Purchase Order PO5351.exe

General

Target: Purchase Order PO5351.exe
Filesize: 355KB
Completed: 14-10-2021 05:28
Score: 10/10
MD5: 583ae888adbd5a79d055fbd414cc403b
SHA1: 02fe0acb2796c2be544cee6cde690071e3cbfced
SHA256: e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.appalliser.com
  Port: 587
  Username: newwork1@appalliser.com
  Password: !%RvA^hkLSn&

Signatures 14

Tactics: Collection, Credential Access, Discovery
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2836-115-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral2/memory/2836-116-0x000000000040188B-mapping.dmp | family_agenttesla
    behavioral2/memory/2836-117-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral2/memory/2836-118-0x0000000002180000-0x00000000021B7000-memory.dmp | family_agenttesla
  • Loads dropped DLL
    Purchase Order PO5351.exe

    Reported IOCs

    pid | process
    856 | Purchase Order PO5351.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    Purchase Order PO5351.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Purchase Order PO5351.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Purchase Order PO5351.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Purchase Order PO5351.exe
  • Suspicious use of SetThreadContext
    Purchase Order PO5351.exe

    Reported IOCs

    description | pid | process | target process
    PID 856 set thread context of 2836 | 856 | Purchase Order PO5351.exe | Purchase Order PO5351.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    Purchase Order PO5351.exe

    Reported IOCs

    pid | process
    2836 | Purchase Order PO5351.exe
    2836 | Purchase Order PO5351.exe
  • Suspicious use of AdjustPrivilegeToken
    Purchase Order PO5351.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2836 | Purchase Order PO5351.exe
  • Suspicious use of WriteProcessMemory
    Purchase Order PO5351.exe

    Reported IOCs (10 identical events)

    description | pid | process | target process
    PID 856 wrote to memory of 2836 | 856 | Purchase Order PO5351.exe | Purchase Order PO5351.exe
  • outlook_office_path
    Purchase Order PO5351.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Purchase Order PO5351.exe

  • outlook_win_path
    Purchase Order PO5351.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Purchase Order PO5351.exe

Processes 2
  • C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2836
Downloads

  • \Users\Admin\AppData\Local\Temp\nsn8071.tmp\gqdtoh.dll
    MD5: 5a58f937df449de296b78bff64cdd730
    SHA1: a62509aa4d31ddb12a3dc881fb029d575b77484d
    SHA256: 59080307e0cfb01fe407d6f08347f540f3f0b42764b46c65c6571ff186ace7c7
    SHA512: bdcafa07ace4802845fd06bf203a4c393f211635e3a8f2b7fd2af3df0667318f90b7db2563ca2838a510d72253d3b8f797d7491ba9fa1ad632d3dc274fa81d07

  • memory/2836-122-0x0000000004983000-0x0000000004984000-memory.dmp
  • memory/2836-116-0x000000000040188B-mapping.dmp
  • memory/2836-117-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/2836-118-0x0000000002180000-0x00000000021B7000-memory.dmp
  • memory/2836-121-0x0000000004982000-0x0000000004983000-memory.dmp
  • memory/2836-120-0x0000000004980000-0x0000000004981000-memory.dmp
  • memory/2836-115-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/2836-123-0x0000000004990000-0x0000000004991000-memory.dmp
  • memory/2836-124-0x0000000004E90000-0x0000000004E91000-memory.dmp
  • memory/2836-125-0x0000000004984000-0x0000000004985000-memory.dmp
  • memory/2836-126-0x00000000057B0000-0x00000000057B1000-memory.dmp
  • memory/2836-127-0x00000000057E0000-0x00000000057E1000-memory.dmp
  • memory/2836-128-0x0000000005A90000-0x0000000005A91000-memory.dmp
  • memory/2836-129-0x00000000008F0000-0x00000000008F1000-memory.dmp