Analysis
- max time kernel: 111s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:50
Static task: static1
Behavioral task: behavioral1
- Sample: Contract form C2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Contract form C2.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: Payment Bid Reference.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: Payment Bid Reference.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Bid Reference.exe
- Size: 1.1MB
- MD5: 61cd9cf4bdb92c7b87610c6ca3bbb9f2
- SHA1: 98eb1b85c2f5a4df9d964089b7ef73e11ab299cb
- SHA256: 5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba
- SHA512: f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mapi.diplemailsrvr.com
- Port: 587
- Username: [email protected]
- Password: Banachi@1974
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes (resource / yara_rule):
  behavioral3/memory/1960-58-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSNjC = "C:\\TVHJCWMH\\YSNjCU\\rCWFOTwkK.vbs" (Payment Bid Reference.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Payment Bid Reference.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Payment Bid Reference.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 2020 (Payment Bid Reference.exe) set thread context of PID 1960 (InstallUtil.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  PID 1960 InstallUtil.exe (2 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  PID 2020 Payment Bid Reference.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege, PID 1960 InstallUtil.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  PID 1960 InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
  PID 2020 (Payment Bid Reference.exe) wrote to memory of PID 1960 (InstallUtil.exe), 8 entries
  PID 1960 (InstallUtil.exe) wrote to memory of PID 1720 (REG.exe), 4 entries
  PID 1960 (InstallUtil.exe) wrote to memory of PID 1888 (netsh.exe), 4 entries
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Bid Reference.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Bid Reference.exe"
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe (level 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: "netsh" wlan show profile
Downloads
- memory/1720-60-0x0000000000000000-mapping.dmp
- memory/1888-61-0x0000000000000000-mapping.dmp
- memory/1960-56-0x000000000044A9FE-mapping.dmp
- memory/1960-58-0x0000000000400000-0x0000000000450000-memory.dmp (filesize: 320KB)
- memory/1960-59-0x0000000076261000-0x0000000076263000-memory.dmp (filesize: 8KB)
- memory/2020-54-0x0000000000370000-0x0000000000494000-memory.dmp (filesize: 1.1MB)
- memory/2020-55-0x0000000004210000-0x000000000428C000-memory.dmp (filesize: 496KB)
- memory/2020-57-0x00000000004B0000-0x00000000004B3000-memory.dmp (filesize: 12KB)