Analysis

  • max time kernel
    126s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    18-10-2021 21:16

General

  • Target

    Shipping Document PL&BL Draft.exe

  • Size

    277KB

  • MD5

    9e944f39542cf55c8cd0513307c507e3

  • SHA1

    5dc457b12d42e9a91ba4ef70bbbf35494399cef7

  • SHA256

    4a5d34fcda47700161c2fbc4ee64713e81e563d04e319b7a48e52d778e70e4b7

  • SHA512

    469a7478e8d0957ca8bceed0a0f8f6dc028c8ec78e87a9212288974cdf5f752845a6d547dd27649ae2d022226cd53b37d17e2e78c3847da2dc5c7a4c34ec95ef

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1900836728:AAEDyoYbBJwtt1EA4hdgRlGTN1cq760KPNU/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload (4 IoCs)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi11.tmp\psonqtuo.dll

    MD5

    4e4a9b4272db28101d5e6cf7e7368602

    SHA1

    ddc50b6b2faf4ee923c097be2758f327b501792f

    SHA256

    4b3dd1a214d3b1cf8fa9b9cdcffa76fb1823411db3e0bffc6c5a0ac356466530

    SHA512

    120b86016789f37833e397155930c700e7fd3531d58a8e557691360bb2a1600fa5279099b1ce073a57139ffe157d9dc1d2037a5051eb38d5a0cab26ad5b88924

  • memory/672-56-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/672-57-0x000000000040188B-mapping.dmp

  • memory/672-59-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/672-60-0x0000000004480000-0x00000000044B6000-memory.dmp

    Filesize

    216KB

  • memory/672-63-0x0000000004542000-0x0000000004543000-memory.dmp

    Filesize

    4KB

  • memory/672-62-0x0000000004541000-0x0000000004542000-memory.dmp

    Filesize

    4KB

  • memory/672-64-0x0000000004543000-0x0000000004544000-memory.dmp

    Filesize

    4KB

  • memory/672-65-0x0000000004544000-0x0000000004545000-memory.dmp

    Filesize

    4KB

  • memory/1324-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB