Analysis
- max time kernel: 118s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: Penalty OrderKRA202020882831.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Penalty OrderKRA202020882831.exe
- Resource: win10v2004-20220414-en
General
- Target: Penalty OrderKRA202020882831.exe
- Size: 424KB
- MD5: 83ffaf5f8729b1a4ff7428a5082e4c71
- SHA1: b199ad3a800fcd13767a4013d3f04858d9ccf4ae
- SHA256: 9188e0249f301926e45fe1247169c6f08f7a6dbf617af223bf9af5f9e4a4746f
- SHA512: 13d7279558b3e826d3e0efbd43820a3e623f97ae61f756de4d213ae3b8e418828ed6dcfe3f8051fab0b8424a1c94b98ab8e036662bdf660a2ec4060aa605bd67
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.chirophysic.co.ke
- Port: 587
- Username: [email protected]
- Password: hungry11111@
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 1 IoCs
Processes:
resource: behavioral2/memory/4972-137-0x0000000000400000-0x000000000044C000-memory.dmp | yara_rule: family_agenttesla
- Drops file in Drivers directory 1 IoCs
Processes:
description: File opened for modification | ioc: C:\Windows\system32\drivers\etc\hosts | process: Penalty OrderKRA202020882831.exe
- Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | process: Penalty OrderKRA202020882831.exe
- Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: Penalty OrderKRA202020882831.exe
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: Penalty OrderKRA202020882831.exe
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: Penalty OrderKRA202020882831.exe
- Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2424 set thread context of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid: 4972 | process: Penalty OrderKRA202020882831.exe
pid: 4972 | process: Penalty OrderKRA202020882831.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege | pid: 4972 | process: Penalty OrderKRA202020882831.exe
- Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description: PID 2424 wrote to memory of 4692 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: schtasks.exe
description: PID 2424 wrote to memory of 4692 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: schtasks.exe
description: PID 2424 wrote to memory of 4692 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: schtasks.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 2424 wrote to memory of 4972 | pid: 2424 | process: Penalty OrderKRA202020882831.exe | target process: Penalty OrderKRA202020882831.exe
description: PID 4972 wrote to memory of 4032 | pid: 4972 | process: Penalty OrderKRA202020882831.exe | target process: REG.exe
description: PID 4972 wrote to memory of 4032 | pid: 4972 | process: Penalty OrderKRA202020882831.exe | target process: REG.exe
description: PID 4972 wrote to memory of 4032 | pid: 4972 | process: Penalty OrderKRA202020882831.exe | target process: REG.exe
- outlook_office_path 1 IoCs
Processes:
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: Penalty OrderKRA202020882831.exe
- outlook_win_path 1 IoCs
Processes:
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: Penalty OrderKRA202020882831.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVscVsXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25B8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Penalty OrderKRA202020882831.exe (depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp25B8.tmp
  Filesize: 1KB
  MD5: e71252e374333bf67f0d43bea7206580
  SHA1: 22e7ffdecf1dbc3a79b95b63f408c1e4c3383f46
  SHA256: b2d0cda23079985630ec79ee22cda97f079db9db93bcf37e4ee336a48973c11e
  SHA512: 603a565a586e6e10bb3ce59c0c3cb8ebbb9b5d8f0a40cadf769233bbe8ca3744669dff3144c10e9f0771141cce469a8e160479f17be68cad8262aa60e851ae6d
- memory/2424-130-0x0000000000E10000-0x0000000000E80000-memory.dmp (Filesize: 448KB)
- memory/2424-131-0x00000000058B0000-0x000000000594C000-memory.dmp (Filesize: 624KB)
- memory/2424-132-0x0000000005950000-0x00000000059E2000-memory.dmp (Filesize: 584KB)
- memory/2424-133-0x0000000006730000-0x0000000006CD4000-memory.dmp (Filesize: 5.6MB)
- memory/4032-140-0x0000000000000000-mapping.dmp
- memory/4692-134-0x0000000000000000-mapping.dmp
- memory/4972-136-0x0000000000000000-mapping.dmp
- memory/4972-137-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/4972-138-0x0000000005550000-0x00000000055B6000-memory.dmp (Filesize: 408KB)
- memory/4972-139-0x0000000006260000-0x00000000062B0000-memory.dmp (Filesize: 320KB)
- memory/4972-141-0x00000000064D0000-0x00000000064DA000-memory.dmp (Filesize: 40KB)