Analysis
- max time kernel: 86s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:50
- Static task static1
- Behavioral task behavioral1: Sample "Contract form C2.exe", Resource win7-20220414-en
- Behavioral task behavioral2: Sample "Contract form C2.exe", Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample "Payment Bid Reference.exe", Resource win7-20220414-en
- Behavioral task behavioral4: Sample "Payment Bid Reference.exe", Resource win10v2004-20220414-en
General
- Target: Contract form C2.exe
- Size: 1.1MB
- MD5: 61cd9cf4bdb92c7b87610c6ca3bbb9f2
- SHA1: 98eb1b85c2f5a4df9d964089b7ef73e11ab299cb
- SHA256: 5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba
- SHA512: f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mapi.diplemailsrvr.com
- Port: 587
- Username: [email protected]
- Password: Banachi@1974
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/820-58-0x0000000000400000-0x0000000000450000-memory.dmp, yara_rule: family_agenttesla
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Contract form C2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSNjC = "C:\\TBHNEBSE\\YSNjCU\\rCWFOTwkK.vbs" (Contract form C2.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: Contract form C2.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Contract form C2.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Contract form C2.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Contract form C2.exe
  PID 1664 set thread context of 820: Contract form C2.exe (1664) -> target InstallUtil.exe (820)
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: InstallUtil.exe
  PID 820 InstallUtil.exe (2 entries)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: Contract form C2.exe
  PID 1664 Contract form C2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: InstallUtil.exe
  Token: SeDebugPrivilege, PID 820 InstallUtil.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: InstallUtil.exe
  PID 820 InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: Contract form C2.exe, InstallUtil.exe
  PID 1664 wrote to memory of 820: Contract form C2.exe (1664) -> target InstallUtil.exe (820) (8 entries)
  PID 820 wrote to memory of 888: InstallUtil.exe (820) -> target REG.exe (888) (4 entries)
  PID 820 wrote to memory of 1884: InstallUtil.exe (820) -> target netsh.exe (1884) (4 entries)
- outlook_office_path (1 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- outlook_win_path (1 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Contract form C2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Contract form C2.exe"
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - [3] C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/820-56-0x000000000044A9FE-mapping.dmp
- memory/820-58-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize 320KB)
- memory/820-59-0x00000000753C1000-0x00000000753C3000-memory.dmp (Filesize 8KB)
- memory/888-60-0x0000000000000000-mapping.dmp
- memory/1664-54-0x0000000000E40000-0x0000000000F64000-memory.dmp (Filesize 1.1MB)
- memory/1664-55-0x0000000000550000-0x00000000005CC000-memory.dmp (Filesize 496KB)
- memory/1664-57-0x0000000000270000-0x0000000000273000-memory.dmp (Filesize 12KB)
- memory/1884-61-0x0000000000000000-mapping.dmp