Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 11:19

Static task: static1
Behavioral task: behavioral1
  Sample: CMR-7146846_PDF.pif.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: CMR-7146846_PDF.pif.exe
  Resource: win10-en-20210920

The signature, process and memory-dump data below come from the behavioral2 run (win10-en-20210920); the behavioral1 task on win7v20210408 is listed but its results do not appear on this page.
General
- Target: CMR-7146846_PDF.pif.exe
- Size: 310KB
- MD5: 71028a6ec414b1642243aa4981a3365f
- SHA1: 630b016a94f7bee220565d3b9a55a2ae8ef73c5a
- SHA256: 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
- SHA512: 4c403091f4839867d7465e437f30eb3648a114ebf1e16cadbcd4a232f2c9b75fac1ef4d9b7081314eeabb33eb9579ce39373385f122c3104e7a7815c007b790a
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.globalmedical.nl
- Port: 587
- Username: vic@globalmedical.nl
- Password: W3oxtsMvzRhJV&eBZoFabwZV

The stealer exfiltrates collected credentials over SMTP submission (port 587) with the account above. The report cannot tell whether that mailbox is attacker-owned or a compromised legitimate account at globalmedical.nl; in either case the password is now public, the account should be treated as compromised, and outbound SMTP to this host from an affected network is the immediate network indicator.
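Turning the extracted configuration into a detection, as an added example that is not part of the Triage report: the sweep below reads constructed tab-separated connection records (the field layout is an assumption made for this example, not the report's data) and flags traffic to the configured host, plus SMTP sessions whose sender is the configured mailbox, on the assumption that the stolen data is sent from that account, which is the usual AgentTesla SMTP behaviour.

```python
from dataclasses import dataclass

# Exfiltration channel from the "Malware Config" section of the report.
EXFIL_HOST = "mail.globalmedical.nl"
EXFIL_PORT = 587
EXFIL_USER = "vic@globalmedical.nl"


@dataclass(frozen=True)
class Alert:
    line_no: int
    severity: str
    reasons: tuple


# Constructed log records (tab-separated: ts, src_ip, src_port, dst_host,
# dst_port, service, mail_from). The layout is an assumption for this
# example; "-" marks a field that does not apply to the record.
SAMPLE_LOG = """\
1632827960.1\t10.0.0.5\t49811\tupdate.microsoft.com\t443\tssl\t-
1632827971.4\t10.0.0.5\t49822\tmail.globalmedical.nl\t587\tsmtp\tvic@globalmedical.nl
1632827975.0\t10.0.0.7\t50102\tMAIL.GLOBALMEDICAL.NL\t25\tsmtp\tbob@example.org
1632827990.2\t10.0.0.5\t49830\tsmtp.office365.com\t587\tsmtp\tvic@globalmedical.nl
"""

FIELDS = ("ts", "src_ip", "src_port", "dst_host", "dst_port", "service", "mail_from")


def parse_record(line):
    """Split one tab-separated record into a dict; ports become ints."""
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec):
    """Return the IoC reasons a record matches; an empty list means no match.
    Host comparison is case-insensitive because DNS names are."""
    reasons = []
    if rec["dst_host"].lower() == EXFIL_HOST:
        reasons.append(f"destination is extracted C2 host {EXFIL_HOST} (port {rec['dst_port']})")
    if rec["service"] == "smtp" and rec["mail_from"].lower() == EXFIL_USER:
        reasons.append(f"SMTP sender is the configured exfil account {EXFIL_USER}")
    return reasons


def sweep(log_text):
    """Scan every record; both indicators together are rated high, one alone medium
    (the real owner of a compromised mailbox may legitimately send as that user)."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(parse_record(line))
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append(Alert(n, severity, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in sweep(SAMPLE_LOG):
        print(alert.line_no, alert.severity, "; ".join(alert.reasons))
```

Port 587 on its own is deliberately not an indicator, since every legitimate mail client uses it; the host and the sender account are the values this sample actually carries.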
Signatures
-
AgentTesla
Agent Tesla is a .NET-based (Visual Basic) remote access tool (RAT) and credential stealer.
-
AgentTesla Payload (4 IoCs)
The YARA rule family_agenttesla matched these PID 4064 memory dumps from behavioral2:
- memory/4064-116-0x0000000000400000-0x000000000044C000-memory.dmp
- memory/4064-117-0x000000000040188B-mapping.dmp
- memory/4064-118-0x00000000006E0000-0x0000000000717000-memory.dmp
- memory/4064-122-0x0000000000400000-0x000000000044C000-memory.dmp
-
Loads dropped DLL (1 IoC)
- PID 3084 CMR-7146846_PDF.pif.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext (1 IoC)
- PID 3084 (CMR-7146846_PDF.pif.exe) set thread context of PID 4064 (CMR-7146846_PDF.pif.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report shows file encryption or a ransom note; enumerating drives is equally consistent with an infostealer looking for data to collect.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4064 CMR-7146846_PDF.pif.exe (recorded twice)
-
Suspicious behavior: RenamesItself (1 IoC)
- PID 4064 CMR-7146846_PDF.pif.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 4064 CMR-7146846_PDF.pif.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (10 IoCs)
- PID 3084 (CMR-7146846_PDF.pif.exe) wrote to memory of PID 4064 (CMR-7146846_PDF.pif.exe), recorded 10 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe (PID 3084)
   Command line: "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe (PID 4064, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CMR-7146846_PDF.pif.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
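The SetThreadContext and WriteProcessMemory tables together describe the classic hollowing sequence: the first instance spawns a second copy of its own executable, writes into it ten times, then resets the new process's thread context so execution starts in the written image. The detector below is an added example, not Triage's own logic; it parses rows in the flattened table format shown in this report (the rows are copied from it, with one constructed benign row added) and flags any source/target pair that both writes to the target and sets its thread context.

```python
import re
from collections import Counter

# Rows copied from the report's SetThreadContext and WriteProcessMemory
# signature tables (the write row is recorded ten times), followed by one
# constructed benign row: a process that writes to a child but never
# changes its thread context, which must not be flagged.
TRIAGE_ROWS = (
    "PID 3084 set thread context of 4064 3084 CMR-7146846_PDF.pif.exe CMR-7146846_PDF.pif.exe "
    + "PID 3084 wrote to memory of 4064 3084 CMR-7146846_PDF.pif.exe CMR-7146846_PDF.pif.exe " * 10
    + "PID 700 wrote to memory of 712 700 svchost.exe svchost.exe"
)

# Triage row layout: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
API_NAMES = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}


def parse_triage_rows(text):
    """Turn flattened table text into (api, src_pid, dst_pid, src_image, dst_image) tuples."""
    return [
        (API_NAMES[m["api"]], int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
        for m in ROW_RE.finditer(text)
    ]


def find_hollowing(events, min_writes=1):
    """Flag each (source, target) pair that both wrote to the target and set its
    thread context. same_image marks the self-injection variant seen here, where
    the loader runs a second copy of its own executable and replaces its image
    before the main thread runs."""
    writes = Counter()
    ctx = set()
    images = {}
    for api, src, dst, src_img, dst_img in events:
        key = (src, dst)
        images[key] = (src_img, dst_img)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            ctx.add(key)
    findings = []
    for key in sorted(ctx):
        if writes[key] < min_writes:
            continue
        src_img, dst_img = images[key]
        findings.append({
            "source_pid": key[0],
            "target_pid": key[1],
            "writes": writes[key],
            "same_image": src_img.lower() == dst_img.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_triage_rows(TRIAGE_ROWS)):
        print(finding)
```

Outside a sandbox the same pairing is built from EDR or Sysmon process-access telemetry rather than a report table; requiring both the write and the context change (and, for this family, a matching image path) is what keeps debuggers and legitimate injectors from tripping the rule.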
Downloads
- \Users\Admin\AppData\Local\Temp\nso9215.tmp\agyko.dll
  MD5: 7dc59f4707dae01d8bc589b5764fbd65
  SHA1: 53397fb4fce54937bf30764283934b6573fd63a9
  SHA256: d8f687ba9eea4e69aeaad9cccafd1ecc9be0b1b09c88ab8a4b5728aba666c903
  SHA512: f89321e0382ab5ca457f040a3f4d887cae047a5ca00efce4d8a6334e307b07d130788116c30bbd22ca94739fff17e19b2c221958f013de32eac4da86cbfc680e
  This is the only dropped file in the report and the likely object of the "Loads dropped DLL" signature on PID 3084. The ns####.tmp directory name is the pattern NSIS installers use for their temporary plugin directory, so the outer executable is consistent with an NSIS-packaged loader, although the report itself does not identify the packer.
- memory/4064-116-0x0000000000400000-0x000000000044C000-memory.dmp  Filesize: 304KB
- memory/4064-117-0x000000000040188B-mapping.dmp
- memory/4064-118-0x00000000006E0000-0x0000000000717000-memory.dmp  Filesize: 220KB
- memory/4064-120-0x00000000049C0000-0x00000000049C1000-memory.dmp  Filesize: 4KB
- memory/4064-121-0x00000000048A0000-0x00000000048A1000-memory.dmp  Filesize: 4KB
- memory/4064-123-0x00000000049B0000-0x00000000049B1000-memory.dmp  Filesize: 4KB
- memory/4064-122-0x0000000000400000-0x000000000044C000-memory.dmp  Filesize: 304KB
- memory/4064-124-0x00000000049B2000-0x00000000049B3000-memory.dmp  Filesize: 4KB
- memory/4064-126-0x00000000049B4000-0x00000000049B5000-memory.dmp  Filesize: 4KB
- memory/4064-125-0x00000000049B3000-0x00000000049B4000-memory.dmp  Filesize: 4KB
- memory/4064-127-0x00000000057B0000-0x00000000057B1000-memory.dmp  Filesize: 4KB
- memory/4064-128-0x00000000057E0000-0x00000000057E1000-memory.dmp  Filesize: 4KB
- memory/4064-129-0x0000000005C20000-0x0000000005C21000-memory.dmp  Filesize: 4KB
- memory/4064-130-0x00000000008A0000-0x00000000008A1000-memory.dmp  Filesize: 4KB
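Each dump name encodes the address range it was taken from, which is enough to check the Filesize column and to pick out the dump worth unpacking. The script below is an added example, not Triage code; the artifact names and sizes are copied from this section, the family-match indices from the AgentTesla Payload signature, and treating 0x400000 (the default image base of a non-relocated 32-bit PE) as the location of the replaced main image is this example's assumption.

```python
import re

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp  and  memory/<pid>-<index>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# Artifact names and Filesize values copied from the Downloads section
# (a subset; the remaining 4KB regions parse the same way).
REPORTED = [
    ("memory/4064-116-0x0000000000400000-0x000000000044C000-memory.dmp", "304KB"),
    ("memory/4064-117-0x000000000040188B-mapping.dmp", None),
    ("memory/4064-118-0x00000000006E0000-0x0000000000717000-memory.dmp", "220KB"),
    ("memory/4064-120-0x00000000049C0000-0x00000000049C1000-memory.dmp", "4KB"),
    ("memory/4064-122-0x0000000000400000-0x000000000044C000-memory.dmp", "304KB"),
]
# Dump indices the family_agenttesla YARA rule matched, per the AgentTesla Payload signature.
FAMILY_HITS = {116, 117, 118, 122}


def parse_artifact(name):
    """Decode one artifact name into pid, index and address information."""
    m = DUMP_RE.match(name)
    if m:
        pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        return {"kind": "region", "pid": pid, "index": idx,
                "start": start, "end": end, "size": end - start}
    m = MAP_RE.match(name)
    if m:
        return {"kind": "mapping", "pid": int(m[1]), "index": int(m[2]), "address": int(m[3], 16)}
    raise ValueError(f"unrecognised artifact name: {name}")


def size_label(nbytes):
    """Whole-kilobyte label in the style of the report's Filesize column."""
    return f"{nbytes // 1024}KB"


def size_mismatches(reported):
    """Names whose address range disagrees with the size the report prints."""
    bad = []
    for name, label in reported:
        art = parse_artifact(name)
        if art["kind"] == "region" and label is not None and size_label(art["size"]) != label:
            bad.append((name, label, size_label(art["size"])))
    return bad


def payload_candidates(reported, family_hits, image_base=0x400000):
    """Indices of family-matched regions that start at image_base: in a hollowed
    process this is the replaced main image, the dump to carve and unpack."""
    out = []
    for name, _ in reported:
        art = parse_artifact(name)
        if art["kind"] == "region" and art["index"] in family_hits and art["start"] == image_base:
            out.append(art["index"])
    return out


def region_containing(reported, address):
    """Index of the first region whose [start, end) covers address, or None."""
    for name, _ in reported:
        art = parse_artifact(name)
        if art["kind"] == "region" and art["start"] <= address < art["end"]:
            return art["index"]
    return None


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORTED))
    print("payload dumps:", payload_candidates(REPORTED, FAMILY_HITS))
    print("mapping 0x40188B lies in region:", region_containing(REPORTED, 0x40188B))
```

Both 304KB dumps (116 and 122) cover the same 0x400000 to 0x44C000 range, captured at different moments, and the single mapping address 0x40188B falls inside it; the 220KB region at 0x6E0000 is the other family match and is the second dump to examine if the image-base one is incomplete.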