Analysis
- max time kernel: 173s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: PO10007986.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO10007986.exe
- Resource: win10v2004-20220414-en
General
- Target: PO10007986.exe
- Size: 714KB
- MD5: e8975481528a738ad90dfb17f18ab9d6
- SHA1: 886051a6c3c292f1fcb0dc37496eab10ed57c865
- SHA256: 77a1ede94526537eaafb97d3988163df0f3cd6887d762faa2db61e49bdeefc02
- SHA512: 4157640c3749bf81ede2e96437af10d43e5d9b79ab1b838fe170ebcd185f1dcf2c23b3523834f0f55e5dda752f70d246d445e15ed9f4bb2f969046f1c26364ef
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.malkocbebe.com
- Port: 587
- Username: [email protected]
- Password: Malkoc2020*
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4740-135-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | PO10007986.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO10007986.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO10007986.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO10007986.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 2696 set thread context of 4740 | 2696 | PO10007986.exe | PO10007986.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid | process
    2696 | PO10007986.exe (8 identical entries)
    4740 | PO10007986.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2696 | PO10007986.exe
    Token: SeDebugPrivilege | 4740 | PO10007986.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 2696 wrote to memory of 5028 | 2696 | PO10007986.exe | schtasks.exe (3 identical entries)
    PID 2696 wrote to memory of 644 | 2696 | PO10007986.exe | PO10007986.exe (3 identical entries)
    PID 2696 wrote to memory of 4740 | 2696 | PO10007986.exe | PO10007986.exe (8 identical entries)
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO10007986.exe
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | PO10007986.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO10007986.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO10007986.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zKxRUWZXnCauW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA539.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\PO10007986.exe
      Command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\PO10007986.exe
      Command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO10007986.exe.log
  Filesize: 496B
  MD5: 7baa6583f69f63f7230df9bf98448356
  SHA1: fe9eb85b57192362da704a3c130377fe83862320
  SHA256: a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
  SHA512: 0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
- C:\Users\Admin\AppData\Local\Temp\tmpA539.tmp
  Filesize: 1KB
  MD5: 4c35cbe0f1dd82776c9ad047177452fa
  SHA1: a197d7c32044ce36481f84adfa0cd63569e18bd1
  SHA256: 791914dd29f17dd3b0d415705cf0285e51ecb5c1f8eb0099a6fd20e66fe7aae0
  SHA512: 616898c0425a5481e4a8515554b22ee2a2c35d27cb603a9fd1a45716876cae2ecf2bb6fd3cb5648faaceea31334cf0307bf45270fcd81f3f8cf2675c9a6ff1d5
- memory/644-133-0x0000000000000000-mapping.dmp
- memory/2696-130-0x0000000074D70000-0x0000000075321000-memory.dmp
  Filesize: 5.7MB
- memory/4740-134-0x0000000000000000-mapping.dmp
- memory/4740-135-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/4740-137-0x0000000074D70000-0x0000000075321000-memory.dmp
  Filesize: 5.7MB
- memory/5028-131-0x0000000000000000-mapping.dmp