Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:32
Static task: static1
Behavioral task: behavioral1 (Sample: PROFILE.exe; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: PROFILE.exe; Resource: win10v2004-20220414-en)
General
Target: PROFILE.exe
Size: 453KB
MD5: 0730a8b1cadc7b07bd0a7fbe57437939
SHA1: 424eea095b6b46cc0d3d6812b85230308b672ce7
SHA256: ceb7dc735aad69ceaa69d7353b2364bbaf2ccd69176707bdc0d7c38f27e326b4
SHA512: 563f6e6e58938730f68af98b0fdc7e7f079ff85222a4db9270bbc5ddf2a4f6ae607fdd271048443b0d9c5a48ba5c53e0928d515437a10d715a7d7deef9b98bec
Malware Config
Extracted (family: agenttesla)
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: OneDay@time
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (1 IoC)
Processes:
  Resource: behavioral2/memory/32-140-0x0000000000400000-0x000000000044C000-memory.dmp
  YARA rule: family_agenttesla
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: PROFILE.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: PROFILE.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: PROFILE.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: PROFILE.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1672 set thread context of 32 (process: PROFILE.exe; target process: PROFILE.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 1672 PROFILE.exe
  PID 32 PROFILE.exe
  PID 32 PROFILE.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege (PID 1672 PROFILE.exe)
  Token: SeDebugPrivilege (PID 32 PROFILE.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 32 PROFILE.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 1672 wrote to memory of 4252 (process: PROFILE.exe; target process: schtasks.exe)
  PID 1672 wrote to memory of 4252 (process: PROFILE.exe; target process: schtasks.exe)
  PID 1672 wrote to memory of 4252 (process: PROFILE.exe; target process: schtasks.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
  PID 1672 wrote to memory of 32 (process: PROFILE.exe; target process: PROFILE.exe)
outlook_office_path (1 IoC)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: PROFILE.exe)
outlook_win_path (1 IoC)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: PROFILE.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\PROFILE.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\schtasks.exe (PID 4252)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RLgpeSlz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5498.tmp"
    - Creates scheduled task(s)
  Child: C:\Users\Admin\AppData\Local\Temp\PROFILE.exe (PID 32)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp5498.tmp
  Filesize: 1KB
  MD5: c520cbe7bf0fc0c0056ed392c04d3650
  SHA1: b6b86db58738ed095c21f005b24363a56f16397d
  SHA256: 1da0a7d8061c27a85195e382365b3c006c48c24cde018b7d4c9cbb05b0f44d5f
  SHA512: 7d9f08ebb17a9156d446dfbebe2665de28cceb2b993f6299a28bfa16bc44810612d6c19a24cb06ca73e21ba738f2cb80c410ec76b716474cfda0cfdd8ef34d16
memory/32-142-0x0000000006910000-0x0000000006960000-memory.dmp
  Filesize: 320KB
memory/32-141-0x0000000006310000-0x0000000006376000-memory.dmp
  Filesize: 408KB
memory/32-140-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
memory/32-139-0x0000000000000000-mapping.dmp
memory/1672-133-0x00000000058C0000-0x00000000058CA000-memory.dmp
  Filesize: 40KB
memory/1672-136-0x0000000009450000-0x00000000094EC000-memory.dmp
  Filesize: 624KB
memory/1672-135-0x0000000006470000-0x0000000006492000-memory.dmp
  Filesize: 136KB
memory/1672-134-0x00000000059F0000-0x0000000005A02000-memory.dmp
  Filesize: 72KB
memory/1672-130-0x0000000000E90000-0x0000000000F08000-memory.dmp
  Filesize: 480KB
memory/1672-132-0x00000000058E0000-0x0000000005972000-memory.dmp
  Filesize: 584KB
memory/1672-131-0x0000000005E90000-0x0000000006434000-memory.dmp
  Filesize: 5.6MB
memory/4252-137-0x0000000000000000-mapping.dmp