Analysis
- max time kernel: 135s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:59
Static task: static1
Behavioral task: behavioral1
- Sample: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
- Resource: win10v2004-20220414-en
General
- Target: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
- Size: 438KB
- MD5: 1fb477f037a5781626e07de476928154
- SHA1: d73e53aba93e68cd66c9f68bdce0d1a61d8e7cfe
- SHA256: cdbac6d4c4c6c722cf135d95f1c0e3d818dc660039ff4ad802c8ce4cc0f7145b
- SHA512: 60d41f5b320d3f29f89b163ebb70e4b06301d0ea6906acafb99e413258fe4d0976580f3f393f10f15590ba30b47edcf6c963163c62e91a02d300a73c6036517c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.greebals.gr
- Port: 587
- Username: [email protected]
- Password: g#BE=fpMXx@B
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1076-61-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1076-62-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1076-63-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1076-64-0x0000000000447B1E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1076-66-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1076-68-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1080 set thread context of 1076: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe -> RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 1080 YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
  - 1076 RegSvcs.exe
  - 1076 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1080 YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
  - Token: SeDebugPrivilege, 1076 RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process), identical events collapsed with a count:
  - PID 1080 wrote to memory of 1348: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe -> schtasks.exe (4 events)
  - PID 1080 wrote to memory of 1076: YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe -> RegSvcs.exe (12 events)
  - PID 1076 wrote to memory of 568: RegSvcs.exe -> REG.exe (4 events)
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes (tree; indentation shows parent/child depth)
- Path: C:\Users\Admin\AppData\Local\Temp\YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YOKOHAMA TYRE VIETNAM INC RFQ_PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\weKIli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp363E.tmp"
    - Creates scheduled task(s)
  - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - Path: C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / v NoRun / t REG_DWORD / d 1 / f
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp363E.tmp
  Filesize: 1KB
  MD5: 252bd96e80567dd80d8ca597b22ffb00
  SHA1: 497093a8a4e56093224cb7b67e7a1425b0be4999
  SHA256: 108fe759ff3e03511d8df4c40355daba49af355a7ee7ab25a02f3a8c742802ef
  SHA512: f10f21dda586b8ed22decc37c15cda953fdbdb6eae14bd0b0e28a56ba74a2ee5bf0a619cd1f58e51fda7db89e6666d73d6efc6775744a65c9f617658d2e5d347
- memory/568-71-0x0000000000000000-mapping.dmp
- memory/1076-61-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-59-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-58-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-62-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-63-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-64-0x0000000000447B1E-mapping.dmp
- memory/1076-66-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-68-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1076-70-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
- memory/1080-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize: 8KB)
- memory/1080-55-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
- memory/1348-56-0x0000000000000000-mapping.dmp