Analysis
-
max time kernel
178s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:19
Static task
static1
Behavioral task
behavioral1
Sample
SOA APRIL.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
SOA APRIL.exe
Resource
win10v2004-20220414-en
General
-
Target
SOA APRIL.exe
-
Size
443KB
-
MD5
b4918de9ccfdf564a629cea7e3b82195
-
SHA1
aab1d0e71ce72baffc39ce5f9fd3fc5aad0ec8d9
-
SHA256
c57c75b73874a793db4640a20bf8f89c57d8b95c9165a721e3a71f5693127c49
-
SHA512
f50ebdab2e8c5c2598ef52eae7a2c0d9f53900f0c26cf17cfd441051390d083a0881d1eb80eb713ef8d2e96633478d654219c07fd5178881919bf78801ed3d41
Malware Config
Extracted
Protocol: smtp- Host:
mail.tolipgoldenplaza.com - Port:
587 - Username:
[email protected] - Password:
Golden@#$2019
Extracted
agenttesla
Protocol: smtp- Host:
mail.tolipgoldenplaza.com - Port:
587 - Username:
[email protected] - Password:
Golden@#$2019
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2812-139-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
SOA APRIL.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts SOA APRIL.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SOA APRIL.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation SOA APRIL.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SOA APRIL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SOA APRIL.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SOA APRIL.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SOA APRIL.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SOA APRIL.exedescription pid process target process PID 4964 set thread context of 2812 4964 SOA APRIL.exe SOA APRIL.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
SOA APRIL.exeSOA APRIL.exepid process 4964 SOA APRIL.exe 4964 SOA APRIL.exe 4964 SOA APRIL.exe 2812 SOA APRIL.exe 2812 SOA APRIL.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SOA APRIL.exeSOA APRIL.exedescription pid process Token: SeDebugPrivilege 4964 SOA APRIL.exe Token: SeDebugPrivilege 2812 SOA APRIL.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
SOA APRIL.exeSOA APRIL.exedescription pid process target process PID 4964 wrote to memory of 4520 4964 SOA APRIL.exe schtasks.exe PID 4964 wrote to memory of 4520 4964 SOA APRIL.exe schtasks.exe PID 4964 wrote to memory of 4520 4964 SOA APRIL.exe schtasks.exe PID 4964 wrote to memory of 5096 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 5096 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 5096 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 4964 wrote to memory of 2812 4964 SOA APRIL.exe SOA APRIL.exe PID 2812 wrote to memory of 3852 2812 SOA APRIL.exe REG.exe PID 2812 wrote to memory of 3852 2812 SOA APRIL.exe REG.exe PID 2812 wrote to memory of 3852 2812 SOA APRIL.exe REG.exe PID 2812 wrote to memory of 712 2812 SOA APRIL.exe netsh.exe PID 2812 wrote to memory of 712 2812 SOA APRIL.exe netsh.exe PID 2812 wrote to memory of 712 2812 SOA APRIL.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
SOA APRIL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SOA APRIL.exe -
outlook_win_path 1 IoCs
Processes:
SOA APRIL.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SOA APRIL.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SOA APRIL.exe"C:\Users\Admin\AppData\Local\Temp\SOA APRIL.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzcvEUFxw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23A5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SOA APRIL.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SOA APRIL.exe"{path}"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA APRIL.exe.logFilesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Temp\tmp23A5.tmpFilesize
1KB
MD53ca555a5d58ed6115d4d3295b6e05657
SHA1c3a9dc22d29e7d14b28520acd2ba9da70773d528
SHA2569e76f7852bf961eb6f3f6d6582d5b961589477f1a685f181ec5534c7b339bf47
SHA512b4149cb7520cb256e68168b3d6be9dec319c90a7eca991087c579e66ed53f47283b6323d8cc58a11cf9b852777a968e26394f4a14cf8ccb8be878fcf0c6aa306
-
memory/712-144-0x0000000000000000-mapping.dmp
-
memory/2812-139-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2812-138-0x0000000000000000-mapping.dmp
-
memory/2812-141-0x0000000005BF0000-0x0000000005C56000-memory.dmpFilesize
408KB
-
memory/2812-143-0x00000000067D0000-0x0000000006820000-memory.dmpFilesize
320KB
-
memory/3852-142-0x0000000000000000-mapping.dmp
-
memory/4520-135-0x0000000000000000-mapping.dmp
-
memory/4964-134-0x000000000AB00000-0x000000000AB9C000-memory.dmpFilesize
624KB
-
memory/4964-133-0x00000000070C0000-0x00000000070CA000-memory.dmpFilesize
40KB
-
memory/4964-130-0x0000000000120000-0x0000000000196000-memory.dmpFilesize
472KB
-
memory/4964-132-0x0000000007020000-0x00000000070B2000-memory.dmpFilesize
584KB
-
memory/4964-131-0x00000000075D0000-0x0000000007B74000-memory.dmpFilesize
5.6MB
-
memory/5096-137-0x0000000000000000-mapping.dmp