Analysis
- max time kernel: 133s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: Information and requested documents.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Information and requested documents.exe
  Resource: win10v2004-20220414-en
General
- Target: Information and requested documents.exe
- Size: 758KB
- MD5: c32cd33fadb4de3563ca97d7bf9df4ae
- SHA1: b8ea747a906942e1089bafa3c253d8ca53b6acbc
- SHA256: 31c08b891a2cdd18895f42d331783f628cf27dca9ee41691e206fb0e6a57471e
- SHA512: 7b7a5342109ba84e1489271ce036d6e5b7eed0b498282e45f9944d2a451de9d988da8183c102e609ee60765af7dc600577fbda9ab7ae88732c8e8a0c8d433abd
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.hraspirations.com/
- Port: 21
- Username: [email protected]
- Password: computer@147
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1912-64-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1912-65-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1912-67-0x00000000004545BE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1912-66-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1912-69-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1912-71-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description: pid, process -> target process):
  - PID 1460 set thread context of 1912: 1460 Information and requested documents.exe -> RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
  - 1460 Information and requested documents.exe
  - 1460 Information and requested documents.exe
  - 1460 Information and requested documents.exe
  - 1460 Information and requested documents.exe
  - 1912 RegSvcs.exe
  - 1912 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description: pid, process):
  - Token: SeDebugPrivilege: 1460 Information and requested documents.exe
  - Token: SeDebugPrivilege: 1912 RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description: pid, process -> target process):
  - PID 1460 wrote to memory of 1672: 1460 Information and requested documents.exe -> schtasks.exe (4 identical entries)
  - PID 1460 wrote to memory of 1912: 1460 Information and requested documents.exe -> RegSvcs.exe (12 identical entries)
- outlook_office_path (1 IoCs)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Information and requested documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Information and requested documents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sKoXlCyVjnsHf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp
  Filesize: 1KB
  MD5: e00179e571e3420584d26d838f6ad386
  SHA1: bb4cc3ce51947f3347f9fdac9ba9173e8bd39103
  SHA256: effb272b865378b9319e97fa1d522e955319e7d86f34c8d32777c58d4021a0e1
  SHA512: 76384d537d71e91a956d0393b5b20439e53787903573f9cba9d8ebd8651510d103a8ab34251e356381513b326f19ae5432f4284cd5ac30a1f5c2956075dd3321
- memory/1460-57-0x0000000001300000-0x000000000136E000-memory.dmp
  Filesize: 440KB
- memory/1460-56-0x0000000000270000-0x0000000000280000-memory.dmp
  Filesize: 64KB
- memory/1460-54-0x00000000013D0000-0x0000000001492000-memory.dmp
  Filesize: 776KB
- memory/1460-58-0x0000000000650000-0x00000000006A8000-memory.dmp
  Filesize: 352KB
- memory/1460-55-0x00000000769D1000-0x00000000769D3000-memory.dmp
  Filesize: 8KB
- memory/1672-59-0x0000000000000000-mapping.dmp
- memory/1912-62-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-61-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-64-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-65-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-67-0x00000000004545BE-mapping.dmp
- memory/1912-66-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-69-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1912-71-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB