.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEPicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exePicture.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exePicture.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXEPicture.exe
  • Drops file in Windows directory
    Picture.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\svchost.comPicture.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    Picture.exe

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"Picture.exe
  • Suspicious behavior: EnumeratesProcesses
    Picture.exePicture.exe

    Reported IOCs

    pidprocess
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    2044Picture.exe
    1172Picture.exe
    1172Picture.exe
  • Suspicious use of AdjustPrivilegeToken
    Picture.exePicture.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege2044Picture.exe
    Token: SeDebugPrivilege1172Picture.exe
  • Suspicious use of WriteProcessMemory
    Picture.exePicture.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3212 wrote to memory of 20443212Picture.exePicture.exe
    PID 3212 wrote to memory of 20443212Picture.exePicture.exe
    PID 3212 wrote to memory of 20443212Picture.exePicture.exe
    PID 2044 wrote to memory of 31562044Picture.exePicture.exe
    PID 2044 wrote to memory of 31562044Picture.exePicture.exe
    PID 2044 wrote to memory of 31562044Picture.exePicture.exe
    PID 2044 wrote to memory of 15042044Picture.exePicture.exe
    PID 2044 wrote to memory of 15042044Picture.exePicture.exe
    PID 2044 wrote to memory of 15042044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
    PID 2044 wrote to memory of 11722044Picture.exePicture.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\Picture.exe
    "C:\Users\Admin\AppData\Local\Temp\Picture.exe"
    Modifies system executable filetype association
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\Picture.exe
        C:\Users\Admin\AppData\Local\Temp\Picture.exe
        Executes dropped EXE
        PID:3156
      • C:\Users\Admin\AppData\Local\Temp\Picture.exe
        C:\Users\Admin\AppData\Local\Temp\Picture.exe
        Executes dropped EXE
        PID:1504
      • C:\Users\Admin\AppData\Local\Temp\Picture.exe
        C:\Users\Admin\AppData\Local\Temp\Picture.exe
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1172
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Picture.exe.log

                  MD5

                  4a30a8132195c1aa1a62b78676b178d9

                  SHA1

                  506e6d99a2ba08c9d3553af30daaaa0fc46ae4be

                  SHA256

                  71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20

                  SHA512

                  3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

                • C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • C:\Users\Admin\AppData\Local\Temp\3582-490\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • C:\Users\Admin\AppData\Local\Temp\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • C:\Users\Admin\AppData\Local\Temp\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • C:\Users\Admin\AppData\Local\Temp\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • C:\Users\Admin\AppData\Local\Temp\Picture.exe

                  MD5

                  dbedce8e808899925400d5054a0c23f5

                  SHA1

                  74bd0fb71ffb36f8b8328969f1db3a815904127f

                  SHA256

                  65ad5de571c458b30af37b85e2201a843c3e35ee90e358fa04e6b90fefe2e315

                  SHA512

                  ed6c86e9ae609088f3498b0fb07736234257d74d3f15b28f54beac8d90a1ca0014ce40c44958f92def621d6da176786be359029f9f2b898092228b0b55fc47dc

                • memory/1172-144-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

                • memory/1172-143-0x0000000005100000-0x00000000055FE000-memory.dmp

                • memory/1172-142-0x00000000052E0000-0x00000000052E1000-memory.dmp

                • memory/1172-134-0x0000000000400000-0x000000000043C000-memory.dmp

                • memory/1172-135-0x000000000043770E-mapping.dmp

                • memory/1172-148-0x0000000005100000-0x00000000055FE000-memory.dmp

                • memory/1172-145-0x0000000005E80000-0x0000000005E81000-memory.dmp

                • memory/2044-131-0x0000000004E40000-0x000000000533E000-memory.dmp

                • memory/2044-130-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

                • memory/2044-129-0x00000000089A0000-0x0000000008A16000-memory.dmp

                • memory/2044-124-0x0000000006F40000-0x0000000006F41000-memory.dmp

                • memory/2044-123-0x0000000006E60000-0x0000000006EBB000-memory.dmp

                • memory/2044-122-0x0000000004E40000-0x000000000533E000-memory.dmp

                • memory/2044-121-0x0000000004E70000-0x0000000004E71000-memory.dmp

                • memory/2044-120-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

                • memory/2044-119-0x0000000005340000-0x0000000005341000-memory.dmp

                • memory/2044-117-0x0000000000550000-0x0000000000551000-memory.dmp

                • memory/2044-114-0x0000000000000000-mapping.dmp