Analysis
- max time kernel: 93s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 11:57
Static task: static1

Behavioral task: behavioral1
- Sample: 20211020 Copy of Customer transfer.exe
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: 20211020 Copy of Customer transfer.exe
- Resource: win10-en-20210920
General
- Target: 20211020 Copy of Customer transfer.exe
- Size: 518KB
- MD5: 8c8822a2a0b6329a010fa758ee7f3504
- SHA1: 387e696061c2cbd9c492e19dca1b5a427ef3eb82
- SHA256: 608662439f0e1f66bdaf62c1e0167a4e9d51c7aeabc8367b94c0f0b88daf2bb2
- SHA512: cc7078dab3f65ecf176c8fd0d0e88971e935fdde1267eb2720b481f54e531ffc49d6fabb4f713c61acaab4571efc5ab7f559e61c10a5ee458f25f225dca20b0d
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  behavioral2/memory/3608-116-0x0000000000400000-0x000000000044B000-memory.dmp / family_agenttesla
  behavioral2/memory/3608-117-0x000000000040188B-mapping.dmp / family_agenttesla
  behavioral2/memory/3608-118-0x0000000000400000-0x000000000044B000-memory.dmp / family_agenttesla
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  1752 / 20211020 Copy of Customer transfer.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 20211020 Copy of Customer transfer.exe
  Key opened / \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 20211020 Copy of Customer transfer.exe
  Key opened / \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 20211020 Copy of Customer transfer.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  PID 1752 set thread context of 3608 / 1752 / 20211020 Copy of Customer transfer.exe / 20211020 Copy of Customer transfer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  3608 / 20211020 Copy of Customer transfer.exe
  3608 / 20211020 Copy of Customer transfer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 3608 / 20211020 Copy of Customer transfer.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process), 10 identical events:
  PID 1752 wrote to memory of 3608 / 1752 / 20211020 Copy of Customer transfer.exe / 20211020 Copy of Customer transfer.exe
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 20211020 Copy of Customer transfer.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / 20211020 Copy of Customer transfer.exe
Processes
- Process 1: C:\Users\Admin\AppData\Local\Temp\20211020 Copy of Customer transfer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20211020 Copy of Customer transfer.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- Process 2 (child of process 1): C:\Users\Admin\AppData\Local\Temp\20211020 Copy of Customer transfer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20211020 Copy of Customer transfer.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsiE466.tmp\zsltqlmmr.dll
  MD5: b4ca995a4d74ca142bf15eb1db804e8c
  SHA1: 9f7dad03725c71a598359215d153a3906ede0e03
  SHA256: 5ea65656cad334963949bd2ba8f8603090e6dbfc499cb7b802dd0e5a16197572
  SHA512: 47b51f6c060369de1066d5ad1682620a602642a8d4290ff64857e8f614538a330f8155fb58577894e78dff7d0a33171cada2571cff1df600c4446d2bdcd6c389
- memory/3608-116-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize: 300KB)
- memory/3608-117-0x000000000040188B-mapping.dmp
- memory/3608-118-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize: 300KB)
- memory/3608-119-0x00000000021D0000-0x00000000021D1000-memory.dmp (Filesize: 4KB)
- memory/3608-120-0x00000000021D1000-0x00000000021D2000-memory.dmp (Filesize: 4KB)
- memory/3608-121-0x00000000021D2000-0x00000000021D4000-memory.dmp (Filesize: 8KB)
- memory/3608-123-0x00000000021D8000-0x00000000021D9000-memory.dmp (Filesize: 4KB)
- memory/3608-122-0x00000000021D7000-0x00000000021D8000-memory.dmp (Filesize: 4KB)
- memory/3608-124-0x00000000021DD000-0x00000000021DF000-memory.dmp (Filesize: 8KB)