July Order 1 jpg.exe

General
Target

July Order 1 jpg.exe

Filesize

1MB

Completed

27-07-2021 17:14

Score
10/10
MD5

6fc8a7966aa650e9bde3b05dbf553466

SHA1

3b4aa0d3612ba04d0ccd700912b7ba4d685e31d5

SHA256

76895d99680852f9ccb3bc6e2bd937bdd76da6dc16b1e6704e804be92f40c2e5

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: mail.palletsolutions.ca

Port: 587

Username: eloglogs@palletsolutions.ca

Password: h~Q+QV.(M2?!

Signatures 12

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/420-149-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/420-150-0x00000000004375EE-mapping.dmp | family_agenttesla
  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    July Order 1 jpg.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | July Order 1 jpg.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | July Order 1 jpg.exe
  • Maps connected drives based on registry
    July Order 1 jpg.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | July Order 1 jpg.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | July Order 1 jpg.exe
  • Suspicious use of SetThreadContext
    July Order 1 jpg.exe

    Reported IOCs

    description | pid | process | target process
    PID 3212 set thread context of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2396 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe, July Order 1 jpg.exe, July Order 1 jpg.exe, powershell.exe

    Reported IOCs

    pid | process
    3456 | powershell.exe
    1936 | powershell.exe
    3456 | powershell.exe
    3212 | July Order 1 jpg.exe
    3212 | July Order 1 jpg.exe
    3212 | July Order 1 jpg.exe
    420 | July Order 1 jpg.exe
    420 | July Order 1 jpg.exe
    1936 | powershell.exe
    2256 | powershell.exe
    3456 | powershell.exe
    2256 | powershell.exe
    1936 | powershell.exe
    2256 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, July Order 1 jpg.exe, July Order 1 jpg.exe, powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3456 | powershell.exe
    Token: SeDebugPrivilege | 1936 | powershell.exe
    Token: SeDebugPrivilege | 3212 | July Order 1 jpg.exe
    Token: SeDebugPrivilege | 420 | July Order 1 jpg.exe
    Token: SeDebugPrivilege | 2256 | powershell.exe
  • Suspicious use of WriteProcessMemory
    July Order 1 jpg.exe

    Reported IOCs

    description | pid | process | target process
    PID 3212 wrote to memory of 3456 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 3456 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 3456 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 1936 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 1936 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 1936 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 2396 | 3212 | July Order 1 jpg.exe | schtasks.exe
    PID 3212 wrote to memory of 2396 | 3212 | July Order 1 jpg.exe | schtasks.exe
    PID 3212 wrote to memory of 2396 | 3212 | July Order 1 jpg.exe | schtasks.exe
    PID 3212 wrote to memory of 2256 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 2256 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 2256 | 3212 | July Order 1 jpg.exe | powershell.exe
    PID 3212 wrote to memory of 2040 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 2040 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 2040 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
    PID 3212 wrote to memory of 420 | 3212 | July Order 1 jpg.exe | July Order 1 jpg.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe"
    Checks BIOS information in registry
    Maps connected drives based on registry
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FfcfgaVG.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FfcfgaVG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EEC.tmp"
      Creates scheduled task(s)
      PID:2396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FfcfgaVG.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe"
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\July Order 1 jpg.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:420
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    MD5

    1db94f0f524ff4b67931a56e17da1280

    SHA1

    cfe11a304ca7e71055248ce50f4389325b2475e3

    SHA256

    c37242955e8bb052c92a8c428a3e3b365488ae4a0c59545ab3993f17e115ad9d

    SHA512

    f8739c3e6cb1ee92874ba3630f165d55d8783b76892f635c39f3485c75168e29abb471ff493ed8d1d08554e8fab61c33c7b608a680e15660a0b49a6a2ddc468b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    MD5

    d87291c854fcb99b7e33cab14aeea675

    SHA1

    5acf81d7fd7fbcf205b16a8ec12fee9be7a4fe86

    SHA256

    b7ded7e953754e7c4ff9cced04b035dc886aeb2e0f8abc3991cfa8da5678b81b

    SHA512

    30028f6087beb18859fde3734903cbb7af448cb64ff2c86d6e7c36696a8ea18e236544c64cfe84b5ba03ba2e4995b555563c4a678f8b53b2760226e44ca0f75b

