Analysis
-
max time kernel
109s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 02:34
Static task
static1
Behavioral task
behavioral1
Sample
Payment_Copy.PDF.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment_Copy.PDF.exe
Resource
win10v2004-20220414-en
General
-
Target
Payment_Copy.PDF.exe
-
Size
603KB
-
MD5
6f4ff4d406d6917c9261333ed9bbc58c
-
SHA1
9ab4630d7a4323ab119535990b008130890d178c
-
SHA256
190be18ceb220a947bf797e07e27b41987d707f00ce1774e05998a6682482f43
-
SHA512
7a388d5f6fd968fac1cd31f4c48b7eaa140986bab705c1694c2390072eda4995095ee2ead609c4e995a92c3913c6a3eb22205db80998ab12b8dfb9c6a22afd12
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
killdemall007
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1360-59-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1360-60-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1360-61-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1360-62-0x000000000044CC9E-mapping.dmp family_agenttesla behavioral1/memory/1360-64-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1360-66-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Payment_Copy.PDF.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Payment_Copy.PDF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Payment_Copy.PDF.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Payment_Copy.PDF.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment_Copy.PDF.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment_Copy.PDF.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment_Copy.PDF.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Payment_Copy.PDF.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Payment_Copy.PDF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Payment_Copy.PDF.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment_Copy.PDF.exedescription pid process target process PID 1880 set thread context of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Payment_Copy.PDF.exepid process 1360 Payment_Copy.PDF.exe 1360 Payment_Copy.PDF.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Payment_Copy.PDF.exepid process 1360 Payment_Copy.PDF.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Payment_Copy.PDF.exePayment_Copy.PDF.exedescription pid process Token: SeDebugPrivilege 1880 Payment_Copy.PDF.exe Token: SeDebugPrivilege 1360 Payment_Copy.PDF.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Payment_Copy.PDF.exePayment_Copy.PDF.exedescription pid process target process PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1880 wrote to memory of 1360 1880 Payment_Copy.PDF.exe Payment_Copy.PDF.exe PID 1360 wrote to memory of 816 1360 Payment_Copy.PDF.exe netsh.exe PID 1360 wrote to memory of 816 1360 Payment_Copy.PDF.exe netsh.exe PID 1360 wrote to memory of 816 1360 Payment_Copy.PDF.exe netsh.exe PID 1360 wrote to memory of 816 1360 Payment_Copy.PDF.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
Payment_Copy.PDF.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment_Copy.PDF.exe -
outlook_win_path 1 IoCs
Processes:
Payment_Copy.PDF.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Payment_Copy.PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment_Copy.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Payment_Copy.PDF.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment_Copy.PDF.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/816-69-0x0000000000000000-mapping.dmp
-
memory/1360-56-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-57-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-59-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-60-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-61-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-62-0x000000000044CC9E-mapping.dmp
-
memory/1360-64-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-66-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1360-68-0x0000000074390000-0x000000007493B000-memory.dmpFilesize
5.7MB
-
memory/1880-54-0x0000000075311000-0x0000000075313000-memory.dmpFilesize
8KB
-
memory/1880-55-0x0000000074390000-0x000000007493B000-memory.dmpFilesize
5.7MB