Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 30-11-2021 08:03

Static task: static1
Behavioral task: behavioral1
- Sample: PICTURE DRAWING DESIGN.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: PICTURE DRAWING DESIGN.exe
- Resource: win10-en-20211014
General
- Target: PICTURE DRAWING DESIGN.exe
- Size: 986KB
- MD5: bbc6caf6cfe3428798205216c2df85e1
- SHA1: ac68d4c0eb019bb5586057d2deb2174af18ad45a
- SHA256: eb869a427757689033110327cdcfbe5d406a47f60b3529b8903b0d00c1deb6e3
- SHA512: 51dfda000e6dbb2f142c09e129b6fd87884ef3b642d289d69e2ceeee57d95386f22372bfb18038225d7bf37d5521776d7f072a2af174e1cfeb27d1df2565707b
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.schoolofspanish.co.za
- Port: 587
- Username: vds@schoolofspanish.co.za
- Password: %pJ@=BsZ?pQv
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests stored credentials from browsers and mail clients and exfiltrates them, in this sample over SMTP using the account in the extracted config.
-
AgentTesla Payload (5 IoCs)
YARA rule family_agenttesla matched in:
- behavioral1/memory/1756-64-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral1/memory/1756-65-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral1/memory/1756-66-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral1/memory/1756-67-0x0000000000436DDE-mapping.dmp
- behavioral1/memory/1756-68-0x0000000000400000-0x000000000043C000-memory.dmp
-
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
YARA rule agile_net matched in:
- behavioral1/memory/692-58-0x0000000000B40000-0x0000000000B61000-memory.dmp
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Registry keys opened by PICTURE DRAWING DESIGN.exe:
- \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Suspicious use of SetThreadContext (1 IoC)
- PID 692 (PICTURE DRAWING DESIGN.exe) set thread context of PID 1756 (PICTURE DRAWING DESIGN.exe)
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 692 PICTURE DRAWING DESIGN.exe (2 events)
- PID 1756 PICTURE DRAWING DESIGN.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 692 PICTURE DRAWING DESIGN.exe
- Token: SeDebugPrivilege, PID 1756 PICTURE DRAWING DESIGN.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1756 PICTURE DRAWING DESIGN.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 692 (PICTURE DRAWING DESIGN.exe) wrote to memory of PID 1756 (PICTURE DRAWING DESIGN.exe), 9 identical events
-
outlook_office_path (1 IoC)
- Key opened by PICTURE DRAWING DESIGN.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
- Key opened by PICTURE DRAWING DESIGN.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- "C:\Users\Admin\AppData\Local\Temp\PICTURE DRAWING DESIGN.exe" (PID 692)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: "C:\Users\Admin\AppData\Local\Temp\PICTURE DRAWING DESIGN.exe" (PID 1756)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
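Read together, the signatures above describe one chain: PID 692 spawns a second copy of its own image, writes into it nine times and resets a thread context (the classic hollowing sequence), and the child PID 1756 then opens the Outlook profile keys and installs a Windows hook. The YARA hit on the child's 0x400000-0x43C000 region plus the separate "mapping" dump at 0x436DDE fit that picture: the injected image lives at the original base and the new entry point lies inside it. The following added example (not Triage's code) replays those events as a small offline detection over constructed API-hook-style records; the field names and the parent PID 1234 of the first process are assumptions, and the benign same-image parent/child pair shows the pattern does not fire without the memory write and context reset.

```python
"""Added example (not Triage's code): detect the self-hollowing + mail-profile
+ hook chain recorded in this report, over constructed sandbox-style events."""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\PICTURE DRAWING DESIGN.exe"
SID = "S-1-5-21-103686315-404690609-2047157615-1000"
PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"
OFFICE_KEY = r"\REGISTRY\USER\{}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\{}"
WMS_KEY = (r"\REGISTRY\USER\{}\Software\Microsoft\Windows NT\CurrentVersion"
           r"\Windows Messaging Subsystem\Profiles\Outlook\{}")

# Constructed events modelled on the report (field names are assumptions;
# the parent PID 1234 of the first process is not in the report).
EVENTS = [
    {"type": "ProcessCreate", "pid": 692, "ppid": 1234, "image": IMAGE},
    {"type": "AdjustPrivilegeToken", "pid": 692, "privilege": "SeDebugPrivilege"},
    {"type": "ProcessCreate", "pid": 1756, "ppid": 692, "image": IMAGE},
]
EVENTS += [{"type": "WriteProcessMemory", "pid": 692, "target_pid": 1756} for _ in range(9)]
EVENTS += [
    {"type": "SetThreadContext", "pid": 692, "target_pid": 1756},
    {"type": "AdjustPrivilegeToken", "pid": 1756, "privilege": "SeDebugPrivilege"},
    {"type": "RegistryOpen", "pid": 1756, "key": OFFICE_KEY.format(SID, PROFILE_GUID)},
    {"type": "RegistryOpen", "pid": 1756, "key": WMS_KEY.format(SID, PROFILE_GUID)},
    {"type": "SetWindowsHookEx", "pid": 1756},
]

# Benign control: a same-image child with no memory write or context reset.
BENIGN_EVENTS = [
    {"type": "ProcessCreate", "pid": 300, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"type": "ProcessCreate", "pid": 301, "ppid": 300, "image": r"C:\Program Files\Browser\browser.exe"},
]

# Office\<ver>\Outlook\Profiles\ or Windows Messaging Subsystem\Profiles\
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE)


def detect_self_hollowing(events):
    """(parent, child) pairs where the parent spawned its own image, wrote into
    the child and then called SetThreadContext on it."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "ProcessCreate"}
    wrote, ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "WriteProcessMemory":
            wrote[e["pid"]].add(e["target_pid"])
        elif e["type"] == "SetThreadContext":
            ctx[e["pid"]].add(e["target_pid"])
    return sorted({(ppid, child) for child, ppid in parent.items()
                   if image.get(child) == image.get(ppid)
                   and child in wrote[ppid] and child in ctx[ppid]})


def detect_outlook_profile_access(events):
    """PIDs that opened an Outlook profile key (the lookup behind the report's
    'Accesses Microsoft Outlook profiles' signature)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "RegistryOpen" and OUTLOOK_PROFILE_RE.search(e["key"])})


def detect_hooked_hollow_child(events):
    """Hollowed children that then install a Windows hook, as PID 1756 did."""
    children = {child for _, child in detect_self_hollowing(events)}
    return sorted({e["pid"] for e in events
                   if e["type"] == "SetWindowsHookEx" and e["pid"] in children})


def entry_in_injected_image(region_start, region_end, entry):
    """True when the recorded entry address lies inside the YARA-flagged region."""
    return region_start <= entry < region_end


def triage(events):
    return {"self_hollowing": detect_self_hollowing(events),
            "outlook_profile_access": detect_outlook_profile_access(events),
            "hooked_hollow_child": detect_hooked_hollow_child(events)}


if __name__ == "__main__":
    print(triage(EVENTS))
    print(triage(BENIGN_EVENTS))
    print(hex(0x43C000 - 0x400000), entry_in_injected_image(0x400000, 0x43C000, 0x436DDE))
```

On a production host these API-level events come from EDR or sandbox hooking as in this report; Sysmon does not log WriteProcessMemory or SetThreadContext directly, so an equivalent rule there has to lean on ProcessAccess (event 10) with write/thread-context access masks against a same-image child.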
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
- memory/692-55-0x0000000000D40000-0x0000000000D41000-memory.dmp: 4KB
- memory/692-57-0x0000000004E90000-0x0000000004E91000-memory.dmp: 4KB
- memory/692-58-0x0000000000B40000-0x0000000000B61000-memory.dmp: 132KB
- memory/692-59-0x0000000004E91000-0x0000000004E92000-memory.dmp: 4KB
- memory/692-60-0x0000000000A40000-0x0000000000A4B000-memory.dmp: 44KB
- memory/692-61-0x0000000000A90000-0x0000000000A91000-memory.dmp: 4KB
- memory/1756-62-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-63-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-64-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-65-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-66-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-67-0x0000000000436DDE-mapping.dmp
- memory/1756-68-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1756-70-0x00000000049F0000-0x00000000049F1000-memory.dmp: 4KB