Analysis
-
max time kernel
72s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:31
General
-
Target
NPK 202020.exe
-
Size
816KB
-
MD5
94c64da42cec451a2bd9c6e30d366fa8
-
SHA1
ae5ad76d977bedfaa76632fa32d5678c212daa96
-
SHA256
40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5
-
SHA512
97754440f8ad88d4bc02e57f921461a62176825f615cffbc6ffd35c29404e4301a142e4e4399c835c370e47563c240205ca8985a8f1ef6de1df43dea19dcf86a
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload 1 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHtBDZyNICpYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmpFilesize
1KB
MD5149c536cfb17a9f9a46bc43cf356d389
SHA18847c1ce17590b599138152a0f343c82f7a90f7b
SHA2569d0759530472929db93279e7ee7fa80ad6089d082c88ec4644e3003198f1d7a5
SHA51279205c8099a7177edf54f38a9ccde6c0a6cd7ecb8c9ef8942d494b6aaecf798dba1c873d8ab7556cb832fa44a4528cfd2a1375da76f7df1d81b24e9145441375
-
memory/684-54-0x00000000104C0000-0x0000000010590000-memory.dmpFilesize
832KB
-
memory/684-55-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/684-56-0x0000000000380000-0x0000000000388000-memory.dmpFilesize
32KB
-
memory/684-57-0x0000000001E30000-0x0000000001E86000-memory.dmpFilesize
344KB
-
memory/684-60-0x00000000020C0000-0x000000000210E000-memory.dmpFilesize
312KB
-
memory/1540-58-0x0000000000000000-mapping.dmp