Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:35
- Static task: static1
- Behavioral task: behavioral1, sample Images.exe, resource win7-20220414-en
- Behavioral task: behavioral2, sample Images.exe, resource win10v2004-20220414-en
General
- Target: Images.exe
- Size: 804KB
- MD5: a4e259de56ca50059f7f23b788d50f0b
- SHA1: e1368e3a6882ffe538563abb5fe8d043cf44cd8e
- SHA256: 9297d40e8a55c2bb0d833d2210859dbe1a3486503f47781ac46cbb96d842407d
- SHA512: 660bcf708d9e4c52bc3a28b8de51620884fbd0d0203f0ec4b8e3bbdaf9e21b9f737f207380d0f41eea69f0798bb43035e9d3d95b0b5c674868d8f95b97aba667
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dicera.com
- Port: 587
- Username: [email protected]
- Password: 796147
These are the exfiltration credentials: Agent Tesla's SMTP mode sends the harvested data as mail through this account, so outbound connections to mail.dicera.com on 587 from user workstations are the network indicator to hunt for.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET; the CLR_v2.0_32 usage log in the Downloads section below is consistent with that runtime.
-
AgentTesla Payload 1 IoCs
- resource: behavioral2/memory/4440-134-0x0000000000400000-0x0000000000458000-memory.dmp, yara_rule: family_agenttesla
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: Images.exe)
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Images.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Images.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Images.exe)
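The two registry signatures above (the Geo\Nation lookup and the Outlook profile keys) are easy to turn into portable detection logic once the per-victim SID is stripped from the hive path. The following is an added example, not part of the sandbox report: the key paths are copied from the report, while the event records, the PIDs assigned to them and the rule names are constructed here.

```python
"""Classify sandbox registry-access IoCs as geofencing vs. mail-profile access.

Added example, not part of the sandbox report. The key paths below are copied
from the report; the event records and the SID normalisation are constructed.
"""
import re
from dataclasses import dataclass

# Matches a user hive prefix such as \REGISTRY\USER\S-1-5-21-...-1000\ so that
# per-victim SIDs do not defeat the patterns.
_USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)

# Signature name -> regex over the SID-stripped key path. The Office rule is
# version-agnostic so 15.0 and 16.0 (both seen in the report) hit the same rule.
RULES = {
    "Checks computer location settings": re.compile(
        r"^Control Panel\\International\\Geo\\Nation$", re.IGNORECASE),
    "outlook_office_path": re.compile(
        r"^Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.IGNORECASE),
    "outlook_win_path": re.compile(
        r"^Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\",
        re.IGNORECASE),
}


@dataclass(frozen=True)
class RegEvent:
    process: str
    pid: int
    operation: str   # "Key opened" / "Key value queried"
    key: str


def normalise(key: str) -> str:
    """Strip the per-user hive prefix so rules can be written once."""
    return _USER_HIVE.sub("", key)


def classify(event: RegEvent) -> list[str]:
    """Return the names of every rule the event's key path matches."""
    path = normalise(event.key)
    return [name for name, rx in RULES.items() if rx.search(path)]


def summarise(events):
    """Return {(process, pid): sorted matched signature names}, dropping non-hits."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out.setdefault((ev.process, ev.pid), set()).update(hits)
    return {k: sorted(v) for k, v in out.items()}


# Constructed events using the key paths from the report; the PID split follows
# the process tree (parent 1640 does the geo lookup, child 4440 reads Outlook).
SID = r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
SAMPLE_EVENTS = [
    RegEvent("Images.exe", 1640, "Key value queried", SID + r"\Control Panel\International\Geo\Nation"),
    RegEvent("Images.exe", 4440, "Key opened", SID + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    RegEvent("Images.exe", 4440, "Key opened", SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    RegEvent("Images.exe", 4440, "Key opened", SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # Constructed benign noise: an unrelated process reading an unrelated key.
    RegEvent("explorer.exe", 1234, "Key opened", SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"),
]

if __name__ == "__main__":
    for (proc, pid), names in summarise(SAMPLE_EVENTS).items():
        print(f"{proc} (pid {pid}): {', '.join(names)}")
```

A geofence lookup on its own is common in legitimate software; the combination of that lookup with opens of the Outlook profile GUID under both the Office-version path and the Windows Messaging Subsystem path, from the same image, is what makes the credential-theft intent clear.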
Suspicious use of SetThreadContext 1 IoCs
- PID 1640 set thread context of PID 4440 (Images.exe -> Images.exe)
The parent and the target share the same image path. Together with the repeated WriteProcessMemory calls into PID 4440 listed below, this is the process-hollowing (RunPE) pattern used by Agent Tesla loaders: the packed parent spawns a fresh copy of itself, overwrites its image with the decrypted payload and redirects the main thread to it. The YARA hit on the child's 0x00400000-0x00458000 region confirms that the unpacked payload lives in PID 4440, not in the file on disk.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic as likely ransomware behaviour; for an infostealer such as this sample, drive enumeration on its own should not be read as encryption activity.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 4440 Images.exe (2 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 4440 Images.exe
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 4440 Images.exe
Suspicious use of WriteProcessMemory 11 IoCs
- PID 1640 wrote to memory of PID 2264 (Images.exe -> schtasks.exe), 3 events
- PID 1640 wrote to memory of PID 4440 (Images.exe -> Images.exe), 8 events
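The SetThreadContext and WriteProcessMemory signatures above only become a hollowing verdict when they are correlated per parent/child pair: writes alone also occur when any process spawns a child (the three writes into schtasks.exe are that ordinary footprint), while a thread-context rewrite into a process that has also been written to is the RunPE shape. The following is an added example, not part of the sandbox report: the event records are constructed from the PIDs and API names the report lists, and the field names are assumptions.

```python
"""Correlate sandbox API events into a process-hollowing (RunPE) verdict.

Added example, not part of the sandbox report. Event records are constructed
from the PIDs and API names the report lists; field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    api: str            # "WriteProcessMemory" or "SetThreadContext"
    pid: int            # calling process
    image: str          # calling process image name
    target_pid: int
    target_image: str


def find_hollowing(events, min_writes: int = 1):
    """Return verdicts keyed by (source_pid, target_pid).

    A pair is flagged when the source both writes into the target's memory and
    rewrites a thread context there. A same-image pair is the classic "unpack
    into a fresh copy of myself" loader shape; a writes-only target (such as a
    freshly spawned schtasks.exe) is reported but not flagged.
    """
    writes = defaultdict(int)
    ctx = set()
    images = {}
    for ev in events:
        key = (ev.pid, ev.target_pid)
        images[key] = (ev.image, ev.target_image)
        if ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext":
            ctx.add(key)
    verdicts = {}
    for key, (src, dst) in images.items():
        hollowed = key in ctx and writes[key] >= min_writes
        verdicts[key] = {
            "source": src,
            "target": dst,
            "writes": writes[key],
            "set_thread_context": key in ctx,
            "hollowing": hollowed,
            "self_injection": hollowed and src.lower() == dst.lower(),
        }
    return verdicts


# Constructed from the report: 3 writes into schtasks.exe (2264), 8 writes plus
# one SetThreadContext into the second Images.exe (4440), all from PID 1640.
SAMPLE_EVENTS = (
    [ApiEvent("WriteProcessMemory", 1640, "Images.exe", 2264, "schtasks.exe")] * 3
    + [ApiEvent("WriteProcessMemory", 1640, "Images.exe", 4440, "Images.exe")] * 8
    + [ApiEvent("SetThreadContext", 1640, "Images.exe", 4440, "Images.exe")]
)

if __name__ == "__main__":
    for (src_pid, dst_pid), v in find_hollowing(SAMPLE_EVENTS).items():
        flag = "HOLLOWING" if v["hollowing"] else "writes only"
        print(f"{v['source']}({src_pid}) -> {v['target']}({dst_pid}): "
              f"{v['writes']} writes, ctx={v['set_thread_context']}: {flag}")
```

On a real endpoint the same correlation is done over ETW or EDR API telemetry; the point is that the verdict is a join across two event types on the (source, target) pair, not a match on either API in isolation.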
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Images.exe)
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Images.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Images.exe (PID 1640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Images.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2264)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDLFZdaeSvRT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"
    The command line names System32, but the 32-bit parent is subject to WOW64 file-system redirection, so the process that actually runs is the SysWOW64 copy. The task definition is imported from a temporary XML file rather than given inline, which hides the trigger and action from the command line.
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Images.exe (PID 4440, hollowed copy carrying the unpacked payload)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Images.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
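The schtasks invocation in the process tree is a compact persistence signature: a /Create with a task name under Updates\ made of random letters and a /XML definition pulled from a tmpXXXX.tmp file in the user's Temp directory. The following is an added example, not part of the sandbox report, that scores schtasks command lines for that shape; the first sample line is copied from the report, the other lines, the thresholds and the regexes are constructed.

```python
"""Triage schtasks.exe command lines for the loader-style persistence shape.

Added example, not part of the sandbox report. The first sample command line
is copied from the report; the other lines, regexes and scoring are constructed.
"""
import re


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style argv split: double quotes group, no escapes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return the /Create options of interest, matched case-insensitively."""
    argv = split_windows_cmdline(cmdline)
    opts = {"create": False, "tn": None, "xml": None, "tr": None}
    i = 1  # argv[0] is the schtasks.exe path itself
    while i < len(argv):
        a = argv[i].lower()
        if a == "/create":
            opts["create"] = True
        elif a in ("/tn", "/xml", "/tr") and i + 1 < len(argv):
            opts[a[1:]] = argv[i + 1]
            i += 1
        i += 1
    return opts


# Constructed heuristics derived from the report's command line.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_NAME = re.compile(r"\\tmp[0-9A-F]{4}\.tmp$", re.IGNORECASE)
RANDOM_TN = re.compile(r"^Updates\\[A-Za-z]{8,}$")


def score(cmdline: str) -> tuple[int, list[str]]:
    """Score a schtasks command line; higher means more loader-like.

    Only /Create is scored: queries, deletes and runs of an existing task are
    not persistence on their own.
    """
    o = parse_schtasks(cmdline)
    reasons = []
    if not o["create"]:
        return 0, reasons
    if o["xml"] and TEMP_DIR.search(o["xml"]):
        reasons.append("task definition imported from a per-user Temp path")
    if o["xml"] and TMP_NAME.search(o["xml"]):
        reasons.append("task XML has a tmpXXXX.tmp name (transient, usually deleted)")
    if o["tn"] and RANDOM_TN.match(o["tn"]):
        reasons.append("task name is Updates\\<random letters>")
    return len(reasons), reasons


SAMPLE_CMDLINES = [
    # From the report.
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDLFZdaeSvRT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"',
    # Constructed benign line: an installer registering a task with an inline action.
    r'schtasks.exe /Create /TN "Vendor\Updater" /TR "C:\Program Files\Vendor\update.exe" /SC DAILY',
    # Constructed: a query against the same task name, not a creation.
    r'schtasks.exe /Query /TN "Updates\kDLFZdaeSvRT"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        n, why = score(line)
        print(f"score={n}: {line}")
        for r in why:
            print(f"    - {r}")
```

Because the XML file is normally deleted after import, the durable artefact to recover on a live host is the registered task itself (under the Updates folder in the Task Scheduler library), which still records the action path the XML specified.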
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Images.exe.log (496B)
  The CLR usage log shows the sample executing under the 32-bit .NET CLR v2.0.
  - MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  - SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  - SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  - SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
- C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp (1KB)
  The scheduled-task XML passed to schtasks /XML in the process tree above.
  - MD5: c8e3e8e10a99b6aec58bbec2ef37a68a
  - SHA1: b9be42e3ce6509df2c85386d037e77f960ce7aec
  - SHA256: e2c91fe6687c50ae9b8ac4a5cc3e8f87b0264fa912f3ac6f562c42c01f60e8b0
  - SHA512: 715b1c2ed6cc19b6781e83d9234d8cee70907a8f9561c8b6ce28035f6ba4ea6a5092efe096400a8fb87d586e85df8b2adc8a517eeebc1deb7091e497ce1ad73b
- memory/1640-130-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)
- memory/2264-131-0x0000000000000000-mapping.dmp
- memory/4440-133-0x0000000000000000-mapping.dmp
- memory/4440-134-0x0000000000400000-0x0000000000458000-memory.dmp (352KB; the region that matched the family_agenttesla YARA rule, i.e. the unpacked payload in the hollowed child)
- memory/4440-136-0x0000000074E80000-0x0000000075431000-memory.dmp (5.7MB)