Analysis
-
max time kernel
115s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:18
Static task
static1
Behavioral task
behavioral1
Sample
Invoices.scr
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Invoices.scr
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
Payment Copy.scr
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
Payment Copy.scr
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
Pictures.scr
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
Pictures.scr
Resource
win10v2004-20220414-en
General
-
Target
Pictures.scr
-
Size
614KB
-
MD5
0548042de08d966daf12706ecef02860
-
SHA1
2551f1cf8b224368ebbfaa02e39ad360c9693658
-
SHA256
1e7474f09fbb2601bdc6f5e77ec90a9db99115e8392ba1629349f9b59f54d272
-
SHA512
e0c1f998eb363454bd11dae8376b77ed373004078f61e0f8bf81baae01a5d08608290ead31236506aceacba60fa51456c49ac702bceea93f2cf14edd73931fb7
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
z123456789ok
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral6/memory/3760-142-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Pictures.scrdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Pictures.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Pictures.scr -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Pictures.scrdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Pictures.scr -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Pictures.scrdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Pictures.scr Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Pictures.scr -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Pictures.scrdescription pid process target process PID 4288 set thread context of 3760 4288 Pictures.scr MSBuild.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Pictures.scrMSBuild.exepid process 4288 Pictures.scr 4288 Pictures.scr 4288 Pictures.scr 3760 MSBuild.exe 3760 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Pictures.scrMSBuild.exedescription pid process Token: SeDebugPrivilege 4288 Pictures.scr Token: SeDebugPrivilege 3760 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exepid process 3760 MSBuild.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Pictures.scrdescription pid process target process PID 4288 wrote to memory of 4036 4288 Pictures.scr schtasks.exe PID 4288 wrote to memory of 4036 4288 Pictures.scr schtasks.exe PID 4288 wrote to memory of 4036 4288 Pictures.scr schtasks.exe PID 4288 wrote to memory of 4964 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 4964 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 4964 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe PID 4288 wrote to memory of 3760 4288 Pictures.scr MSBuild.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pictures.scr"C:\Users\Admin\AppData\Local\Temp\Pictures.scr" /S1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hydlmGyJywexkm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmpFilesize
1KB
MD57f980b8a5873762fa30d9125157ea784
SHA1c9fb0a7667532c0625763ed7e2c4deeb469e9669
SHA256ed21a104bbb317ba08ce45ecdafb88be6e9db724c6f69c94412dde058f06eb45
SHA512799e67022fa1996b2fb562ad3ada99e1d5db7069e0865dc8c4033092bb8b051c1ffee21b542372f9b764ff32567b3337e1cfbeebbef028cf4a1d094c4753f615
-
memory/3760-143-0x00000000067B0000-0x0000000006800000-memory.dmpFilesize
320KB
-
memory/3760-142-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/3760-141-0x0000000000000000-mapping.dmp
-
memory/4036-138-0x0000000000000000-mapping.dmp
-
memory/4288-133-0x00000000050E0000-0x0000000005172000-memory.dmpFilesize
584KB
-
memory/4288-136-0x0000000005400000-0x0000000005466000-memory.dmpFilesize
408KB
-
memory/4288-137-0x0000000000EE0000-0x0000000000F46000-memory.dmpFilesize
408KB
-
memory/4288-135-0x0000000005200000-0x0000000005256000-memory.dmpFilesize
344KB
-
memory/4288-134-0x0000000005020000-0x000000000502A000-memory.dmpFilesize
40KB
-
memory/4288-130-0x00000000005F0000-0x000000000068E000-memory.dmpFilesize
632KB
-
memory/4288-132-0x0000000005750000-0x0000000005CF4000-memory.dmpFilesize
5.6MB
-
memory/4288-131-0x0000000005040000-0x00000000050DC000-memory.dmpFilesize
624KB
-
memory/4964-140-0x0000000000000000-mapping.dmp