Analysis
  max time kernel:  120s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-en-20210920
  submitted:        14-10-2021 05:26
Static task
  static1
Behavioral task
  behavioral1
    Sample:   Purchase Order PO5351.exe
    Resource: win7-en-20210920
Behavioral task
  behavioral2
    Sample:   Purchase Order PO5351.exe
    Resource: win10v20210408
General
  Target: Purchase Order PO5351.exe
  Size:   355KB
  MD5:    583ae888adbd5a79d055fbd414cc403b
  SHA1:   02fe0acb2796c2be544cee6cde690071e3cbfced
  SHA256: e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
  SHA512: 6d584518b741a225f887d8bacc621ae0461b3ada7781fdba51a2cdcd717c3869bafc9d06da88c22b3530341032676057c5747afb3be9187844bb3f2293f37060
Malware Config
Extracted
  Family:   agenttesla
  Protocol: smtp
  Host:     mail.appalliser.com
  Port:     587
  Username: newwork1@appalliser.com
  Password: !%RvA^hkLSn&
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/740-56-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/740-57-0x000000000040188B-mapping.dmp                    family_agenttesla
    behavioral1/memory/740-59-0x0000000000840000-0x0000000000877000-memory.dmp  family_agenttesla
    behavioral1/memory/740-61-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1324  Purchase Order PO5351.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order PO5351.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order PO5351.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order PO5351.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1324 set thread context of 740  1324  Purchase Order PO5351.exe  Purchase Order PO5351.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    740  Purchase Order PO5351.exe
    740  Purchase Order PO5351.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  740  Purchase Order PO5351.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process), 11 identical entries:
    PID 1324 wrote to memory of 740  1324  Purchase Order PO5351.exe  Purchase Order PO5351.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order PO5351.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order PO5351.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nstB3D6.tmp\gqdtoh.dll
  MD5:    5a58f937df449de296b78bff64cdd730
  SHA1:   a62509aa4d31ddb12a3dc881fb029d575b77484d
  SHA256: 59080307e0cfb01fe407d6f08347f540f3f0b42764b46c65c6571ff186ace7c7
  SHA512: bdcafa07ace4802845fd06bf203a4c393f211635e3a8f2b7fd2af3df0667318f90b7db2563ca2838a510d72253d3b8f797d7491ba9fa1ad632d3dc274fa81d07
- memory/740-56-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/740-57-0x000000000040188B-mapping.dmp
- memory/740-59-0x0000000000840000-0x0000000000877000-memory.dmp
  Filesize: 220KB
- memory/740-62-0x00000000045F1000-0x00000000045F2000-memory.dmp
  Filesize: 4KB
- memory/740-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/740-63-0x00000000045F2000-0x00000000045F3000-memory.dmp
  Filesize: 4KB
- memory/740-64-0x00000000045F3000-0x00000000045F4000-memory.dmp
  Filesize: 4KB
- memory/740-65-0x00000000045F4000-0x00000000045F5000-memory.dmp
  Filesize: 4KB
- memory/1324-54-0x0000000075661000-0x0000000075663000-memory.dmp
  Filesize: 8KB