Overview

overview

10

Static

static

Purchase O...TK.exe

windows7_x64

10

Purchase O...TK.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order PO20211027STK.exe

  • Size

    127KB

  • MD5

    2f2102ec5776497950e89e419515efee

  • SHA1

    1d3dd4ed88af22c3de29c918b37db6f0b73c94c4

  • SHA256

    7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347

  • SHA512

    963b79cb63703ea6a6e8d70bbe76fadc660e10b801283a3812a76f773ee36210171437794dad0b4ee11e8a2f34645c88c7463526be03274ffdf48ec81823032a

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.construccionsjpallas.com
  • Port:
    587
  • Username:
    qualitat@construccionsjpallas.com
  • Password:
    zXHR1YDJL5

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • AgentTesla Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order PO20211027STK.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO20211027STK.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\SPORENE.exe
      C:\Users\Admin\AppData\Local\Temp\SPORENE.exe
      2⤵
      • Executes dropped EXE
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        C:\Users\Admin\AppData\Local\Temp\SPORENE.exe
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SPORENE.exe
    MD5

    582a642df36cdac38982e4842f370b44

    SHA1

    3dd6d0cecd4cd9414d7df148f7c46548c5709d62

    SHA256

    361deddf3e436753730dbb20842fbd6d1ef2ec27c56cd9da99e87751c3bbe890

    SHA512

    e9c94417acef2b33ded79182c8b397e2693a74d290e78e286ae7576c998bf14f39f370c06bc40c9dffdf2de2e7f680aa0f33d74db508e15eeaf1d31be8d06bb6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SPORENE.exe
    MD5

    582a642df36cdac38982e4842f370b44

    SHA1

    3dd6d0cecd4cd9414d7df148f7c46548c5709d62

    SHA256

    361deddf3e436753730dbb20842fbd6d1ef2ec27c56cd9da99e87751c3bbe890

    SHA512

    e9c94417acef2b33ded79182c8b397e2693a74d290e78e286ae7576c998bf14f39f370c06bc40c9dffdf2de2e7f680aa0f33d74db508e15eeaf1d31be8d06bb6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SPORENE.exe
    MD5

    582a642df36cdac38982e4842f370b44

    SHA1

    3dd6d0cecd4cd9414d7df148f7c46548c5709d62

    SHA256

    361deddf3e436753730dbb20842fbd6d1ef2ec27c56cd9da99e87751c3bbe890

    SHA512

    e9c94417acef2b33ded79182c8b397e2693a74d290e78e286ae7576c998bf14f39f370c06bc40c9dffdf2de2e7f680aa0f33d74db508e15eeaf1d31be8d06bb6

    Download Submit
  • memory/564-64-0x0000000077140000-0x00000000772C0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/564-60-0x00000000019F0000-0x0000000001A09000-memory.dmp
    Filesize

    100KB

    Download
  • memory/564-63-0x0000000076F60000-0x0000000077109000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/564-66-0x0000000077140000-0x00000000772C0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/764-67-0x0000000000250000-0x0000000000350000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/764-70-0x0000000076F60000-0x0000000077109000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/764-71-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/764-72-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/764-73-0x0000000020370000-0x0000000020371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
    Filesize

    8KB

    Download