Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:35

General

  • Target

    Images.exe

  • Size

    804KB

  • MD5

    a4e259de56ca50059f7f23b788d50f0b

  • SHA1

    e1368e3a6882ffe538563abb5fe8d043cf44cd8e

  • SHA256

    9297d40e8a55c2bb0d833d2210859dbe1a3486503f47781ac46cbb96d842407d

  • SHA512

    660bcf708d9e4c52bc3a28b8de51620884fbd0d0203f0ec4b8e3bbdaf9e21b9f737f207380d0f41eea69f0798bb43035e9d3d95b0b5c674868d8f95b97aba667

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dicera.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    796147

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, clipboard capture, browser and email-client credential theft), commonly built in Visual Basic .NET or C#. It exfiltrates over SMTP, FTP or HTTP; the extracted config above uses SMTP. The CLR_v2.0_32 usage log dropped below is consistent with a 32-bit .NET 2.0/3.5 binary.

  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data (profiles, account settings, saved credentials) on disk, where infostealers routinely target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This generic signature is commonly associated with ransomware (enumerating volumes before encryption), but drive enumeration is also routine for stealers; the rest of this report points to AgentTesla, not ransomware.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    schtasks.exe is often used by malware for persistence or to trigger post-infection execution. Here the task is imported from an XML file with a GetTempFileName-style name (tmpDA91.tmp) written to %TEMP% by the parent, and registered under a benign-looking "Updates\" task folder.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Images.exe
    "C:\Users\Admin\AppData\Local\Temp\Images.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDLFZdaeSvRT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2264
    • C:\Users\Admin\AppData\Local\Temp\Images.exe
      "C:\Users\Admin\AppData\Local\Temp\Images.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4440
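The process tree above shows the two behaviours worth alerting on: schtasks.exe /Create importing task XML from a user-writable %TEMP% path while the parent itself runs from %TEMP%, and Images.exe re-launching a second copy of itself, which together with the SetThreadContext/WriteProcessMemory flags is the shape of process hollowing. The following is an added detection example (Python, not part of the sandbox report or of any tooling it describes). It runs these checks over constructed Sysmon Event ID 1 style process-creation records modelled on the tree; the record fields, the PID-to-parent mapping (PID 1000 as the root parent) and the benign "vendor installer" control pair (PIDs 5000/5001) are assumptions.

```python
"""Flag the two process-tree behaviours from the report over constructed
process-creation records (Sysmon Event ID 1 style: pid, ppid, image, cmdline)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # command line as logged


# Constructed records modelled on the Processes section of the report. PID 1000
# and the 5000/5001 "vendor installer" pair are assumptions used as a benign control.
EVENTS: List[ProcEvent] = [
    ProcEvent(1640, 1000, r"C:\Users\Admin\AppData\Local\Temp\Images.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Images.exe"'),
    ProcEvent(2264, 1640, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDLFZdaeSvRT" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"'),
    ProcEvent(4440, 1640, r"C:\Users\Admin\AppData\Local\Temp\Images.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Images.exe"'),
    ProcEvent(5000, 1000, r"C:\Program Files\Vendor\setup.exe",
              r'"C:\Program Files\Vendor\setup.exe"'),
    ProcEvent(5001, 5000, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
              r'/XML "C:\Program Files\Vendor\task.xml"'),
]

# Directories a standard user can write to; a binary or task XML living here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# Path.GetTempFileName() / GetTempFileName() output: "tmp" + 4 hex digits + ".tmp"
TEMPFILE_NAME = re.compile(r"\\tmp[0-9a-f]{4}\.tmp$", re.I)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Deliberately simpler than CommandLineToArgvW: no backslash-escape handling."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_args(cmdline: str) -> Optional[Dict[str, str]]:
    """Return schtasks switches as {name: value} (lower-case names, '' for
    value-less switches such as /Create), or None if this is not schtasks."""
    toks = split_cmdline(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    args: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = ""
        i += 1
    return args


def check_event(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[str]:
    """Apply the persistence and self-relaunch rules to one event."""
    findings: List[str] = []
    args = schtasks_args(ev.cmdline)
    if args is not None and "create" in args:
        xml = args.get("xml", "")
        if USER_WRITABLE.search(xml):
            findings.append(f"schtasks /Create imports task XML from user-writable path: {xml}")
        if TEMPFILE_NAME.search(xml):
            findings.append("task XML has a GetTempFileName-style name (tmpXXXX.tmp), "
                            "i.e. written moments earlier by the parent")
        if parent is not None and USER_WRITABLE.search(parent.image):
            findings.append(f"task registered by a parent running from {parent.image}")
    # A process spawning a fresh copy of its own image from a user-writable path
    # is the shape of process hollowing: the parent writes a payload into the
    # suspended child (WriteProcessMemory) and redirects it (SetThreadContext).
    if (parent is not None and parent.image.lower() == ev.image.lower()
            and USER_WRITABLE.search(ev.image)):
        findings.append(f"re-launched its own image from user-writable path {ev.image} "
                        "(consistent with hollowing of a second instance)")
    return findings


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    results: Dict[int, List[str]] = {}
    for ev in events:
        findings = check_event(ev, by_pid.get(ev.ppid))
        if findings:
            results[ev.pid] = findings
    return results


if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        for f in findings:
            print(f"PID {pid}: {f}")
```

Against the constructed records, PID 2264 trips all three persistence rules and PID 4440 trips the self-relaunch rule, while the Program Files control pair stays quiet: the rules key on where the binary and task XML live, not on the use of schtasks itself. To run this on real telemetry, build ProcEvent records from Sysmon's ProcessId, ParentProcessId, Image and CommandLine fields.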

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 1 signature
  • Persistence: Scheduled Task (T1053), 1 signature
  • Privilege Escalation: Scheduled Task (T1053), 1 signature
  • Credential Access: Credentials in Files (T1081), 2 signatures
  • Discovery: Query Registry (T1012), 1 signature; System Information Discovery (T1082), 2 signatures
  • Collection: Data from Local System (T1005), 2 signatures; Email Collection (T1114), 1 signature

The number after each technique is the count of signatures in this report mapped to it. The IDs are from ATT&CK v6: in current ATT&CK the schtasks behaviour maps to the sub-technique T1053.005 (Scheduled Task/Job: Scheduled Task), and T1081 has been deprecated in favour of T1552.001 (Unsecured Credentials: Credentials In Files).

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Images.exe.log
    Filesize

    496B

    MD5

    5b4789d01bb4d7483b71e1a35bce6a8b

    SHA1

    de083f2131c9a763c0d1810c97a38732146cffbf

    SHA256

    e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

    SHA512

    357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

  • C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp
    Filesize

    1KB

    MD5

    c8e3e8e10a99b6aec58bbec2ef37a68a

    SHA1

    b9be42e3ce6509df2c85386d037e77f960ce7aec

    SHA256

    e2c91fe6687c50ae9b8ac4a5cc3e8f87b0264fa912f3ac6f562c42c01f60e8b0

    SHA512

    715b1c2ed6cc19b6781e83d9234d8cee70907a8f9561c8b6ce28035f6ba4ea6a5092efe096400a8fb87d586e85df8b2adc8a517eeebc1deb7091e497ce1ad73b

  • memory/1640-130-0x0000000074E80000-0x0000000075431000-memory.dmp
    Filesize

    5.7MB

  • memory/2264-131-0x0000000000000000-mapping.dmp
  • memory/4440-133-0x0000000000000000-mapping.dmp
  • memory/4440-134-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB

  • memory/4440-136-0x0000000074E80000-0x0000000075431000-memory.dmp
    Filesize

    5.7MB