  • C:\Users\Admin\AppData\Local\Temp\tmp4EEC.tmp

    MD5

    607b84fab3f4e602336074b4bcbd321a

    SHA1

    9877753e2b851b43d2bfdc57eaf219cf825f317a

    SHA256

    c664f6bfdd1e1e04ec0a4dddca540c67520eb020c634b0cf184f325ca663f0de

    SHA512

    43568c9cc2b36da4349aa5b9672e49666ef14468995c64cd6230c670d4b776390d3cd77eda00fa221c0ecceac891522f92754df6ad7e98c0b01e368f21514941

  • memory/420-150-0x00000000004375EE-mapping.dmp

  • memory/420-160-0x0000000005650000-0x0000000005B4E000-memory.dmp

  • memory/420-149-0x0000000000400000-0x000000000043C000-memory.dmp

  • memory/1936-134-0x0000000000000000-mapping.dmp

  • memory/1936-157-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

  • memory/1936-159-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

  • memory/1936-214-0x000000007EC70000-0x000000007EC71000-memory.dmp

  • memory/1936-251-0x0000000004EB3000-0x0000000004EB4000-memory.dmp

  • memory/2256-165-0x00000000047A2000-0x00000000047A3000-memory.dmp

  • memory/2256-148-0x0000000000000000-mapping.dmp

  • memory/2256-303-0x00000000047A3000-0x00000000047A4000-memory.dmp

  • memory/2256-256-0x000000007EC10000-0x000000007EC11000-memory.dmp

  • memory/2256-163-0x00000000047A0000-0x00000000047A1000-memory.dmp

  • memory/2396-136-0x0000000000000000-mapping.dmp

  • memory/3212-119-0x0000000004E80000-0x0000000004E81000-memory.dmp

  • memory/3212-118-0x0000000004F10000-0x0000000004F11000-memory.dmp

  • memory/3212-126-0x00000000095D0000-0x00000000095D1000-memory.dmp

  • memory/3212-124-0x0000000005270000-0x00000000052A9000-memory.dmp

  • memory/3212-123-0x00000000094E0000-0x000000000955D000-memory.dmp

  • memory/3212-122-0x0000000004860000-0x0000000004871000-memory.dmp

  • memory/3212-117-0x0000000005410000-0x0000000005411000-memory.dmp

  • memory/3212-116-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

  • memory/3212-120-0x00000000050D0000-0x00000000050D1000-memory.dmp

  • memory/3212-121-0x0000000004F10000-0x000000000540E000-memory.dmp

  • memory/3212-114-0x00000000004C0000-0x00000000004C1000-memory.dmp

  • memory/3456-135-0x0000000007500000-0x0000000007501000-memory.dmp

  • memory/3456-154-0x00000000088C0000-0x00000000088C1000-memory.dmp

  • memory/3456-151-0x0000000007C00000-0x0000000007C01000-memory.dmp

  • memory/3456-167-0x0000000008630000-0x0000000008631000-memory.dmp

  • memory/3456-188-0x00000000095C0000-0x00000000095F3000-memory.dmp

  • memory/3456-201-0x00000000095A0000-0x00000000095A1000-memory.dmp

  • memory/3456-212-0x0000000009600000-0x0000000009601000-memory.dmp

  • memory/3456-138-0x0000000007F90000-0x0000000007F91000-memory.dmp

  • memory/3456-211-0x000000007E690000-0x000000007E691000-memory.dmp

  • memory/3456-221-0x0000000009900000-0x0000000009901000-memory.dmp

  • memory/3456-248-0x0000000004B73000-0x0000000004B74000-memory.dmp

  • memory/3456-125-0x0000000000000000-mapping.dmp

  • memory/3456-133-0x0000000007460000-0x0000000007461000-memory.dmp

  • memory/3456-131-0x0000000004B70000-0x0000000004B71000-memory.dmp

  • memory/3456-132-0x0000000004B72000-0x0000000004B73000-memory.dmp

  • memory/3456-130-0x00000000075A0000-0x00000000075A1000-memory.dmp

  • memory/3456-129-0x0000000004B10000-0x0000000004B11000-memory.dmp