Analysis
- max time kernel: 125s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 11:08
Static task: static1
Behavioral task: behavioral1
- Sample: Ödeme kopyası.exe
- Resource: win7-en-20211014
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Ödeme kopyası.exe
- Resource: win10-en-20210920
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: Ödeme kopyası.exe
- Size: 436KB
- MD5: eac421737ef2cf033f7399607f34d946
- SHA1: c6e9b4c0763232456442a64ed2ceaf2d23507a38
- SHA256: 9a95d7fb967f170e7ab4a627dd7d6a3434f459af5920677fe9ee302751cad91f
- SHA512: 1d5cc4a66c0dfcde58e700335f55ea9d4a01baa8114a8d8aec500dda3945bee6b4a5f7beccdac05bfdfd9120277c9d16a8820176a8294bace8259e9f078e547e
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.tccinfaes.com
  - Port: 587
  - Username: [email protected]
  - Password: TccBps1427log
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2696-124-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/2696-125-0x000000000043763E-mapping.dmp | family_agenttesla
  behavioral2/memory/2696-130-0x0000000005580000-0x0000000005A7E000-memory.dmp | family_agenttesla
  behavioral2/memory/2696-135-0x0000000005580000-0x0000000005A7E000-memory.dmp | family_agenttesla
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Ödeme kopyası.exe
  description | pid | process | target process
  PID 2072 set thread context of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  2696 | RegSvcs.exe
  2696 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 2696 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Ödeme kopyası.exe
  description | pid | process | target process
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
  PID 2072 wrote to memory of 2696 | 2072 | Ödeme kopyası.exe | RegSvcs.exe
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.exe (PID 2072, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2696, tree level 2, child of Ödeme kopyası.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2072-115-0x0000000000960000-0x0000000000961000-memory.dmp (Filesize: 4KB)
- memory/2072-117-0x0000000005840000-0x0000000005841000-memory.dmp (Filesize: 4KB)
- memory/2072-118-0x0000000005200000-0x0000000005201000-memory.dmp (Filesize: 4KB)
- memory/2072-119-0x00000000052C0000-0x00000000052C1000-memory.dmp (Filesize: 4KB)
- memory/2072-120-0x0000000005160000-0x00000000051F2000-memory.dmp (Filesize: 584KB)
- memory/2072-121-0x0000000007030000-0x0000000007037000-memory.dmp (Filesize: 28KB)
- memory/2072-122-0x00000000088F0000-0x00000000088F1000-memory.dmp (Filesize: 4KB)
- memory/2072-123-0x0000000008A90000-0x0000000008AE8000-memory.dmp (Filesize: 352KB)
- memory/2696-124-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2696-125-0x000000000043763E-mapping.dmp
- memory/2696-130-0x0000000005580000-0x0000000005A7E000-memory.dmp (Filesize: 5.0MB)
- memory/2696-131-0x0000000005A30000-0x0000000005A31000-memory.dmp (Filesize: 4KB)
- memory/2696-132-0x00000000061E0000-0x00000000061E1000-memory.dmp (Filesize: 4KB)
- memory/2696-135-0x0000000005580000-0x0000000005A7E000-memory.dmp (Filesize: 5.0MB)