Analysis
- max time kernel: 126s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:23
Static task: static1
Behavioral task: behavioral1
- Sample: DOC PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DOC PDF.exe
- Resource: win10v2004-20220414-en
General
- Target: DOC PDF.exe
- Size: 687KB
- MD5: 95cbcdfe7d89c89c759303a0e845d8b1
- SHA1: 3950ee91663e1142e889208c474ebc7d36995d5c
- SHA256: f82fcb01f1334b2885bc090c3bc8bc587f64919b9739e95ffe12c9e5d5bc11cd
- SHA512: c00438306fe5bfae406db98ea71779745ebbe4643c2993fb12a47a13dca2de5c71ec40a81cbf8d9e7ad3901b6921ef9e46d7bd01d597c89df6a494ed20493e31
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.palcoman.com
- Port: 587
- Username: [email protected]
- Password: GgwWVBJ5
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes (resource | yara_rule):
  - behavioral2/memory/4224-138-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | DOC PDF.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gKWBf = "C:\\Users\\Admin\\AppData\\Roaming\\gKWBf\\gKWBf.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 2940 set thread context of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
  - 2940 | DOC PDF.exe
  - 2940 | DOC PDF.exe
  - 2940 | DOC PDF.exe
  - 2940 | DOC PDF.exe
  - 4224 | RegSvcs.exe
  - 4224 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 2940 | DOC PDF.exe
  - Token: SeDebugPrivilege | 4224 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  - PID 2940 wrote to memory of 220 | 2940 | DOC PDF.exe | schtasks.exe
  - PID 2940 wrote to memory of 220 | 2940 | DOC PDF.exe | schtasks.exe
  - PID 2940 wrote to memory of 220 | 2940 | DOC PDF.exe | schtasks.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 2940 wrote to memory of 4224 | 2940 | DOC PDF.exe | RegSvcs.exe
  - PID 4224 wrote to memory of 4040 | 4224 | RegSvcs.exe | REG.exe
  - PID 4224 wrote to memory of 4040 | 4224 | RegSvcs.exe | REG.exe
  - PID 4224 wrote to memory of 4040 | 4224 | RegSvcs.exe | REG.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DOC PDF.exe (PID: 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOC PDF.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (PID: 220)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AfRYffCadnbirk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B92.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 4224)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child processes:
    - C:\Windows\SysWOW64\REG.exe (PID: 4040)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3B92.tmp
  Filesize: 1KB
  MD5: d4ed5b541fa6f461d950e23cf1921c7f
  SHA1: 5dddb448bf6ee1b5d6afa93f9749a17027da3627
  SHA256: 5d87e455ac688baa023dd5549d9d1a43814f5a1dd44a050a8e386bff58cab58d
  SHA512: 09e76e765278be7ef650c2624340c6554f93454d39afb7e0fffd2947702193392c9da87f45cc53cacf336e661ddacf7dcab7b173606bf474b4916c291b5555c6
- memory/220-135-0x0000000000000000-mapping.dmp
- memory/2940-130-0x0000000000B90000-0x0000000000C42000-memory.dmp (Filesize: 712KB)
- memory/2940-131-0x0000000005C20000-0x00000000061C4000-memory.dmp (Filesize: 5.6MB)
- memory/2940-132-0x0000000005670000-0x0000000005702000-memory.dmp (Filesize: 584KB)
- memory/2940-133-0x00000000055E0000-0x00000000055EA000-memory.dmp (Filesize: 40KB)
- memory/2940-134-0x00000000082E0000-0x000000000837C000-memory.dmp (Filesize: 624KB)
- memory/4040-141-0x0000000000000000-mapping.dmp
- memory/4224-137-0x0000000000000000-mapping.dmp
- memory/4224-138-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/4224-139-0x0000000005710000-0x0000000005776000-memory.dmp (Filesize: 408KB)
- memory/4224-140-0x00000000067B0000-0x0000000006800000-memory.dmp (Filesize: 320KB)