Analysis
- max time kernel: 101s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 13:07

Static task: static1
Behavioral task: behavioral1
  Sample: offer Order And Shipping Details.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: offer Order And Shipping Details.exe
  Resource: win10-en-20210920
General
- Target: offer Order And Shipping Details.exe
- Size: 973KB
- MD5: e541ccd346efda9a73ca77705c0f593b
- SHA1: e7b586668604ad4db47455bf0fff086aeb0cad60
- SHA256: 336c8f08437e02813b6f5c4a9e61f6b22f93fb28b014532dfe48b5a1707f6cce
- SHA512: a93b96a24188a2644e48df906f4e9780eb22bc13ecab7722dfb50a8a1c47ace547b34fd8ff1388c7dff99f1675c434da434c22c90ae5fcc90d37d59d0adf9134
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.thts.vn
- Port: 587
- Username: [email protected]
- Password: 123luongngan1989
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1392-121-0x0000000000B60000-0x00000000011DA000-memory.dmp | family_agenttesla
  behavioral2/memory/1392-122-0x0000000000B96A2E-mapping.dmp | family_agenttesla
- Executes dropped EXE (1 IoC)
  pid | process
  1316 | mvrjfdln.pif
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mvrjfdln.pif
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\37934803\\mvrjfdln.pif C:\\Users\\Admin\\37934803\\ihuaoe.uqp" | mvrjfdln.pif
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1316 set thread context of 1392 | 1316 | mvrjfdln.pif | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  1392 | RegSvcs.exe (six entries, all for PID 1392)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1392 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1392 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2056 wrote to memory of 1316 | 2056 | offer Order And Shipping Details.exe | mvrjfdln.pif (three entries)
  PID 1316 wrote to memory of 1392 | 1316 | mvrjfdln.pif | RegSvcs.exe (five entries)
- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\offer Order And Shipping Details.exe (PID 2056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\offer Order And Shipping Details.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\37934803\mvrjfdln.pif (PID 1316)
    Command line: "C:\Users\Admin\37934803\mvrjfdln.pif" ihuaoe.uqp
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1392)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Downloads