Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
19-10-2021 21:59
Static task
static1
Behavioral task
behavioral1
Sample
DETAILS PROFORMA BANKING_____________pdf_____________.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
DETAILS PROFORMA BANKING_____________pdf_____________.exe
Resource
win10-en-20211014
General
-
Target
DETAILS PROFORMA BANKING_____________pdf_____________.exe
-
Size
464KB
-
MD5
698d250ff08f3121dc1652384430f942
-
SHA1
e4e9829b91795d7908ea8967f065c1c36bb553a1
-
SHA256
498156982ed9aecacb9a26f6bb4842752c1ad265ab662c25893f5e8e0eebf277
-
SHA512
c5d0d567638f67063f41dada5689fa6aa66af408f2103a48a06daf0179682cec40a6e3bcfc08ec9e96d1253cdd34fb1d71fc1e2e4c47266e20e2d93dc102f95f
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1744-55-0x0000000000400000-0x000000000044B000-memory.dmp family_agenttesla behavioral1/memory/1744-56-0x000000000040188B-mapping.dmp family_agenttesla behavioral1/memory/1744-58-0x0000000000400000-0x000000000044B000-memory.dmp family_agenttesla -
Loads dropped DLL 1 IoCs
Processes:
DETAILS PROFORMA BANKING_____________pdf_____________.exepid process 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DETAILS PROFORMA BANKING_____________pdf_____________.exedescription pid process target process PID 1424 set thread context of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
DETAILS PROFORMA BANKING_____________pdf_____________.exepid process 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dw20.exepid process 1360 dw20.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
DETAILS PROFORMA BANKING_____________pdf_____________.exedescription pid process Token: SeDebugPrivilege 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
DETAILS PROFORMA BANKING_____________pdf_____________.exeDETAILS PROFORMA BANKING_____________pdf_____________.exedescription pid process target process PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1424 wrote to memory of 1744 1424 DETAILS PROFORMA BANKING_____________pdf_____________.exe DETAILS PROFORMA BANKING_____________pdf_____________.exe PID 1744 wrote to memory of 1360 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe dw20.exe PID 1744 wrote to memory of 1360 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe dw20.exe PID 1744 wrote to memory of 1360 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe dw20.exe PID 1744 wrote to memory of 1360 1744 DETAILS PROFORMA BANKING_____________pdf_____________.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 5083⤵
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nstB77E.tmp\ibmbeute.dllMD5
4b00a8fede03377e8ec902ead69358e4
SHA1a916daab58c19f2e7bb0f37f18ceba58521ac7e8
SHA2564fc85337cd5783bd1aa5056ee9c6b3099db05812b32f467696b23aaff3683c36
SHA512aece6578422664e59a85db578748efed150cdd079f7e0e7fda1ae715e1396b2536a436edb0929c979c356b4069ec2675a8a1c417fcec20ce2314d45a98fe761f
-
memory/1360-64-0x0000000000000000-mapping.dmp
-
memory/1360-66-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/1424-53-0x0000000076201000-0x0000000076203000-memory.dmpFilesize
8KB
-
memory/1744-55-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1744-56-0x000000000040188B-mapping.dmp
-
memory/1744-59-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1744-58-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1744-60-0x0000000000231000-0x0000000000232000-memory.dmpFilesize
4KB
-
memory/1744-62-0x0000000000237000-0x0000000000238000-memory.dmpFilesize
4KB
-
memory/1744-61-0x0000000000232000-0x0000000000234000-memory.dmpFilesize
8KB
-
memory/1744-63-0x0000000000238000-0x0000000000239000-memory.dmpFilesize
4KB