Overview

overview

10

Static

static

1

PROFORMA COPY.exe

windows7_x64

10

PROFORMA COPY.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-10-2021 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PROFORMA COPY.exe

  • Size

    338KB

  • MD5

    5936715a6a40ec84592e71ccfdfc1daa

  • SHA1

    380440d5690a8ed799138022a7b7678c0323c2bb

  • SHA256

    3509582c5fa8e6a4cc257c72e67eec511a90790a60185bce44303fc2c39be80c

  • SHA512

    d6610529fd75087bee83fc33cbc57ba1ae1ce81ab4c8e98e57b1d0b7b489cc6116db3bc6c58bc5b9c8a906d41da05305a77d90db989f0e375006fb9c42de032b

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 508
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi2EFD.tmp\kivlxw.dll
    MD5

    575dc70fae96e23a93aef3ebfdfb525b

    SHA1

    7589bbf471165323d4c0e92b8be101d95cbbeb2f

    SHA256

    bc3cc067575a5ec3bd8fb5d1329b6f32586fd09f038fc5fafac92c2da081711e

    SHA512

    e385b8286ffeab6252e6b99a1434b9c7526edf128e6558718add8edf0b60e24a9fc82aee34986fb517907ac966dbe7847d0115b53357f49d43c46acd1dc0a334

    Download Submit
  • memory/368-54-0x00000000765A1000-0x00000000765A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/704-56-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/704-57-0x000000000040188B-mapping.dmp
    Download
  • memory/704-59-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/704-61-0x0000000000321000-0x0000000000322000-memory.dmp
    Filesize

    4KB

    Download
  • memory/704-60-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/704-63-0x0000000000327000-0x0000000000328000-memory.dmp
    Filesize

    4KB

    Download
  • memory/704-62-0x0000000000322000-0x0000000000324000-memory.dmp
    Filesize

    8KB

    Download
  • memory/704-64-0x0000000000328000-0x0000000000329000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-65-0x0000000000000000-mapping.dmp
    Download
  • memory/852-67-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
    Filesize

    4KB

    Download