Analysis
- Max time kernel: 69s
- Max time network: 46s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 01:12
Static task: static1
Behavioral task: behavioral1
- Sample: payroll.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: payroll.exe
- Resource: win10v2004-20220414-en
General
- Target: payroll.exe
- Size: 703KB
- MD5: 5d92e59673df06713a2a37f7a4fbdafc
- SHA1: c188318d7a1e6367317c5c541145241ca1afe6f9
- SHA256: 2b80556f6cd49c291e54b1f0d7d3f15664958412ea6d2c36273e356de9081966
- SHA512: 54a638bc3bb6ba6ca40a0e73e75335a2be24c3e03de293b08ce1891d617e1f123cf09ac7ea6df682ce668b47f6503fc0c882c57171b45302f1114f5c9348f55b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: Logmein1
These are the operator's exfiltration mailbox credentials (outbound SMTP submission to smtp.yandex.com on port 587), not a victim's: they are the indicator to block at the egress and to report to the mail provider, and stolen data is expected to leave the host as e-mail to this account.
Signatures
- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and infostealer written in Visual Basic .NET; it harvests stored credentials from browsers, mail and FTP clients and sends them to an operator-controlled mailbox, which matches the extracted SMTP configuration above.
- AgentTesla Payload (2 IoCs)
  The family YARA rule matched two dumps of the same region in the injected child (PID 2028), i.e. the unpacked payload:
  Resource   YARA rule
  behavioral1/memory/2028-58-0x0000000000380000-0x00000000003D2000-memory.dmp   family_agenttesla
  behavioral1/memory/2028-57-0x0000000000380000-0x00000000003D2000-memory.dmp   family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process   Description   IoC
  payroll.exe   Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  payroll.exe   Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  payroll.exe   Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  Description   PID   Process   Target process
  PID 1904 set thread context of 2028   1904   payroll.exe   payroll.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID   Process
  1904   payroll.exe
  2028   payroll.exe
  2028   payroll.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  1904   payroll.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description   PID   Process
  Token: SeDebugPrivilege   2028   payroll.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description   PID   Process   Target process   Count
  PID 1904 wrote to memory of 2028   1904   payroll.exe   payroll.exe   4
  PID 2028 wrote to memory of 432   2028   payroll.exe   netsh.exe   4
- outlook_office_path (1 IoC)
  Process   Description   IoC
  payroll.exe   Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process   Description   IoC
  payroll.exe   Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\payroll.exe (PID 1904, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payroll.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payroll.exe (PID 2028, depth 2; second copy of the same image, target of the injection from PID 1904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\payroll.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (PID 432, depth 3)
      Command line: "netsh" wlan show profile
Reading the tree: the parent spawns a second copy of its own image, writes into it and resets its thread context (SetThreadContext after WriteProcessMemory and MapViewOfSection), which is the process-hollowing pattern; the AgentTesla YARA hits are in that child (PID 2028), which then opens the Outlook profile keys and spawns netsh to enumerate saved Wi-Fi profiles. The netsh binary comes from SysWOW64, so the sample runs as a 32-bit (WoW64) process on the x64 guest.
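The records above are flattened, one-line-per-IoC text, so a triage script that turns them into the two findings an analyst cares about (the self-injection chain and the credential-access indicators) is a useful companion. The following is an added example and is not part of the sandbox report: the record lines and command lines are copied from the report, but the grouping heuristic for hollowing, the Outlook store names and the ATT&CK mapping in the comments are this example's own assumptions.

```python
"""Triage of the behavioural records in the sandbox report above.

Added example, not part of the report: the record lines are copied from the
report, the heuristics and the ATT&CK labels in comments are assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the per-process records copied from the signature
# section, one record per line (the report runs them together on one line).
RECORDS = r"""
PID 1904 set thread context of 2028 1904 payroll.exe payroll.exe
PID 1904 wrote to memory of 2028 1904 payroll.exe payroll.exe
PID 1904 wrote to memory of 2028 1904 payroll.exe payroll.exe
PID 2028 wrote to memory of 432 2028 payroll.exe netsh.exe
PID 2028 wrote to memory of 432 2028 payroll.exe netsh.exe
Token: SeDebugPrivilege 2028 payroll.exe
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payroll.exe
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payroll.exe
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payroll.exe
"""

# Command lines from the process tree, keyed by PID (also from the report).
COMMAND_LINES = {
    1904: r'"C:\Users\Admin\AppData\Local\Temp\payroll.exe"',
    2028: r'"C:\Users\Admin\AppData\Local\Temp\payroll.exe"',
    432: '"netsh" wlan show profile',
}

INJECT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
KEY_RE = re.compile(r"^Key opened (.+) (\S+)$")   # path may contain spaces
SID_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.I)
OFFICE_RE = re.compile(r"\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I)
WMS_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)


def parse_records(text):
    """Split the flat records into typed events; lines matching nothing are skipped."""
    events = {"inject": [], "token": [], "regkey": []}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := INJECT_RE.match(line):
            src, api, dst, src_img, dst_img = m.groups()
            events["inject"].append({
                "src": int(src), "dst": int(dst),
                "api": "SetThreadContext" if api.startswith("set") else "WriteProcessMemory",
                "src_img": src_img, "dst_img": dst_img})
        elif m := TOKEN_RE.match(line):
            events["token"].append({"priv": m.group(1), "pid": int(m.group(2))})
        elif m := KEY_RE.match(line):
            events["regkey"].append({"path": m.group(1), "img": m.group(2)})
    return events


def hollowing_candidates(events):
    """A parent that both writes into a child and rewrites its thread context,
    where the child is a second copy of the parent's own image, is the
    suspended-process hollowing pattern (assumed ATT&CK mapping: T1055.012).
    Duplicate records for the same (parent, child) pair collapse into one."""
    apis, images = defaultdict(set), {}
    for e in events["inject"]:
        apis[(e["src"], e["dst"])].add(e["api"])
        images[(e["src"], e["dst"])] = (e["src_img"].lower(), e["dst_img"].lower())
    return sorted(
        (src, dst, images[(src, dst)][0])
        for (src, dst), seen in apis.items()
        if {"WriteProcessMemory", "SetThreadContext"} <= seen
        and images[(src, dst)][0] == images[(src, dst)][1])


def classify_outlook_key(path):
    """Name the Outlook profile store an opened key belongs to, or None."""
    if m := OFFICE_RE.search(path):
        store = f"Office {m.group(1)} Outlook profiles"
    elif WMS_RE.search(path):
        store = "Windows Messaging Subsystem profiles (Outlook 2010 and earlier)"
    else:
        return None
    sid = SID_RE.search(path)
    return {"sid": sid.group(1) if sid else None, "store": store}


def triage(text=RECORDS, command_lines=COMMAND_LINES):
    """Summarise the records into the findings an analyst would escalate."""
    events = parse_records(text)
    summary = {
        "hollowing": hollowing_candidates(events),
        "debug_privilege": sorted({e["pid"] for e in events["token"]
                                   if e["priv"] == "SeDebugPrivilege"}),
        "outlook_stores": [], "wifi_profile_dump": set(),
    }
    for k in events["regkey"]:
        if (c := classify_outlook_key(k["path"])):
            summary["outlook_stores"].append(c["store"])
    # A child netsh.exe run as "wlan show profile" lists saved Wi-Fi profiles;
    # the same command with key=clear would print the passphrases as well.
    for e in events["inject"]:
        cmd = command_lines.get(e["dst"], "")
        if e["dst_img"].lower() == "netsh.exe" and "wlan show profile" in cmd.lower():
            summary["wifi_profile_dump"].add((e["src"], e["dst"], cmd))
    summary["wifi_profile_dump"] = sorted(summary["wifi_profile_dump"])
    return summary


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the hollowing pair (1904 into 2028, both payroll.exe), the child holding SeDebugPrivilege, the three Outlook profile stores that were read, and the netsh Wi-Fi profile enumeration. The same parsers apply to other reports in this layout; only the record text and the PID-to-command-line map change.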
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)
- memory/432-61-0x0000000000000000-mapping.dmp
- memory/1904-54-0x00000000753B1000-0x00000000753B3000-memory.dmp (8KB)
- memory/1904-56-0x0000000000400000-0x00000000004B6000-memory.dmp (728KB; the parent's main image at the default base 0x400000)
- memory/2028-55-0x00000000004AE140-mapping.dmp
- memory/2028-58-0x0000000000380000-0x00000000003D2000-memory.dmp (328KB)
- memory/2028-57-0x0000000000380000-0x00000000003D2000-memory.dmp (328KB)
- memory/2028-60-0x0000000074950000-0x0000000074EFB000-memory.dmp (5.7MB)
The two 2028-57/2028-58 dumps cover the same 328KB region of the injected child and are the ones the AgentTesla YARA rule matched, so they are the dumps to start from for configuration extraction.