Analysis
- max time kernel: 112s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: Signed Invoice, Shipment and Payment.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Signed Invoice, Shipment and Payment.exe
- Resource: win10v2004-20220414-en
General
- Target: Signed Invoice, Shipment and Payment.exe
- Size: 453KB
- MD5: c7a425e4de5f5e6bf65547a72db0f972
- SHA1: 8899da2c5576fc11920dfede5330dc868e1b6b65
- SHA256: c79e56ff3aa04021d7c99b5d638034780cafce941ff6039fb3bae407c1257e54
- SHA512: 95f0202a7c9a74bfb365c28acd710b9171b69beccdcd45bc387123e98b8dfab9f398ab39b8ba2fb9e3a5a1634b37949daf5b5eaad83560c502506b6862510da3
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: HighKEY@#@@#
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes (resource | yara_rule):
  - behavioral2/memory/4112-134-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 3584 set thread context of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 3584 | Signed Invoice, Shipment and Payment.exe
  - 4112 | RegSvcs.exe
  - 4112 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 3584 | Signed Invoice, Shipment and Payment.exe
  - Token: SeDebugPrivilege | 4112 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
  - PID 3584 wrote to memory of 4112 | 3584 | Signed Invoice, Shipment and Payment.exe | RegSvcs.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Signed Invoice, Shipment and Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Signed Invoice, Shipment and Payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3584-130-0x0000000000F80000-0x0000000000FF8000-memory.dmp (Filesize: 480KB)
- memory/3584-131-0x0000000005C00000-0x0000000005C9C000-memory.dmp (Filesize: 624KB)
- memory/3584-132-0x0000000005EB0000-0x0000000005F42000-memory.dmp (Filesize: 584KB)
- memory/4112-133-0x0000000000000000-mapping.dmp
- memory/4112-134-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/4112-135-0x0000000005BE0000-0x0000000006184000-memory.dmp (Filesize: 5.6MB)
- memory/4112-136-0x00000000063D0000-0x0000000006436000-memory.dmp (Filesize: 408KB)
- memory/4112-137-0x0000000006990000-0x00000000069E0000-memory.dmp (Filesize: 320KB)
- memory/4112-138-0x0000000006A90000-0x0000000006A9A000-memory.dmp (Filesize: 40KB)