Analysis
- max time kernel: 91s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:50
Static task: static1
Behavioral task: behavioral1
- Sample: Contract form C2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Contract form C2.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: Payment Bid Reference.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: Payment Bid Reference.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Bid Reference.exe
- Size: 1.1MB
- MD5: 61cd9cf4bdb92c7b87610c6ca3bbb9f2
- SHA1: 98eb1b85c2f5a4df9d964089b7ef73e11ab299cb
- SHA256: 5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba
- SHA512: f197d5cf146577569657b919c259ebcbf5779e4e7946101a720cd7929833b17b472008b175ddd553fc6f302c3d5f268a31ee1fc0669f5dbf127cb10ab345093f
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mapi.diplemailsrvr.com
- Port: 587
- Username: [email protected]
- Password: Banachi@1974
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 1 IoCs
Processes:
- resource: behavioral4/memory/4700-134-0x0000000000400000-0x0000000000450000-memory.dmp; yara_rule: family_agenttesla
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: InstallUtil.exe
- Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: InstallUtil.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: InstallUtil.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: InstallUtil.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Payment Bid Reference.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YSNjC = "C:\\JVJHUWZP\\YSNjCU\\rCWFOTwkK.vbs" (process: Payment Bid Reference.exe)
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: Payment Bid Reference.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: Payment Bid Reference.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Payment Bid Reference.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Payment Bid Reference.exe
- PID 3476 set thread context of 4700 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
-
Program crash 1 IoCs
Processes: WerFault.exe
- pid 4228 (process: WerFault.exe); pid_target 4700 (target process: InstallUtil.exe)
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: InstallUtil.exe
- pid 4700, process InstallUtil.exe
- pid 4700, process InstallUtil.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: Payment Bid Reference.exe
- pid 3476, process Payment Bid Reference.exe
- pid 3476, process Payment Bid Reference.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: InstallUtil.exe
- Token: SeDebugPrivilege (process: InstallUtil.exe, PID 4700)
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: Payment Bid Reference.exe, InstallUtil.exe
- PID 3476 wrote to memory of 4672 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4672 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4672 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4700 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4700 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4700 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 3476 wrote to memory of 4700 (process: Payment Bid Reference.exe, PID 3476; target process: InstallUtil.exe)
- PID 4700 wrote to memory of 4544 (process: InstallUtil.exe, PID 4700; target process: REG.exe)
- PID 4700 wrote to memory of 4544 (process: InstallUtil.exe, PID 4700; target process: REG.exe)
- PID 4700 wrote to memory of 4544 (process: InstallUtil.exe, PID 4700; target process: REG.exe)
- PID 4700 wrote to memory of 208 (process: InstallUtil.exe, PID 4700; target process: netsh.exe)
- PID 4700 wrote to memory of 208 (process: InstallUtil.exe, PID 4700; target process: netsh.exe)
- PID 4700 wrote to memory of 208 (process: InstallUtil.exe, PID 4700; target process: netsh.exe)
-
outlook_office_path 1 IoCs
Processes: InstallUtil.exe
- Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: InstallUtil.exe)
-
outlook_win_path 1 IoCs
Processes: InstallUtil.exe
- Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: InstallUtil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Bid Reference.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Bid Reference.exe"
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1584
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4700 -ip 4700
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/208-140-0x0000000000000000-mapping.dmp
- memory/3476-130-0x0000000000210000-0x0000000000334000-memory.dmp (Filesize: 1.1MB)
- memory/3476-131-0x0000000005340000-0x00000000058E4000-memory.dmp (Filesize: 5.6MB)
- memory/3476-133-0x0000000004C00000-0x0000000004C03000-memory.dmp (Filesize: 12KB)
- memory/4544-138-0x0000000000000000-mapping.dmp
- memory/4700-132-0x0000000000000000-mapping.dmp
- memory/4700-134-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/4700-135-0x0000000005700000-0x0000000005792000-memory.dmp (Filesize: 584KB)
- memory/4700-136-0x00000000059E0000-0x0000000005A7C000-memory.dmp (Filesize: 624KB)
- memory/4700-137-0x0000000005E80000-0x0000000005EE6000-memory.dmp (Filesize: 408KB)
- memory/4700-139-0x0000000006E80000-0x0000000006ED0000-memory.dmp (Filesize: 320KB)