Analysis
-
max time kernel
156s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:39
Static task
static1
Behavioral task
behavioral1
Sample
Proposal catalog.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Proposal catalog.exe
Resource
win10v2004-20220414-en
General
-
Target
Proposal catalog.exe
-
Size
703KB
-
MD5
0099266be4fb71dfc25be49fb34df81a
-
SHA1
3e8580f27bcdae7564f719110d8592a030c7c25e
-
SHA256
a1ec16ea0d0f8133dfb05368d5137b6e49d90039dddabe9bb46b3bbc5278fc26
-
SHA512
8f97a6ca5e9158d73b29da4845e64794e553637d383cf700a4b293d0b34b8b88140707707830cafdfaf3359a97fcfaac19caac420aeb34950fee07d3610ce486
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
gallery
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4404-134-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Proposal catalog.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Proposal catalog.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Proposal catalog.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moyJBo = "C:\\Users\\Admin\\AppData\\Roaming\\moyJBo\\moyJBo.exe" Proposal catalog.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Proposal catalog.exedescription pid process target process PID 2996 set thread context of 4404 2996 Proposal catalog.exe Proposal catalog.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Proposal catalog.exeProposal catalog.exepid process 2996 Proposal catalog.exe 2996 Proposal catalog.exe 2996 Proposal catalog.exe 2996 Proposal catalog.exe 2996 Proposal catalog.exe 2996 Proposal catalog.exe 4404 Proposal catalog.exe 4404 Proposal catalog.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Proposal catalog.exeProposal catalog.exedescription pid process Token: SeDebugPrivilege 2996 Proposal catalog.exe Token: SeDebugPrivilege 4404 Proposal catalog.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Proposal catalog.exedescription pid process target process PID 2996 wrote to memory of 4460 2996 Proposal catalog.exe schtasks.exe PID 2996 wrote to memory of 4460 2996 Proposal catalog.exe schtasks.exe PID 2996 wrote to memory of 4460 2996 Proposal catalog.exe schtasks.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe PID 2996 wrote to memory of 4404 2996 Proposal catalog.exe Proposal catalog.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe"C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6987.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Proposal catalog.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proposal catalog.exe.logFilesize
496B
MD57baa6583f69f63f7230df9bf98448356
SHA1fe9eb85b57192362da704a3c130377fe83862320
SHA256a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
SHA5120e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
-
C:\Users\Admin\AppData\Local\Temp\tmp6987.tmpFilesize
1KB
MD5072541fbcc0f05e7e00afb8876087822
SHA10a1a6ad25a4a546520fe21bed23b4dd56f5ea7f5
SHA2568a98b2e2084e096028123a79228bc1b11f12179aecfbe53759b3e0805f973116
SHA51207074f512ee920a787af3d49d982795121051cc5cd1ce01d115aab63cd800fd58f2f57e73dafb96151e57ada9d2e407e370abc9c56d8ab604d118dad93c1412d
-
memory/2996-130-0x0000000075400000-0x00000000759B1000-memory.dmpFilesize
5.7MB
-
memory/4404-133-0x0000000000000000-mapping.dmp
-
memory/4404-134-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4404-136-0x0000000075400000-0x00000000759B1000-memory.dmpFilesize
5.7MB
-
memory/4460-131-0x0000000000000000-mapping.dmp