Analysis
max time kernel: 149s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 00:58
Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: Payment Slip.exe
Resource: win10v2004-20220414-en (windows10-2004_x64)
0 signatures, 0 seconds
General
Target: Payment Slip.exe
Size: 546KB
MD5: cb6aca6228059b7dbb2b89c5937e8e1f
SHA1: 21e41b59c39476968c2259d7ce9089aa3a819a91
SHA256: cbf2153e97011d74d46c765fe0209f95d26671bd0f640322131f02895898e50a
SHA512: c28a59bfb238378cc4f32e087e3c866fba95ec97f6cd49c845b56e05e052df44eebc5cf4eae96aa1e453c7b5f853a215640faab03c59d389ab571a3b51c2282b
Malware Config
Extracted
Family: agenttesla
Credentials
Protocol: smtp
Host: mail.puntomesa.com
Port: 587
Username: [email protected]
Password: }k}kebLYY75V
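How settings like the SMTP host and port above are typically recovered from an unpacked dump such as memory/1032-136 (the region where the AgentTesla YARA rule matched): the following is an added example, not part of the Triage report and not the sandbox's own extractor. It carves ASCII and UTF-16LE strings (the .NET runtime stores string objects as UTF-16LE, so a managed stealer's config lives in that form) from a constructed byte buffer and flags mail-server hostnames, common SMTP ports and e-mail addresses. The buffer, the `user@example.invalid` placeholder (the report redacts the real username, which is not reproduced here) and the classification heuristics are assumptions for illustration.

```python
"""Carve ASCII and UTF-16LE strings from a memory dump and flag the
strings that look like SMTP exfiltration settings.

Added example, not part of the sandbox report.  The byte buffer built by
constructed_dump() is a stand-in for a region such as memory/1032-136,
not the real dump; the classification heuristics are assumptions."""
import re
from typing import Dict, Iterator, List, NamedTuple


class Hit(NamedTuple):
    offset: int      # byte offset of the string inside the dump
    encoding: str    # "ascii" or "utf16le"
    text: str


def carve_strings(buf: bytes, min_len: int = 4) -> Iterator[Hit]:
    """Yield printable runs in both encodings (what `strings -a` and
    `strings -el` give you).  .NET string objects are UTF-16LE, so a
    dump of a managed process keeps its config in the second form."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(buf):
        yield Hit(m.start(), "ascii", m.group().decode("ascii"))
    for m in utf16_run.finditer(buf):
        yield Hit(m.start(), "utf16le", m.group().decode("utf-16-le"))


# Heuristics for the three fields a mail-exfil config needs (assumptions).
MAIL_HOST = re.compile(r"^(?:mail|smtp|mx)\d*\.[a-z0-9.-]+\.[a-z]{2,}$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
SMTP_PORTS = {"25", "465", "587", "2525"}


def find_smtp_config(buf: bytes) -> Dict[str, List[Hit]]:
    """Return candidate host / port / user strings with their offsets.
    min_len=2 so short port numbers survive; only classified hits are
    kept, so the extra noise from short runs costs nothing."""
    found: Dict[str, List[Hit]] = {"host": [], "port": [], "user": []}
    for hit in carve_strings(buf, min_len=2):
        if MAIL_HOST.match(hit.text):
            found["host"].append(hit)
        elif hit.text in SMTP_PORTS:
            found["port"].append(hit)
        elif EMAIL.match(hit.text):
            found["user"].append(hit)
    return found


def constructed_dump() -> bytes:
    """Constructed stand-in for an unpacked dump: header-like junk, the
    managed (UTF-16LE) strings a stealer keeps, then native ASCII strings.
    Host and port are the report's extracted values; the username is a
    placeholder because the report redacts it."""
    managed = ["mail.puntomesa.com", "587", "user@example.invalid"]
    parts = [b"MZ\x90\x00" + bytes(range(0x00, 0x40))]
    for s in managed:
        # a .NET String object keeps a 4-byte char count right before the
        # chars (the method-table pointer ahead of it is omitted here)
        parts.append(len(s).to_bytes(4, "little"))
        parts.append(s.encode("utf-16-le") + b"\x00\x00")
    parts.append(b"System.Net.Mail.SmtpClient\x00.NETFramework,Version=v4.0\x00")
    return b"".join(parts)


if __name__ == "__main__":
    for field, hits in find_smtp_config(constructed_dump()).items():
        for h in hits:
            print(f"{field:5} {h.encoding:8} 0x{h.offset:06x} {h.text}")
```

Run it against a real dump by replacing `constructed_dump()` with `open(path, "rb").read()`; the offsets it prints are what you carry into a YARA rule or into a config-extractor that walks the surrounding .NET string objects. Passwords cannot be recognised by shape, so they are found by adjacency to the host and username hits rather than by a pattern.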
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (its original builds were written in Visual Basic .NET). It harvests saved credentials from browsers and mail clients and sends them to an operator-controlled mailbox, FTP server or web panel; the SMTP account in the extracted config above is this sample's exfiltration channel.
AgentTesla Payload (1 IoC)
Processes:
resource: behavioral2/memory/1032-136-0x0000000000400000-0x0000000000466000-memory.dmp
yara_rule: family_agenttesla
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The 9375CFF0413111d3B88A00104B2A6676 subkey is Outlook's profile account store, where configured mail accounts and their saved passwords are kept; the three paths are the legacy Windows Messaging Subsystem location and the Office 2016 and 2013 locations. A process other than Outlook opening it is reading stored mail credentials.
Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 3108 (Payment Slip.exe) set thread context of PID 1032 (RegSvcs.exe)
Taken together with the eight WriteProcessMemory calls below into the same child and the AgentTesla YARA match in PID 1032's 0x400000-0x466000 region, this is the process-hollowing sequence: the dropper starts a legitimate .NET utility, overwrites its image with the unpacked payload, and redirects the main thread to the new entry point.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
PID 3108 Payment Slip.exe (3 times)
PID 1032 RegSvcs.exe (2 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege adjusted by PID 3108 (Payment Slip.exe)
Token: SeDebugPrivilege adjusted by PID 1032 (RegSvcs.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 3108 (Payment Slip.exe) wrote to memory of PID 1032 (RegSvcs.exe), 8 times
outlook_office_path (1 IoC)
Processes:
Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
Processes:
Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
   PID: 3108
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (spawned by PID 3108)
      Command line: "{path}"
      PID: 1032
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
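The two findings in this report that matter for detection are the hollowing chain (a dropper in a user-writable path spawns a .NET utility host, writes into it, then calls SetThreadContext) and a non-Outlook process opening the Outlook profile account store. The following is an added example, not Triage's own signature logic: a small correlator over sandbox-style behaviour events. The EVENTS list is constructed from the process tree and signature tables above; the .NET host list, the user-writable-path regex and the severity thresholds are assumptions.

```python
"""Correlate sandbox-style behaviour events into the two findings the
report above shows: hollowing of a .NET utility host (SetThreadContext
plus WriteProcessMemory into a freshly spawned child) and reads of the
Outlook profile account store.

Added example, not Triage's own detection logic.  EVENTS is constructed
from the report's process tree and signature tables; the host list, path
regex and severity thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List

# .NET utility binaries whose legitimate, signed image makes them popular
# hollowing targets (illustrative list, assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                "msbuild.exe", "applaunch.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.I)
# Outlook profile account store; the Office-versioned paths and the legacy
# "Windows Messaging Subsystem" path all end in this subkey.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Profiles\\Outlook\\9375CFF0413111D3B88A00104B2A6676", re.I)

HKU = "\\REGISTRY\\USER\\S-1-5-21-3751123196-3323558407-1869646069-1000"
OUTLOOK_KEYS = [  # the three keys the report lists
    HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]
EVENTS: List[dict] = [  # constructed from the report, not an exported log
    {"type": "process", "pid": 3108, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"},
    {"type": "process", "pid": 1032, "ppid": 3108,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    *[{"type": "api", "pid": 3108, "target": 1032, "api": "WriteProcessMemory"}
      for _ in range(8)],
    {"type": "api", "pid": 3108, "target": 1032, "api": "SetThreadContext"},
    {"type": "api", "pid": 3108, "api": "AdjustTokenPrivileges", "priv": "SeDebugPrivilege"},
    *[{"type": "reg_open", "pid": 1032, "key": k} for k in OUTLOOK_KEYS],
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(events: List[dict]) -> List[dict]:
    """Flag (writer, target) pairs where one process both writes into
    another and resets its thread context.  A lone WriteProcessMemory is
    too common (debuggers, crash handlers) to alert on; the pair is the
    hollowing signature, and the extra checks raise the severity."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes: Dict[tuple, int] = defaultdict(int)
    ctx = set()
    for e in events:
        if e["type"] != "api" or "target" not in e:
            continue
        pair = (e["pid"], e["target"])
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add(pair)
    alerts = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue
        s, d = procs.get(src, {}), procs.get(dst, {})
        reasons = ["SetThreadContext after %d WriteProcessMemory calls" % writes[(src, dst)]]
        if d.get("ppid") == src:
            reasons.append("target is a child of the writer")
        if _basename(d.get("image", "")) in DOTNET_HOSTS:
            reasons.append("target is a .NET utility host")
        if USER_WRITABLE.search(s.get("image", "")):
            reasons.append("writer runs from a user-writable path")
        alerts.append({"rule": "process_hollowing", "src": src, "dst": dst,
                       "severity": "high" if len(reasons) >= 3 else "medium",
                       "reasons": reasons})
    return alerts


def detect_outlook_credential_access(events: List[dict]) -> List[dict]:
    """Any process other than Outlook itself opening the profile account
    store is reading stored mail credentials (AgentTesla's Outlook module)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    keys: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        if e["type"] == "reg_open" and OUTLOOK_PROFILE_KEY.search(e["key"]):
            image = procs.get(e["pid"], {}).get("image", "")
            if _basename(image) != "outlook.exe":
                keys[e["pid"]].append(e["key"])
    return [{"rule": "outlook_profile_access", "pid": pid, "keys": k}
            for pid, k in keys.items()]


def analyze(events: List[dict]) -> Dict[str, List[dict]]:
    return {"hollowing": detect_hollowing(events),
            "outlook": detect_outlook_credential_access(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

On a real endpoint the same logic maps onto Sysmon: Event ID 1 supplies the process and parent images, Event ID 8/10 (CreateRemoteThread, ProcessAccess with write and set-context rights) stands in for the API pair, and registry handle audits (Security 4656/4663 on the Outlook profile key) supply the reg_open events. The sandbox's view is only cleaner because it hooks the API directly.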
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1032-135-0x0000000000000000-mapping.dmp
memory/1032-136-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
memory/1032-137-0x0000000005DC0000-0x0000000005E26000-memory.dmp (Filesize: 408KB)
memory/1032-138-0x0000000006580000-0x00000000065D0000-memory.dmp (Filesize: 320KB)
memory/3108-130-0x0000000000C00000-0x0000000000C8E000-memory.dmp (Filesize: 568KB)
memory/3108-131-0x00000000080A0000-0x0000000008644000-memory.dmp (Filesize: 5.6MB)
memory/3108-132-0x0000000007B90000-0x0000000007C22000-memory.dmp (Filesize: 584KB)
memory/3108-133-0x0000000007B00000-0x0000000007B0A000-memory.dmp (Filesize: 40KB)
memory/3108-134-0x000000000A060000-0x000000000A0FC000-memory.dmp (Filesize: 624KB)
Each name encodes the PID, a dump index and the virtual address range, and the sizes match the ranges (0x466000 - 0x400000 = 0x66000 = 408KB). memory/1032-136 is the 0x400000 image-base region of the hollowed RegSvcs.exe where the AgentTesla YARA rule matched, so it is the dump to take for unpacking and config extraction; memory/1032-137 is a second 408KB region, the same size as the injected image, at 0x5DC0000.