Analysis
max time kernel: 144s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:35
Static task: static1
Behavioral task: behavioral1
  Sample: payment slip pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: payment slip pdf.exe
  Resource: win10v2004-20220414-en
General
Target: payment slip pdf.exe
Size: 576KB
MD5: 73446b4f7828240c2176f6dbac0db41e
SHA1: 17a9f153ab2ce844a8e2ef1f21b674fdc63f827a
SHA256: 9b8bfd519d8bbe5a7c285f61c73abef27b4e18a22076d036698ec943b5e61c01
SHA512: 0b34eb5d9a57d4f5de8988e7f0e3abf5a58235e8e5a895cbd88aa606661a9f8182ceb96881fd2aeb2652351ec26baf51acb4350a827b802e0635af66c61a7aad
Malware Config
Extracted
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: lFAvm@p#@z92
Extracted
  Family: agenttesla
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: lFAvm@p#@z92
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/5032-137-0x0000000000400000-0x0000000000452000-memory.dmp
    yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: payment slip pdf.exe
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: payment slip pdf.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: payment slip pdf.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: payment slip pdf.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: payment slip pdf.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJVkSQ = "C:\\Users\\Admin\\AppData\\Roaming\\MJVkSQ\\MJVkSQ.exe" (process: payment slip pdf.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: payment slip pdf.exe
    PID 3364 set thread context of 5032 (process: payment slip pdf.exe, target process: payment slip pdf.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: payment slip pdf.exe
    pid 5032, process: payment slip pdf.exe
    pid 5032, process: payment slip pdf.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: payment slip pdf.exe
    pid 5032, process: payment slip pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: payment slip pdf.exe
    Token: SeDebugPrivilege (pid 5032, process: payment slip pdf.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: payment slip pdf.exe, payment slip pdf.exe
    PID 3364 wrote to memory of 5032 (process: payment slip pdf.exe, target process: payment slip pdf.exe), 8 entries
    PID 5032 wrote to memory of 4964 (process: payment slip pdf.exe, target process: netsh.exe), 3 entries
- outlook_office_path (1 IoC)
  Processes: payment slip pdf.exe
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: payment slip pdf.exe)
- outlook_win_path (1 IoC)
  Processes: payment slip pdf.exe
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: payment slip pdf.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe
  Command line: "{path}"
  Depth: 2
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
- C:\Windows\SysWOW64\netsh.exe
  Command line: "netsh" wlan show profile
  Depth: 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment slip pdf.exe.log
  Filesize: 685B
  MD5: 64f7d1001f1b3c983776387519079574
  SHA1: 9696fb5ffd5597c12fc1ca6bcb7fe889f8cc9c2c
  SHA256: b7724fa480f240bb6e0131973d0f085d5fb0865677f277a2a306f4fa89c89485
  SHA512: bf81147d1a43290c845f788fbe633bf0ae8abff31a342b0278e525fdf65bd5294e797b3a11f375027e5b2c42d224459583d5a0e753f563d5034d4d7653d39eba
- memory/3364-131-0x0000000000740000-0x00000000007D6000-memory.dmp
  Filesize: 600KB
- memory/3364-132-0x00000000056D0000-0x0000000005C74000-memory.dmp
  Filesize: 5.6MB
- memory/3364-133-0x00000000051C0000-0x0000000005252000-memory.dmp
  Filesize: 584KB
- memory/3364-134-0x0000000005F80000-0x0000000006106000-memory.dmp
  Filesize: 1.5MB
- memory/3364-135-0x0000000005C80000-0x0000000005D1C000-memory.dmp
  Filesize: 624KB
- memory/4964-140-0x0000000000000000-mapping.dmp
- memory/5032-136-0x0000000000000000-mapping.dmp
- memory/5032-137-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/5032-139-0x0000000005C50000-0x0000000005CB6000-memory.dmp
  Filesize: 408KB
- memory/5032-141-0x00000000067A0000-0x00000000067F0000-memory.dmp
  Filesize: 320KB
- memory/5032-142-0x0000000006980000-0x000000000698A000-memory.dmp
  Filesize: 40KB