Analysis
- max time kernel: 144s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:37
Static task: static1
Behavioral task: behavioral1
- Sample: Pagamento INV.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Pagamento INV.exe
- Resource: win10v2004-20220414-en
General
- Target: Pagamento INV.exe
- Size: 661KB
- MD5: 7f0c1a8e0abb6ddfd6488e1062256844
- SHA1: 5c038239c533d9b6151ee1c46872de37389094b6
- SHA256: 32e87ba877bda7e78b9d5c772d7e5a420c375db21b48a0de7275b5311f58aa92
- SHA512: 512fe65740126b56e75abb3bfb09a42e21aa90357898a08476126b25e9200db1b082c0dd5e6cf8a08f2b2676c140b52ddcbe900ade6fee46c9cf2912ca83adf1
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: vikash12345
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1908-64-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-65-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-66-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-67-0x000000000046154E-mapping.dmp | family_agenttesla
  behavioral1/memory/1908-69-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-71-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Pagamento INV.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Pagamento INV.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Pagamento INV.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" | Pagamento INV.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 960 set thread context of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  960 | Pagamento INV.exe
  960 | Pagamento INV.exe
  1908 | Pagamento INV.exe
  1908 | Pagamento INV.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid | process
  1908 | Pagamento INV.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 960 | Pagamento INV.exe
  Token: SeDebugPrivilege | 1908 | Pagamento INV.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process
  PID 960 wrote to memory of 1884 | 960 | Pagamento INV.exe | schtasks.exe
  PID 960 wrote to memory of 1884 | 960 | Pagamento INV.exe | schtasks.exe
  PID 960 wrote to memory of 1884 | 960 | Pagamento INV.exe | schtasks.exe
  PID 960 wrote to memory of 1884 | 960 | Pagamento INV.exe | schtasks.exe
  PID 960 wrote to memory of 1396 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1396 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1396 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1396 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1692 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1692 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1692 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1692 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
  PID 960 wrote to memory of 1908 | 960 | Pagamento INV.exe | Pagamento INV.exe
outlook_office_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Pagamento INV.exe

outlook_win_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Pagamento INV.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCULXhTBW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E9E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe"
  - C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe"
  - C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pagamento INV.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4E9E.tmp
  Filesize: 1KB
  MD5: d74a17cf8db928178e2a13c25927eedb
  SHA1: e88cba55abbcde6b13e46e90fef0cf0d556ac7f2
  SHA256: ab9f42794c45ae239d1a582df063785245dd512bfe11a600cd1a4489550930e5
  SHA512: c698a13daf9bf49d809ff90fe28a177d3bd2de5780105aeb662078a620a0d2e47b02b3a99aa2f5e542cb39cba2756bea76632fff2510bed94669641270ce2fdf
- memory/960-57-0x0000000005150000-0x00000000051F4000-memory.dmp (Filesize: 656KB)
- memory/960-56-0x0000000000320000-0x0000000000328000-memory.dmp (Filesize: 32KB)
- memory/960-54-0x0000000001390000-0x000000000143C000-memory.dmp (Filesize: 688KB)
- memory/960-58-0x0000000004EE0000-0x0000000004F56000-memory.dmp (Filesize: 472KB)
- memory/960-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp (Filesize: 8KB)
- memory/1884-59-0x0000000000000000-mapping.dmp
- memory/1908-62-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-61-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-64-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-65-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-66-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-67-0x000000000046154E-mapping.dmp
- memory/1908-69-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1908-71-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)