Analysis
- max time kernel: 114s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: Contract form C2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Contract form C2.exe
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: Payment Bid Reference.exe
  Resource: win7-20220414-en
Behavioral task: behavioral4
  Sample: Payment Bid Reference.exe
  Resource: win10v2004-20220414-en
General
- Target: Contract form C2.exe
- Size: 1.1MB
- MD5: 61cd9cf4bdb92c7b87610c6ca3bbb9f2
- SHA1: 98eb1b85c2f5a4df9d964089b7ef73e11ab299cb
- SHA256: 5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba
- SHA512: f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mapi.diplemailsrvr.com
- Port: 587
- Username: [email protected]
- Password: Banachi@1974
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/3092-133-0x0000000000400000-0x0000000000450000-memory.dmp
    yara_rule: family_agenttesla
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: InstallUtil.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Contract form C2.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YSNjC = "C:\\FSHLRPTB\\YSNjCU\\rCWFOTwkK.vbs" (Contract form C2.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: Contract form C2.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Contract form C2.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (Contract form C2.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Contract form C2.exe
    PID 5020 set thread context of 3092: Contract form C2.exe -> InstallUtil.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid 4504 (WerFault.exe), target pid 3092 (InstallUtil.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: InstallUtil.exe
    pid 3092 InstallUtil.exe
    pid 3092 InstallUtil.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: Contract form C2.exe
    pid 5020 Contract form C2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: InstallUtil.exe
    Token: SeDebugPrivilege, pid 3092 InstallUtil.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Contract form C2.exe, InstallUtil.exe
    PID 5020 wrote to memory of 3092: Contract form C2.exe -> InstallUtil.exe
    PID 5020 wrote to memory of 3092: Contract form C2.exe -> InstallUtil.exe
    PID 5020 wrote to memory of 3092: Contract form C2.exe -> InstallUtil.exe
    PID 5020 wrote to memory of 3092: Contract form C2.exe -> InstallUtil.exe
    PID 3092 wrote to memory of 3136: InstallUtil.exe -> REG.exe
    PID 3092 wrote to memory of 3136: InstallUtil.exe -> REG.exe
    PID 3092 wrote to memory of 3136: InstallUtil.exe -> REG.exe
    PID 3092 wrote to memory of 1292: InstallUtil.exe -> netsh.exe
    PID 3092 wrote to memory of 1292: InstallUtil.exe -> netsh.exe
    PID 3092 wrote to memory of 1292: InstallUtil.exe -> netsh.exe
- outlook_office_path (1 IoCs)
  Processes: InstallUtil.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- outlook_win_path (1 IoCs)
  Processes: InstallUtil.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Contract form C2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Contract form C2.exe"
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
        - C:\Windows\SysWOW64\netsh.exe
          Command line: "netsh" wlan show profile
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1596
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3092 -ip 3092
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1292-140-0x0000000000000000-mapping.dmp
- memory/3092-132-0x0000000000000000-mapping.dmp
- memory/3092-133-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/3092-135-0x00000000055A0000-0x0000000005632000-memory.dmp (Filesize: 584KB)
- memory/3092-136-0x0000000005740000-0x00000000057DC000-memory.dmp (Filesize: 624KB)
- memory/3092-137-0x0000000005C60000-0x0000000005CC6000-memory.dmp (Filesize: 408KB)
- memory/3092-139-0x00000000067B0000-0x0000000006800000-memory.dmp (Filesize: 320KB)
- memory/3136-138-0x0000000000000000-mapping.dmp
- memory/5020-130-0x0000000000440000-0x0000000000564000-memory.dmp (Filesize: 1.1MB)
- memory/5020-131-0x0000000005810000-0x0000000005DB4000-memory.dmp (Filesize: 5.6MB)
- memory/5020-134-0x0000000002A20000-0x0000000002A23000-memory.dmp (Filesize: 12KB)