Analysis
- max time kernel: 134s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: Penalty OrderKRA202020882831.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Penalty OrderKRA202020882831.exe
- Resource: win10v2004-20220414-en
General
- Target: Penalty OrderKRA202020882831.exe
- Size: 424KB
- MD5: 83ffaf5f8729b1a4ff7428a5082e4c71
- SHA1: b199ad3a800fcd13767a4013d3f04858d9ccf4ae
- SHA256: 9188e0249f301926e45fe1247169c6f08f7a6dbf617af223bf9af5f9e4a4746f
- SHA512: 13d7279558b3e826d3e0efbd43820a3e623f97ae61f756de4d213ae3b8e418828ed6dcfe3f8051fab0b8424a1c94b98ab8e036662bdf660a2ec4060aa605bd67
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.chirophysic.co.ke
- Port: 587
- Username: [email protected]
- Password: hungry11111@
These are the operator's drop-mailbox credentials, not a victim's: the stealer logs in to this SMTP server to mail out harvested data, so the host and port are the exfiltration endpoint to block and hunt for.
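The configuration above is the sample's exfiltration channel. The following Python is added here as a worked example and is not part of the sandbox report: it parses a config block in this key/value layout and runs two hunting checks over endpoint network-flow records, an exact match against the extracted host and port, and a generic rule for SMTP submission ports used by any process that is not a known mail client (which also catches rebuilt samples whose mailbox differs from this one). The flow records and the mail-client allow-list are constructed for the demonstration; the report's own Network section is empty.

```python
"""Hunting checks derived from an extracted Agent Tesla SMTP configuration.

Added example, not part of the sandbox report. CONFIG_TEXT copies the
host/port from the report; SAMPLE_FLOWS and MAIL_CLIENTS are constructed
assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

CONFIG_TEXT = """\
Protocol: smtp
Host: mail.chirophysic.co.ke
Port: 587
"""

# Processes expected to speak SMTP submission from an endpoint (assumption;
# tune to the environment).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def parse_config(text: str) -> Dict[str, object]:
    """Parse 'Key: value' lines into a dict.

    Keys are lower-cased, the port becomes an int and the host is normalised
    (lower case, trailing dot stripped) so it compares cleanly with DNS/proxy
    log fields.
    """
    cfg: Dict[str, object] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "port":
            cfg[key] = int(value)
        elif key == "host":
            cfg[key] = value.lower().rstrip(".")
        else:
            cfg[key] = value
    return cfg


@dataclass(frozen=True)
class Flow:
    image: str      # full path of the process that opened the connection
    dst_host: str   # destination host name from DNS/proxy correlation
    dst_port: int


@dataclass(frozen=True)
class Finding:
    image: str
    dst: str
    reason: str


def hunt(cfg: Dict[str, object], flows: List[Flow]) -> List[Finding]:
    """Match flows against the extracted C2 and against generic SMTP abuse.

    Rule 1 'c2-match': destination equals the configured host and port.
    Rule 2 'smtp-from-non-mail-client': any SMTP submission port used by a
    process that is not a known mail client.
    """
    findings: List[Finding] = []
    for f in flows:
        host = f.dst_host.lower().rstrip(".")
        proc = f.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        dst = f"{host}:{f.dst_port}"
        if host == cfg.get("host") and f.dst_port == cfg.get("port"):
            findings.append(Finding(f.image, dst, "c2-match"))
        elif f.dst_port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            findings.append(Finding(f.image, dst, "smtp-from-non-mail-client"))
    return findings


# Constructed flow records (not from the report): one legitimate Outlook
# submission, the sample talking to the configured host (mixed case and a
# trailing dot to exercise normalisation), a hypothetical non-mail process
# using SMTPS, and ordinary HTTPS that must not fire.
SAMPLE_FLOWS = [
    Flow(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "smtp.office365.com", 587),
    Flow(r"C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe",
         "MAIL.chirophysic.co.ke.", 587),
    Flow(r"C:\Users\Admin\AppData\Roaming\svchost.exe", "mail.example.net", 465),
    Flow(r"C:\Windows\System32\svchost.exe", "update.microsoft.com", 443),
]

if __name__ == "__main__":
    for hit in hunt(parse_config(CONFIG_TEXT), SAMPLE_FLOWS):
        print(f"{hit.reason:28} {hit.image} -> {hit.dst}")
```

The second rule is the one worth keeping after this sample is blocked: Agent Tesla builds are reconfigured per campaign, so the stable signal is an unexpected process speaking SMTP submission, not this particular mailbox.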
Signatures
- AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); this build exfiltrates over SMTP using the credentials in the Malware Config above.
- AgentTesla Payload (6 IoCs)
Processes (resource: YARA rule):
  - behavioral1/memory/1712-62-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1712-63-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1712-64-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1712-65-0x000000000044762E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1712-67-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1712-69-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
All six hits are in the 0x00400000-0x0044C000 image of the child process (PID 1712), the copy of the sample that the parent hollowed; the 1712-65 mapping dump lies at 0x0044762E inside that same image. The parent's own dumps (PID 1376) carry no AgentTesla hit, only the packer.
- ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes (resource: YARA rule):
  - behavioral1/memory/1376-56-0x00000000041E0000-0x0000000004234000-memory.dmp: rezer0
The hit is in a 336KB heap region of the parent (PID 1376), i.e. the unpacking stage that runs before the payload is written into the child.
- Drops file in Drivers directory (1 IoC)
Processes (description: IoC, process):
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (Penalty OrderKRA202020882831.exe)
The signature name is generic; the actual IoC is a write-access open of the hosts file. A modified hosts file lets malware redirect or black-hole name lookups (for example for security-vendor or update domains); what, if anything, was written is not captured in this report, so the file should be diffed against a known-good copy on any host where this sample ran.
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description: IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Penalty OrderKRA202020882831.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Penalty OrderKRA202020882831.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Penalty OrderKRA202020882831.exe)
The three keys are the Outlook 2013 (15.0), legacy Windows Messaging Subsystem and Outlook 2016+ (16.0) profile stores; the stealer tries all of them because stored account passwords live under whichever one the installed version uses.
- Suspicious use of SetThreadContext (1 IoC)
Processes (description: PID, process, target PID, target process):
  - PID 1376 (Penalty OrderKRA202020882831.exe) set thread context of PID 1712 (Penalty OrderKRA202020882831.exe)
Both processes run the same image: the parent spawned a second copy of itself (PID 1712, command line "{path}" in the process tree below), wrote into its memory and then set its thread context. This is the self-hollowing (RunPE) pattern, and it is why every AgentTesla YARA hit is in the child rather than in the file on disk.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample it is better explained by the stealer profiling the host and its drives, and no encryption or mass file modification is recorded anywhere in this report.
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Updates\pVscVsXY and is defined by the XML file tmp7F5E.tmp dropped in the user's Temp directory (listed under Downloads with its hashes).
- Modifies registry key (1 TTP, 1 IoC)
The modification is the REG add of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1 shown in the process tree, which hides the running payload from a user who opens Task Manager.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (PID, process):
  - 1712 Penalty OrderKRA202020882831.exe
  - 1712 Penalty OrderKRA202020882831.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description: PID, process):
  - Token: SeDebugPrivilege, PID 1712 (Penalty OrderKRA202020882831.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description: PID, process, target PID, target process), grouped:
  - PID 1376 (Penalty OrderKRA202020882831.exe) wrote to memory of PID 1320 (schtasks.exe): 4 events
  - PID 1376 (Penalty OrderKRA202020882831.exe) wrote to memory of PID 1712 (Penalty OrderKRA202020882831.exe): 9 events
  - PID 1712 (Penalty OrderKRA202020882831.exe) wrote to memory of PID 824 (REG.exe): 4 events
The four writes each into schtasks.exe and REG.exe match the baseline a parent performs when it creates a child; the nine writes into the same-image child (PID 1712) are the payload being placed before SetThreadContext.
- outlook_office_path (1 IoC)
Processes (description: IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Penalty OrderKRA202020882831.exe)
- outlook_win_path (1 IoC)
Processes (description: IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Penalty OrderKRA202020882831.exe)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe (PID 1376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 1320)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVscVsXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe (PID 1712)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - [depth 3] C:\Windows\SysWOW64\REG.exe (PID 824)
      Command line (switch spacing as recorded by the sandbox): REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      - Modifies registry key
PIDs are taken from the signature tables above (1376 is the launcher, 1712 the hollowed child that carries the payload).
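The process tree above is a compact statement of the chain to detect: a launcher that spawns a same-image child and sets its thread context, a scheduled task defined from an XML file in %TEMP%, a hosts-file write, Outlook profile reads from a non-Office process, and a REG add of DisableTaskMgr. The following Python is added as a worked example and is not part of the sandbox report: it encodes each of those as a rule over a flat Sysmon/EDR-style event feed, attributes every finding back to the root of its process chain, and is run over constructed events that reproduce the reported chain plus two benign events (Outlook reading its own profile, an administrator creating a daily task) that must not fire. The event schema and the OFFICE_IMAGES allow-list are assumptions; PIDs, paths and command lines are copied from the report.

```python
"""Detection rules for the behaviour chain shown in the process tree.

Added example, not part of the sandbox report. The event schema (a flat
Sysmon/EDR-style feed) and OFFICE_IMAGES are assumptions; PIDs, image paths
and command lines are taken from the report, the events themselves are
constructed to reproduce it.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe"
OFFICE_IMAGES = {"outlook.exe"}  # processes allowed to read Outlook profiles

EVENTS: List[Dict[str, object]] = [
    {"type": "process_create", "pid": 1376, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1320, "ppid": 1376,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVscVsXY" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp"'},
    {"type": "process_create", "pid": 1712, "ppid": 1376, "image": SAMPLE,
     "cmdline": '"{path}"'},
    {"type": "set_thread_context", "pid": 1376, "target_pid": 1712},
    {"type": "file_open", "pid": 1712, "access": "write",
     "path": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "reg_key_open", "pid": 1712,
     "key": r"HKU\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft"
            r"\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # switch spacing exactly as recorded in the report
    {"type": "process_create", "pid": 824, "ppid": 1712,
     "image": r"C:\Windows\SysWOW64\REG.exe",
     "cmdline": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
                r"/ v DisableTaskMgr / t REG_DWORD / d 1 / f"},
    # benign (constructed): Outlook reading its own profile, admin-created daily task
    {"type": "process_create", "pid": 2000, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"type": "reg_key_open", "pid": 2000,
     "key": r"HKU\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft"
            r"\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "process_create", "pid": 2100, "ppid": 1000,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /TN Backup /TR C:\Scripts\backup.bat /SC DAILY"},
]

Finding = Tuple[str, int, int]  # (rule, pid, root pid of the process chain)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Dict[str, object]]) -> Dict[int, Dict[str, object]]:
    """Map pid -> process_create record so later events can be attributed."""
    return {int(e["pid"]): e for e in events if e["type"] == "process_create"}


def root_of(tree: Dict[int, Dict[str, object]], pid: int) -> int:
    """Walk ppid links up to the first process whose parent is not in the feed."""
    while pid in tree and int(tree[pid]["ppid"]) in tree:
        pid = int(tree[pid]["ppid"])
    return pid


def detect(events: List[Dict[str, object]]) -> List[Finding]:
    tree = build_tree(events)
    findings: List[Finding] = []

    def hit(rule: str, pid: int) -> None:
        findings.append((rule, pid, root_of(tree, pid)))

    for e in events:
        kind, pid = e["type"], int(e["pid"])
        proc = tree.get(pid)
        if kind == "set_thread_context":
            # Self-hollowing: parent sets the thread context of its own child
            # that runs the same image (the payload was written into it).
            tgt = tree.get(int(e["target_pid"]))
            if proc and tgt and int(tgt["ppid"]) == pid \
                    and str(tgt["image"]).lower() == str(proc["image"]).lower():
                hit("self-hollowing-via-setthreadcontext", int(e["target_pid"]))
        elif kind == "process_create":
            img, cmd = _basename(str(e["image"])), str(e["cmdline"])
            # Scheduled task defined by an XML file dropped in %TEMP%.
            if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                    and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', cmd, re.I):
                hit("schtasks-xml-from-temp", pid)
            # Task Manager disabled via Policies\System; the regex tolerates the
            # spacing of the switches as logged.
            if img == "reg.exe" and re.search(r"policies\\system", cmd, re.I) \
                    and re.search(r"/\s*v\s+disabletaskmgr", cmd, re.I) \
                    and re.search(r"/\s*d\s+1\b", cmd, re.I):
                hit("disabletaskmgr-policy", pid)
        elif kind == "file_open":
            # hosts file opened for writing by a process outside C:\Windows.
            if proc and e.get("access") == "write" \
                    and str(e["path"]).lower().endswith(r"\drivers\etc\hosts") \
                    and not str(proc["image"]).lower().startswith("c:\\windows\\"):
                hit("hosts-file-write-by-non-system-process", pid)
        elif kind == "reg_key_open":
            # Outlook profile store read by a non-Office process (credential access).
            if proc and re.search(r"\\outlook\\profiles\\", str(e["key"]), re.I) \
                    and _basename(str(proc["image"])) not in OFFICE_IMAGES:
                hit("outlook-profile-access", pid)
    return findings


if __name__ == "__main__":
    for rule, pid, root in detect(EVENTS):
        print(f"{rule:42} pid={pid} chain-root={root}")
```

Every finding resolves to chain root 1376, which is the point of carrying the process tree: an alert on the REG.exe child alone looks like a policy tweak, but attributed to a Temp-dwelling launcher that also hollowed itself it is clearly part of one infection.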
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp (1KB; the scheduled-task XML passed to schtasks /XML)
  MD5: 64b2d3ecbe2961d3180eaf403e024725
  SHA1: ebc50cdbddce429d26761d5a5ac2ac58c1d2feef
  SHA256: 0433c2000df9baa477653a83d4c4458106a6070fcb43da4d465cef77f3932911
  SHA512: d9d1dc11fe0d1139cdd7f3ce5da885b8247aa1a761e7812eccb5061e614af384636a5f5e1b58805bb3e20db6873d77fc8d62da038c2af51c4d7b9c7dbdada003
- memory/824-71-0x0000000000000000-mapping.dmp
- memory/1320-57-0x0000000000000000-mapping.dmp
- memory/1376-54-0x00000000008A0000-0x0000000000910000-memory.dmp (448KB)
- memory/1376-55-0x0000000000230000-0x0000000000242000-memory.dmp (72KB)
- memory/1376-56-0x00000000041E0000-0x0000000004234000-memory.dmp (336KB; rezer0 YARA hit)
- memory/1712-59-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1712-60-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1712-62-0x0000000000400000-0x000000000044C000-memory.dmp (304KB; family_agenttesla YARA hit)
- memory/1712-63-0x0000000000400000-0x000000000044C000-memory.dmp (304KB; family_agenttesla YARA hit)
- memory/1712-64-0x0000000000400000-0x000000000044C000-memory.dmp (304KB; family_agenttesla YARA hit)
- memory/1712-65-0x000000000044762E-mapping.dmp (family_agenttesla YARA hit)
- memory/1712-67-0x0000000000400000-0x000000000044C000-memory.dmp (304KB; family_agenttesla YARA hit)
- memory/1712-69-0x0000000000400000-0x000000000044C000-memory.dmp (304KB; family_agenttesla YARA hit)
- memory/1712-70-0x0000000075361000-0x0000000075363000-memory.dmp (8KB)
The repeated 304KB (0x4C000-byte) dumps of 0x00400000-0x0044C000 in PID 1712 are successive snapshots of the hollowed child's image, i.e. the unpacked AgentTesla payload; the 336KB region in PID 1376 is the parent's unpacking buffer flagged as ReZer0. Carving the 1712 image dumps is the shortest route to the decoded binary, since the file on disk (424KB) is only the packer.