Overview

overview

10

Static

static

10

Please Con...ss.exe

windows7_x64

10

Please Con...ss.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    193s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Please Confirm Your Shipment Address.exe

  • Size

    4.6MB

  • MD5

    ffab58789a8d188f10ae6b7a9c73c36a

  • SHA1

    48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

  • SHA256

    f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

  • SHA512

    c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe
    "C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
        3⤵
        • Adds Run key to start application
        PID:4964
    • C:\Users\Admin\AppData\Local\Mecury.exe
      "C:\Users\Admin\AppData\Local\Mecury.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Mecury.exe
    Filesize

    4.6MB

    MD5

    ffab58789a8d188f10ae6b7a9c73c36a

    SHA1

    48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

    SHA256

    f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

    SHA512

    c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

    Download Submit
  • C:\Users\Admin\AppData\Local\Mecury.exe
    Filesize

    4.6MB

    MD5

    ffab58789a8d188f10ae6b7a9c73c36a

    SHA1

    48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

    SHA256

    f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

    SHA512

    c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

    Download Submit
  • memory/3172-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4340-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4352-130-0x0000000000010000-0x00000000004B6000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/4352-131-0x0000000005B20000-0x00000000060C4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4352-132-0x0000000005610000-0x00000000056A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4352-133-0x0000000005A40000-0x0000000005A84000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4964-135-0x0000000000000000-mapping.dmp
    Download