Analysis
- max time kernel: 95s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: ADNOC RFQ 978002410.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ADNOC RFQ 978002410.exe
- Resource: win10v2004-20220414-en
General
- Target: ADNOC RFQ 978002410.exe
- Size: 586KB
- MD5: d7d8068a6359a97402ee1ba679eed000
- SHA1: 109ff6b8c1af7ab733f67e706231798db36a9021
- SHA256: b973a1bfcaf8f0721dc829c3dd0455c6801e5b6e165bf8a3cf6a8bcdc78f31f2
- SHA512: 4ef0cab8340275dccd3c8c54c510824358c48c3aa94c945954477ac429d046efd5339ddc9b78ad16fe78349ba87697ac0b6c3fb4f0f8a07a20f3a0491bac0953
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gli-bar.com
- Port: 587
- Username: [email protected]
- Password: JXYO)o%bT9
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/1332-137-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (ADNOC RFQ 978002410.exe):
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | ADNOC RFQ 978002410.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (ADNOC RFQ 978002410.exe):
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ADNOC RFQ 978002410.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ADNOC RFQ 978002410.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ADNOC RFQ 978002410.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (ADNOC RFQ 978002410.exe):
  description | pid | process | target process
  PID 1964 set thread context of 1332 | 1964 | ADNOC RFQ 978002410.exe | ADNOC RFQ 978002410.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (ADNOC RFQ 978002410.exe):
  pid | process
  1332 | ADNOC RFQ 978002410.exe
  1332 | ADNOC RFQ 978002410.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (ADNOC RFQ 978002410.exe):
  description | pid | process
  Token: SeDebugPrivilege | 1332 | ADNOC RFQ 978002410.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (ADNOC RFQ 978002410.exe):
  description | pid | process | target process
  PID 1964 wrote to memory of 672 | 1964 | ADNOC RFQ 978002410.exe | schtasks.exe (3 occurrences)
  PID 1964 wrote to memory of 1332 | 1964 | ADNOC RFQ 978002410.exe | ADNOC RFQ 978002410.exe (8 occurrences)
- outlook_office_path (1 IoC)
  Processes (ADNOC RFQ 978002410.exe):
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ADNOC RFQ 978002410.exe
- outlook_win_path (1 IoC)
  Processes (ADNOC RFQ 978002410.exe):
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ADNOC RFQ 978002410.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ADNOC RFQ 978002410.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ADNOC RFQ 978002410.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YCehIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F54.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ADNOC RFQ 978002410.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADNOC RFQ 978002410.exe.log
  Filesize: 507B
  MD5: 76ffb2f33cb32ade8fc862a67599e9d8
  SHA1: 920cc4ab75b36d2f9f6e979b74db568973c49130
  SHA256: f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
  SHA512: f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
- C:\Users\Admin\AppData\Local\Temp\tmp6F54.tmp
  Filesize: 1KB
  MD5: 3d6ff5a441ff84f0b878f38d83d3d415
  SHA1: b20193399b0d95d2f6bb643b48478ab28aabc560
  SHA256: ff57a31fc99aef10720f73302b14d08e7649626feb2f2f99add788b15b791227
  SHA512: e77e30dc1e8449608436875b3349b22ca665d6b4045e3cda73fa61170f7f6f7b37193ccaab9e992d27b6318d855fb50eee0c2b8ec2c0e873bc0fac3f78ba6c51
- memory/672-134-0x0000000000000000-mapping.dmp
- memory/1332-136-0x0000000000000000-mapping.dmp
- memory/1332-137-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1332-139-0x00000000063D0000-0x0000000006436000-memory.dmp
  Filesize: 408KB
- memory/1332-140-0x0000000006BD0000-0x0000000006C20000-memory.dmp
  Filesize: 320KB
- memory/1332-141-0x0000000006D60000-0x0000000006D6A000-memory.dmp
  Filesize: 40KB
- memory/1964-130-0x0000000000380000-0x0000000000418000-memory.dmp
  Filesize: 608KB
- memory/1964-131-0x00000000052C0000-0x0000000005864000-memory.dmp
  Filesize: 5.6MB
- memory/1964-132-0x0000000004DB0000-0x0000000004E42000-memory.dmp
  Filesize: 584KB
- memory/1964-133-0x0000000004EF0000-0x0000000004F8C000-memory.dmp
  Filesize: 624KB