Overview

overview

10

Static

static

PaymentCon...on.exe

windows7_x64

10

PaymentCon...on.exe

windows10_x64

10

Analysis

  • max time kernel
    4294209s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    21-03-2022 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PaymentConfirmation.exe

  • Size

    29KB

  • MD5

    1c819edc4def5670ad7e2f7facceda93

  • SHA1

    4882d04f0b0cc6b1cc3aed86d49c724b9209c777

  • SHA256

    8143ce440d081fbd4fdb3c1dca4baa8aeaff53a350a41dd8ebe3eb51e8bd2483

  • SHA512

    12333acc054929aad86132c617e90a26166ad00dc955ecf37c37d04d530fdd866daec288ca0dce51da93a918681b2799c8d95f1873a9ef10024f24bc396d0e84

Score
10/10
agentteslananocoreevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    shoresedge.co.za
  • Port:
    587
  • Username:
    bookings@shoresedge.co.za
  • Password:
    woz]p3pgIg&W
  • Email To:
    easiacess5@gmail.com

Extracted

Family

nanocore

Version

1.2.2.0

C2

sannation.duckdns.org:2180

Mutex

04c62d04-0ba2-4935-b680-1eb56df154c3

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    sannation.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-12-31T05:30:02.915038836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2180

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    04c62d04-0ba2-4935-b680-1eb56df154c3

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sannation.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • AgentTesla Payload 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 10
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\timeout.exe
        timeout 10
        3⤵
        • Delays execution with timeout.exe
        PID:1788
    • C:\Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
      "C:\Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1008
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:640
    • C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe
      C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe purecrypter.exe
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Witdmaqzywrpbrahnytnew origin bin.exe
    MD5

    4a27672e4061a5998824886505f4e020

    SHA1

    0126388ce02700f859fbade41302226c01d6da41

    SHA256

    43daf586434a7a967a3ab7d8516c76666a6eeba6c1761cea70187e2a2e4513af

    SHA512

    e21d6645e8654d5b85ebb04a2ed174915313e3d7e33b63c5d3fa9164483b9cf3b505e603d6d4788287c15181fd60d6cbfd1fecaa8bd2bd9b9c45c2367ce6d8b0

    Download Submit
  • memory/1112-68-0x0000000004790000-0x0000000004791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1112-67-0x0000000073F50000-0x000000007463E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1112-66-0x0000000000980000-0x00000000009BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1580-84-0x00000000003F0000-0x00000000003FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1580-82-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1580-85-0x0000000073F50000-0x000000007463E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1580-86-0x0000000004D10000-0x0000000004D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1580-69-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-71-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-73-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-75-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-77-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-79-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-81-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1580-83-0x0000000000570000-0x000000000058E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1832-62-0x0000000005390000-0x00000000053DC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1832-54-0x0000000000140000-0x000000000014C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1832-60-0x0000000000640000-0x0000000000692000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1832-61-0x0000000005300000-0x0000000005352000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1832-59-0x0000000000810000-0x0000000000866000-memory.dmp
    Filesize

    344KB

    Download
  • memory/1832-58-0x0000000005900000-0x00000000059B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1832-57-0x0000000004410000-0x0000000004411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-56-0x0000000073F50000-0x000000007463E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1832-55-0x0000000075E61000-0x0000000075E63000-memory.dmp
    Filesize

    8KB

    Download