Overview

overview

10

Static

static

Proposal catalog.exe

windows7_x64

10

Proposal catalog.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proposal catalog.exe

  • Size

    703KB

  • MD5

    0099266be4fb71dfc25be49fb34df81a

  • SHA1

    3e8580f27bcdae7564f719110d8592a030c7c25e

  • SHA256

    a1ec16ea0d0f8133dfb05368d5137b6e49d90039dddabe9bb46b3bbc5278fc26

  • SHA512

    8f97a6ca5e9158d73b29da4845e64794e553637d383cf700a4b293d0b34b8b88140707707830cafdfaf3359a97fcfaac19caac420aeb34950fee07d3610ce486

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    gallery

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe
    "C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4460
    • C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proposal catalog.exe.log
    Filesize

    496B

    MD5

    7baa6583f69f63f7230df9bf98448356

    SHA1

    fe9eb85b57192362da704a3c130377fe83862320

    SHA256

    a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f

    SHA512

    0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp
    Filesize

    1KB

    MD5

    072541fbcc0f05e7e00afb8876087822

    SHA1

    0a1a6ad25a4a546520fe21bed23b4dd56f5ea7f5

    SHA256

    8a98b2e2084e096028123a79228bc1b11f12179aecfbe53759b3e0805f973116

    SHA512

    07074f512ee920a787af3d49d982795121051cc5cd1ce01d115aab63cd800fd58f2f57e73dafb96151e57ada9d2e407e370abc9c56d8ab604d118dad93c1412d

    Download Submit
  • memory/2996-130-0x0000000075400000-0x00000000759B1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4404-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4404-134-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4404-136-0x0000000075400000-0x00000000759B1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4460-131-0x0000000000000000-mapping.dmp
    Download