Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-07-2021 05:49
Static task
static1
Behavioral task
behavioral1
Sample
Martina Order_pdf.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Martina Order_pdf.exe
Resource
win10v20210410
General
-
Target
Martina Order_pdf.exe
-
Size
611KB
-
MD5
91647ee9941ad4d5027fc5b5f1ac7217
-
SHA1
16183d5e931d537730f4f661a951bab6d1f3a2df
-
SHA256
c809a7c8a779f3667caad5da5424fd84c42793cd98dc5531d6d06b9181191942
-
SHA512
53d1214bd25ce8b39d400faa0689933f3b1b2b64198c75f9ad65a550003128c7ca90a07cd5c13cc19a8e5d0fe09fa11f5da6e0abd774421809e90fdf769ca911
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mohhg.com - Port:
587 - Username:
[email protected] - Password:
r:1{cNw4}vJc
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3116-117-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/3116-118-0x000000000043736E-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Martina Order_pdf.exedescription pid process target process PID 1808 set thread context of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Martina Order_pdf.exeMartina Order_pdf.exepid process 1808 Martina Order_pdf.exe 3116 Martina Order_pdf.exe 3116 Martina Order_pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Martina Order_pdf.exeMartina Order_pdf.exedescription pid process Token: SeDebugPrivilege 1808 Martina Order_pdf.exe Token: SeDebugPrivilege 3116 Martina Order_pdf.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Martina Order_pdf.exedescription pid process target process PID 1808 wrote to memory of 8 1808 Martina Order_pdf.exe schtasks.exe PID 1808 wrote to memory of 8 1808 Martina Order_pdf.exe schtasks.exe PID 1808 wrote to memory of 8 1808 Martina Order_pdf.exe schtasks.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe PID 1808 wrote to memory of 3116 1808 Martina Order_pdf.exe Martina Order_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Martina Order_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Martina Order_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XehVlvKKN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4BD.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Martina Order_pdf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Martina Order_pdf.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
C:\Users\Admin\AppData\Local\Temp\tmpC4BD.tmpMD5
e59cce9c451412c920346ef20a4d9b94
SHA146e0669d54ca588f82b016c957606b0734f62ed2
SHA256999022aafc2bc300da7273847ea358f4a3042fc956cd7cbedcc84d5057f1f6a2
SHA512a0b1adef349ea91d54f7064901c6008dc70e989b0b30cea917e29d39a17d476a6b6dff39fcfeafad14d6ddd3e5efb9841391f8370672217d4ea63d6e96bf7de1
-
memory/8-115-0x0000000000000000-mapping.dmp
-
memory/1808-114-0x0000000001110000-0x0000000001111000-memory.dmpFilesize
4KB
-
memory/3116-117-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3116-118-0x000000000043736E-mapping.dmp
-
memory/3116-120-0x0000000002F00000-0x0000000002F01000-memory.dmpFilesize
4KB
-
memory/3116-121-0x0000000002F01000-0x0000000002F02000-memory.dmpFilesize
4KB
-
memory/3116-122-0x0000000002F02000-0x0000000002F03000-memory.dmpFilesize
4KB