Analysis
- max time kernel: 185s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Size: 603KB
- MD5: 23f551a5ac8ec744ece3dabee871cd30
- SHA1: 97227666e1b88f7f6e2d88e6d53c832edf6f52cb
- SHA256: 3ac8a6bb8e3551f1889bcdbe567d78c4d1afd90f91904d5bbaffc6879abbb37a
- SHA512: 0f53a4efdc1159a96e177e288b0a7ca58bd4acd3ade45a5720d4633f514f824a42bba761859fd6a7c6f0da51f32c493fb7b1bf73526d28bf4574858d5bc4e25e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.specialmetal.ir
- Port: 587
- Username: [email protected]
- Password: 02188985257
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/3244-139-0x0000000000400000-0x000000000045A000-memory.dmp | yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 set thread context of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe, RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  pid: 3244 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  pid: 3244 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe, RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: Token: SeDebugPrivilege | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: Token: SeDebugPrivilege | pid: 3244 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3596 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: schtasks.exe
  description: PID 4504 wrote to memory of 3596 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: schtasks.exe
  description: PID 4504 wrote to memory of 3596 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: schtasks.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
  description: PID 4504 wrote to memory of 3244 | pid: 4504 | process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe | target process: RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe (PID 4504, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3596, depth 2, child of 4504)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FhDgCxwjwYe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp123B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe (PID 3244, depth 2, child of 4504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp123B.tmp
  Filesize: 1KB
  MD5: 27afbf000d983f86e4b3e0eddcf14f27
  SHA1: b1d4704ecd01bd5b9e05ac7ba873e3f10b92c913
  SHA256: 65a95237d217cf1c830f1af6437bca3a3602482b9c8f6122ac742f237b734d16
  SHA512: 46f59df97b6a995b3d5377452edba1f8cd3fcd1eaff4b65914c1b0c64c1ef822bc00ba08d40f57707cbbdc6039b4ef71d224fb2283e679afec92699d767f8666
- memory/3244-138-0x0000000000000000-mapping.dmp
- memory/3244-139-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/3244-140-0x0000000005BC0000-0x0000000005C26000-memory.dmp
  Filesize: 408KB
- memory/3596-136-0x0000000000000000-mapping.dmp
- memory/4504-130-0x0000000000E80000-0x0000000000F1E000-memory.dmp
  Filesize: 632KB
- memory/4504-131-0x00000000058B0000-0x000000000594C000-memory.dmp
  Filesize: 624KB
- memory/4504-132-0x0000000005F00000-0x00000000064A4000-memory.dmp
  Filesize: 5.6MB
- memory/4504-133-0x00000000059F0000-0x0000000005A82000-memory.dmp
  Filesize: 584KB
- memory/4504-134-0x0000000005950000-0x000000000595A000-memory.dmp
  Filesize: 40KB
- memory/4504-135-0x0000000005A90000-0x0000000005AE6000-memory.dmp
  Filesize: 344KB