Analysis
- max time kernel: 154s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:56

Static task: static1
Behavioral task: behavioral1
  Sample: PAYMENT_ADVICE.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PAYMENT_ADVICE.exe
  Resource: win10v2004-20220414-en
General
- Target: PAYMENT_ADVICE.exe
- Size: 556KB
- MD5: 662e8db037db250cea8c0de931d45b9f
- SHA1: 512842696fdc3751d6222da01d89c439cc12c27f
- SHA256: b4e29b2c8ddeddb4aca873321f9d0ca3271c086ad5e624ca5c928751a49c5cef
- SHA512: 7b751218fe6ff04c80bc4a74fc7977f5f360b66a823133e093236ef1184bd0dae51184be9c9cba1178b86f0245e0a9b2884e0ceb5b2cf59dc633b1cb6844e52a
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.kinangopdairy.co.ke
- Port: 587
- Username: [email protected]
- Password: Muiruri8080!
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil Via SMTP
- AgentTesla Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2180-139-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PAYMENT_ADVICE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PAYMENT_ADVICE.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | PAYMENT_ADVICE.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PAYMENT_ADVICE.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PAYMENT_ADVICE.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PAYMENT_ADVICE.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PAYMENT_ADVICE.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | PAYMENT_ADVICE.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3200 set thread context of 2180 | 3200 | PAYMENT_ADVICE.exe | PAYMENT_ADVICE.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  3200 | PAYMENT_ADVICE.exe
  2180 | PAYMENT_ADVICE.exe
  2180 | PAYMENT_ADVICE.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3200 | PAYMENT_ADVICE.exe
  Token: SeDebugPrivilege | 2180 | PAYMENT_ADVICE.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2180 | PAYMENT_ADVICE.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 3200 wrote to memory of 3196 | 3200 | PAYMENT_ADVICE.exe | schtasks.exe (3 entries)
  PID 3200 wrote to memory of 2180 | 3200 | PAYMENT_ADVICE.exe | PAYMENT_ADVICE.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PAYMENT_ADVICE.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PAYMENT_ADVICE.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT_ADVICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT_ADVICE.exe"
  PID: 3200
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lHnlXbBDY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BA.tmp"
    PID: 3196
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT_ADVICE.exe
    Command line: "{path}"
    PID: 2180
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT_ADVICE.exe.log
  Filesize: 777B
  MD5: c84a5ef1e245a38defa80bc9bc98208e
  SHA1: 7fcafbc9c67cd658c51f63f39a588daf29dd00bd
  SHA256: 6a03a0129dea0237de57aa8aa49e879df871f4d5d04750b5c0330ab18df47b1a
  SHA512: 3d2fb670e845610734b6ae79793739693c474ab08dab257bf6ce98ff3cafd88a771d49e54c86e7be57664cb7186b858ca72322f3323bc0265bf2b6033cf26df8
- C:\Users\Admin\AppData\Local\Temp\tmp2BA.tmp
  Filesize: 1KB
  MD5: ef04715068fa51c1da594200e38c01c9
  SHA1: 76018f0923408320a3692115a3424912043add9c
  SHA256: d4f9b17043dbe8995d5288e1e7c352a82f0c38d80c3789c3a0b402e6f7f24032
  SHA512: 414ec2b40b2eef1dfbdc2f7afb1cac7d334eddaf98f632b9945431a06ae0bc18d47683253acea3cea1dc8e30cc2526c8a22f26a27773fdcecf59f94ee9def81b
- memory/2180-138-0x0000000000000000-mapping.dmp
- memory/2180-139-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/2180-141-0x0000000006120000-0x0000000006170000-memory.dmp
  Filesize: 320KB
- memory/3196-136-0x0000000000000000-mapping.dmp
- memory/3200-130-0x0000000000CC0000-0x0000000000D52000-memory.dmp
  Filesize: 584KB
- memory/3200-131-0x0000000005BC0000-0x0000000006164000-memory.dmp
  Filesize: 5.6MB
- memory/3200-132-0x0000000005710000-0x00000000057A2000-memory.dmp
  Filesize: 584KB
- memory/3200-133-0x0000000006350000-0x00000000064D6000-memory.dmp
  Filesize: 1.5MB
- memory/3200-134-0x0000000006170000-0x000000000620C000-memory.dmp
  Filesize: 624KB
- memory/3200-135-0x00000000014D0000-0x0000000001536000-memory.dmp
  Filesize: 408KB