Analysis
max time kernel: 138s
max time network: 132s
platform: windows10_x64
resource: win10-en-20211014
submitted: 02-12-2021 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-en-20211014 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: SOA.exe
Size: 693KB
MD5: d6264b641a92dc68f18a0b2ad6a8b7b7
SHA1: 3810f6de85581a6e58e983f332044e36c9e19703
SHA256: cae83e99c0f43ff07b4ca8965f740e463378e3547323feb5331bb50f8c333873
SHA512: 72d30018fc2996afe1b62f52dbd5053ed5ad44f4301ef4e24fca52fc7bb0adb0ec6060ae3692a2b2a5f34313f64b0e79f59e37f288d050010460bc1fa65c1dce
Malware Config
Extracted
Family: agenttesla
Credentials:
  Protocol: smtp
  Host: mail.scsgroups.com
  Port: 587
  Username: [email protected]
  Password: Scs@looi1007
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/908-125-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/908-126-0x000000000043763E-mapping.dmp | family_agenttesla
behavioral2/memory/908-131-0x00000000050A0000-0x000000000559E000-memory.dmp | family_agenttesla
Drops file in Drivers directory (1 IoC)
Processes: RegSvcs.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | RegSvcs.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: SOA.exe
description | pid | process | target process
PID 3924 set thread context of 908 | 3924 | SOA.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: SOA.exe, RegSvcs.exe
pid | process
3924 | SOA.exe
3924 | SOA.exe
908 | RegSvcs.exe
908 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SOA.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 3924 | SOA.exe
Token: SeDebugPrivilege | 908 | RegSvcs.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegSvcs.exe
pid | process
908 | RegSvcs.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: SOA.exe
description | pid | process | target process
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
PID 3924 wrote to memory of 908 | 3924 | SOA.exe | RegSvcs.exe
outlook_office_path (1 IoC)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
outlook_win_path (1 IoC)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SOA.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
   - Drops file in Drivers directory
   - Accesses Microsoft Outlook profiles
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - outlook_office_path
   - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/908-125-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
memory/908-133-0x0000000005D00000-0x0000000005D01000-memory.dmp (Filesize: 4KB)
memory/908-132-0x0000000005260000-0x0000000005261000-memory.dmp (Filesize: 4KB)
memory/908-131-0x00000000050A0000-0x000000000559E000-memory.dmp (Filesize: 5.0MB)
memory/908-126-0x000000000043763E-mapping.dmp
memory/3924-119-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize: 4KB)
memory/3924-122-0x00000000059C0000-0x00000000059C1000-memory.dmp (Filesize: 4KB)
memory/3924-123-0x0000000006380000-0x0000000006381000-memory.dmp (Filesize: 4KB)
memory/3924-124-0x00000000064C0000-0x0000000006559000-memory.dmp (Filesize: 612KB)
memory/3924-121-0x0000000005870000-0x0000000005878000-memory.dmp (Filesize: 32KB)
memory/3924-120-0x00000000056E0000-0x0000000005BDE000-memory.dmp (Filesize: 5.0MB)
memory/3924-115-0x0000000000C60000-0x0000000000C61000-memory.dmp (Filesize: 4KB)
memory/3924-118-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize: 4KB)
memory/3924-117-0x0000000005BE0000-0x0000000005BE1000-memory.dmp (Filesize: 4KB)