Analysis
-
max time kernel
117s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:55
Static task
static1
Behavioral task
behavioral1
Sample
purchase order.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
purchase order.exe
Resource
win10v2004-20220414-en
General
-
Target
purchase order.exe
-
Size
482KB
-
MD5
cc8dd999e2986f15641dfad4362cf2a7
-
SHA1
abeb848ddcfba06a03ba90f4c55e28c56e47494c
-
SHA256
b6eecf6385766748acdbd8b0b350d9344f775495a0ca62a1dcca578d2b6100ca
-
SHA512
e43349ee45e8bed299a1cdbd0485f454f3c2dcc4f795e788541dc47860dda859584d34baef4306f4140783f9f39b6e6cb6f42da47e99428168511a0d59c147c0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.pierreinsurancebrokers.com - Port:
587 - Username:
[email protected] - Password:
advisor@1234
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1124-62-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1124-61-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1124-63-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1124-64-0x0000000000446C5E-mapping.dmp family_agenttesla behavioral1/memory/1124-68-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1124-66-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
purchase order.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion purchase order.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion purchase order.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
purchase order.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum purchase order.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 purchase order.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
purchase order.exedescription pid process target process PID 1280 set thread context of 1124 1280 purchase order.exe MSBuild.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 1124 MSBuild.exe 1124 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 1124 MSBuild.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
purchase order.exedescription pid process target process PID 1280 wrote to memory of 1292 1280 purchase order.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 purchase order.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 purchase order.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 purchase order.exe schtasks.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe PID 1280 wrote to memory of 1124 1280 purchase order.exe MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\purchase order.exe"C:\Users\Admin\AppData\Local\Temp\purchase order.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZDaFZwtnXm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmp"2⤵
- Creates scheduled task(s)
PID:1292 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmpFilesize
1KB
MD578f2284a3e1fbba8b3e8f89ab8fc24be
SHA1c29983a67df82a95405b06aff342c4015883384d
SHA256445684e4d5f72d053c1d26eb5c387404a23d6c0ccfbf0434289f147bbe83c2f4
SHA512e83ac7e229e1722af18bd8fe4ee2510911b39a4a3a69893794249265d8b49f7466fdfecdb965a7c7263c0e18be1b0bc7b6e9df1c2617b0ecbac30427ffa3ad9c
-
memory/1124-62-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-59-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-58-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-63-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-64-0x0000000000446C5E-mapping.dmp
-
memory/1124-68-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-66-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1124-70-0x0000000074190000-0x000000007473B000-memory.dmpFilesize
5.7MB
-
memory/1280-55-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmpFilesize
8KB
-
memory/1292-56-0x0000000000000000-mapping.dmp