Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 13:08
Static task
- static1

Behavioral task
- behavioral1
  - Sample: USD 58,508.80.exe
  - Resource: win7-en-20211014

Behavioral task
- behavioral2
  - Sample: USD 58,508.80.exe
  - Resource: win10-en-20211014
General
- Target: USD 58,508.80.exe
- Size: 430KB
- MD5: 99c99ae716fba538d8685f2e9d5f9be5
- SHA1: 4aac17819f8dc6a9435481fda825936c47aeb489
- SHA256: 9dc6644b59a4c37995b0c017256d938e03f6dc26a7b2cfee9f6eac92d8457dc6
- SHA512: aafd92aae54543999bc54cc9f3ab1126a52c5d91e4bbca17c9bf07d36132c84c1b76e945d1ce3ccd5dcecb1d187a225ed85423ab0338ccbc7dc016a9ed1e6750
Malware Config
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (3 IoCs)
  Processes:

  | resource | yara_rule |
  | --- | --- |
  | behavioral2/memory/2220-116-0x0000000000400000-0x000000000044B000-memory.dmp | family_agenttesla |
  | behavioral2/memory/2220-117-0x000000000040188B-mapping.dmp | family_agenttesla |
  | behavioral2/memory/2220-118-0x0000000000400000-0x000000000044B000-memory.dmp | family_agenttesla |
- Loads dropped DLL (1 IoC)
  Processes:

  | pid | process |
  | --- | --- |
  | 2696 | USD 58,508.80.exe |
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:

  | description | ioc | process |
  | --- | --- | --- |
  | Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | USD 58,508.80.exe |
  | Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | USD 58,508.80.exe |
  | Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | USD 58,508.80.exe |
- Suspicious use of SetThreadContext (1 IoC)
  Processes:

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 2696 set thread context of 2220 | 2696 | USD 58,508.80.exe | USD 58,508.80.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:

  | pid | process |
  | --- | --- |
  | 2220 | USD 58,508.80.exe |
  | 2220 | USD 58,508.80.exe |
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:

  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 2220 | USD 58,508.80.exe |
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (the same entry is recorded 10 times in the report):

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 2696 wrote to memory of 2220 | 2696 | USD 58,508.80.exe | USD 58,508.80.exe |
- outlook_office_path (1 IoC)
  Processes:

  | description | ioc | process |
  | --- | --- | --- |
  | Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | USD 58,508.80.exe |

- outlook_win_path (1 IoC)
  Processes:

  | description | ioc | process |
  | --- | --- | --- |
  | Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | USD 58,508.80.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\USD 58,508.80.exe (tree depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\USD 58,508.80.exe")
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\USD 58,508.80.exe (tree depth 2, child of the process above; command line: "C:\Users\Admin\AppData\Local\Temp\USD 58,508.80.exe")
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiCC3B.tmp\woskyvpzx.dll
  - MD5: dd4ff4b24f8b39951e3946a5282b7ed0
  - SHA1: d4d1015d01326ba4526fcff52e4c9bbb271d951e
  - SHA256: f880d09a6f9bc64f974844f92fa9bb764dc2613342fde134d8c037a2267506bc
  - SHA512: 6e822b523f15948a42b1d2703525c8f3744fbb6a7e3aff99345908822fbd65dafe38d6972976211f9558c712d65be1c1a42bb9dabb63fb4576c409ce95e93528
- Memory dumps:

  | dump | Filesize |
  | --- | --- |
  | memory/2220-116-0x0000000000400000-0x000000000044B000-memory.dmp | 300KB |
  | memory/2220-117-0x000000000040188B-mapping.dmp | |
  | memory/2220-118-0x0000000000400000-0x000000000044B000-memory.dmp | 300KB |
  | memory/2220-120-0x0000000002261000-0x0000000002262000-memory.dmp | 4KB |
  | memory/2220-119-0x0000000002260000-0x0000000002261000-memory.dmp | 4KB |
  | memory/2220-121-0x0000000002262000-0x0000000002264000-memory.dmp | 8KB |
  | memory/2220-122-0x0000000002267000-0x0000000002268000-memory.dmp | 4KB |
  | memory/2220-123-0x0000000002268000-0x0000000002269000-memory.dmp | 4KB |
  | memory/2220-124-0x000000000226D000-0x000000000226F000-memory.dmp | 8KB |