Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 17:05
Static task
static1
Behavioral task
behavioral1
Sample
001-Payment Copy_jpg.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
001-Payment Copy_jpg.exe
Resource
win10-en-20210920
General
-
Target
001-Payment Copy_jpg.exe
-
Size
138KB
-
MD5
e38c39929d384898ca31dce2025a5a5d
-
SHA1
d6cbaa65c555d812c8bb4fbd6b3cd96194c19e9d
-
SHA256
071c2735b8c6d74c6a792f526a51c9cf33b736af9d5cb392ae36ed2d636b777c
-
SHA512
bbc9accf729faf4553568b45414fc7d6f0939d57effa6b2b310a20c64bf1ea884090bfeeccc2fb851e50c83b82fa23bf2ff92422ed675575ad6d475742df26cf
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.tccinfaes.com - Port:
587 - Username:
margaridasantos@tccinfaes.com - Password:
TccBps1427log
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4080-121-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/4080-122-0x000000000043763E-mapping.dmp family_agenttesla behavioral2/memory/4080-127-0x0000000004DF0000-0x00000000052EE000-memory.dmp family_agenttesla -
Downloads MZ/PE file
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Aspnet_compiler.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Aspnet_compiler.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Aspnet_compiler.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Aspnet_compiler.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
001-Payment Copy_jpg.exedescription pid process target process PID 768 set thread context of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Aspnet_compiler.exepid process 4080 Aspnet_compiler.exe 4080 Aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
001-Payment Copy_jpg.exeAspnet_compiler.exedescription pid process Token: SeDebugPrivilege 768 001-Payment Copy_jpg.exe Token: SeDebugPrivilege 4080 Aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
001-Payment Copy_jpg.exedescription pid process target process PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe PID 768 wrote to memory of 4080 768 001-Payment Copy_jpg.exe Aspnet_compiler.exe -
outlook_office_path 1 IoCs
Processes:
Aspnet_compiler.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Aspnet_compiler.exe -
outlook_win_path 1 IoCs
Processes:
Aspnet_compiler.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\001-Payment Copy_jpg.exe"C:\Users\Admin\AppData\Local\Temp\001-Payment Copy_jpg.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/768-115-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/768-117-0x0000000001550000-0x0000000001552000-memory.dmpFilesize
8KB
-
memory/768-118-0x000000001B9D0000-0x000000001B9D2000-memory.dmpFilesize
8KB
-
memory/768-119-0x000000001B9C0000-0x000000001B9C8000-memory.dmpFilesize
32KB
-
memory/768-120-0x000000001C210000-0x000000001C212000-memory.dmpFilesize
8KB
-
memory/4080-121-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4080-122-0x000000000043763E-mapping.dmp
-
memory/4080-125-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4080-126-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/4080-127-0x0000000004DF0000-0x00000000052EE000-memory.dmpFilesize
5.0MB
-
memory/4080-128-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/4080-129-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/4080-130-0x0000000005FE0000-0x0000000005FE1000-memory.dmpFilesize
4KB
-
memory/4080-131-0x0000000005F40000-0x0000000005F41000-memory.dmpFilesize
4KB