Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
22-10-2021 03:17
General
-
Target
PROFORMA COPY.exe
-
Size
338KB
-
MD5
5936715a6a40ec84592e71ccfdfc1daa
-
SHA1
380440d5690a8ed799138022a7b7678c0323c2bb
-
SHA256
3509582c5fa8e6a4cc257c72e67eec511a90790a60185bce44303fc2c39be80c
-
SHA512
d6610529fd75087bee83fc33cbc57ba1ae1ce81ab4c8e98e57b1d0b7b489cc6116db3bc6c58bc5b9c8a906d41da05305a77d90db989f0e375006fb9c42de032b
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA COPY.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsbBA2A.tmp\kivlxw.dllMD5
575dc70fae96e23a93aef3ebfdfb525b
SHA17589bbf471165323d4c0e92b8be101d95cbbeb2f
SHA256bc3cc067575a5ec3bd8fb5d1329b6f32586fd09f038fc5fafac92c2da081711e
SHA512e385b8286ffeab6252e6b99a1434b9c7526edf128e6558718add8edf0b60e24a9fc82aee34986fb517907ac966dbe7847d0115b53357f49d43c46acd1dc0a334
-
memory/2424-117-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2424-118-0x000000000040188B-mapping.dmp
-
memory/2424-120-0x00000000023E0000-0x00000000023E1000-memory.dmpFilesize
4KB
-
memory/2424-119-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2424-122-0x00000000023E2000-0x00000000023E4000-memory.dmpFilesize
8KB
-
memory/2424-121-0x00000000023E1000-0x00000000023E2000-memory.dmpFilesize
4KB
-
memory/2424-123-0x00000000023E7000-0x00000000023E8000-memory.dmpFilesize
4KB
-
memory/2424-124-0x00000000023E8000-0x00000000023E9000-memory.dmpFilesize
4KB
-
memory/2424-125-0x00000000023ED000-0x00000000023EF000-memory.dmpFilesize
8KB