Analysis
max time kernel: 132s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:35
Static task: static1
Behavioral task: behavioral1
  Sample: payment slip pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: payment slip pdf.exe
  Resource: win10v2004-20220414-en
General
Target: payment slip pdf.exe
Size: 576KB
MD5: 73446b4f7828240c2176f6dbac0db41e
SHA1: 17a9f153ab2ce844a8e2ef1f21b674fdc63f827a
SHA256: 9b8bfd519d8bbe5a7c285f61c73abef27b4e18a22076d036698ec943b5e61c01
SHA512: 0b34eb5d9a57d4f5de8988e7f0e3abf5a58235e8e5a895cbd88aa606661a9f8182ceb96881fd2aeb2652351ec26baf51acb4350a827b802e0635af66c61a7aad
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: lFAvm@p#@z92
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1756-61-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1756-62-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1756-63-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1756-64-0x000000000044C3DE-mapping.dmp | family_agenttesla
  behavioral1/memory/1756-66-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1756-68-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: payment slip pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment slip pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment slip pdf.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment slip pdf.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: payment slip pdf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MJVkSQ = "C:\\Users\\Admin\\AppData\\Roaming\\MJVkSQ\\MJVkSQ.exe" | payment slip pdf.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: payment slip pdf.exe
  description | pid | process | target process
  PID 1712 set thread context of 1756 | 1712 | payment slip pdf.exe | payment slip pdf.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: payment slip pdf.exe
  pid | process
  1756 | payment slip pdf.exe
  1756 | payment slip pdf.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes: payment slip pdf.exe
  pid | process
  1756 | payment slip pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: payment slip pdf.exe
  description | pid | process
  Token: SeDebugPrivilege | 1756 | payment slip pdf.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: payment slip pdf.exe, payment slip pdf.exe
  description | pid | process | target process
  PID 1712 wrote to memory of 1756 | 1712 | payment slip pdf.exe | payment slip pdf.exe (9 events)
  PID 1756 wrote to memory of 1508 | 1756 | payment slip pdf.exe | netsh.exe (4 events)

outlook_office_path (1 IoCs)
Processes: payment slip pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment slip pdf.exe

outlook_win_path (1 IoCs)
Processes: payment slip pdf.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment slip pdf.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe
      Command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/1508-70-0x0000000000000000-mapping.dmp
memory/1712-54-0x0000000000D30000-0x0000000000DC6000-memory.dmp (Filesize: 600KB)
memory/1712-55-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize: 8KB)
memory/1712-56-0x0000000000800000-0x000000000080A000-memory.dmp (Filesize: 40KB)
memory/1712-57-0x0000000004F50000-0x0000000004FA8000-memory.dmp (Filesize: 352KB)
memory/1756-61-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-59-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-62-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-63-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-64-0x000000000044C3DE-mapping.dmp
memory/1756-66-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-68-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/1756-58-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)