Analysis
- max time kernel: 173s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:56

Static task: static1
Behavioral task: behavioral1
  Sample: P.O 20A00827.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: P.O 20A00827.exe
  Resource: win10v2004-20220414-en
General
- Target: P.O 20A00827.exe
- Size: 523KB
- MD5: 899fba96547d14cf0100b57a6cf8f9fd
- SHA1: 1b512803f901a907d2a19e644c943fe8af09a80d
- SHA256: a1021556aef2e3dad9d256ffd84999019982f77bea0e32e7428a18f666fd7d12
- SHA512: 195069e2a36045167c53d541bee660385f1e73b30ced9b1d9b216823b8e2155352b31d426f304ae15916fca0818df52f8fb984634f4820a94a880fb9cea17b1f
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: r112ds144.redewt.net
- Port: 587
- Username: [email protected]
- Password: Inbiz@facturacao_1357
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/2960-134-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | P.O 20A00827.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | P.O 20A00827.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | P.O 20A00827.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | P.O 20A00827.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | P.O 20A00827.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | P.O 20A00827.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: P.O 20A00827.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cYuJyc = "C:\\Users\\Admin\\AppData\\Roaming\\cYuJyc\\cYuJyc.exe" | P.O 20A00827.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | P.O 20A00827.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | P.O 20A00827.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: P.O 20A00827.exe
    description | pid | process | target process
    PID 2360 set thread context of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: P.O 20A00827.exe
    pid | process
    2960 | P.O 20A00827.exe
    2960 | P.O 20A00827.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: P.O 20A00827.exe
    description | pid | process
    Token: SeDebugPrivilege | 2960 | P.O 20A00827.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: P.O 20A00827.exe
    pid | process
    2960 | P.O 20A00827.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: P.O 20A00827.exe, P.O 20A00827.exe
    description | pid | process | target process
    PID 2360 wrote to memory of 3500 | 2360 | P.O 20A00827.exe | schtasks.exe
    PID 2360 wrote to memory of 3500 | 2360 | P.O 20A00827.exe | schtasks.exe
    PID 2360 wrote to memory of 3500 | 2360 | P.O 20A00827.exe | schtasks.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2360 wrote to memory of 2960 | 2360 | P.O 20A00827.exe | P.O 20A00827.exe
    PID 2960 wrote to memory of 1816 | 2960 | P.O 20A00827.exe | netsh.exe
    PID 2960 wrote to memory of 1816 | 2960 | P.O 20A00827.exe | netsh.exe
    PID 2960 wrote to memory of 1816 | 2960 | P.O 20A00827.exe | netsh.exe
- outlook_office_path (1 IoCs)
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | P.O 20A00827.exe
- outlook_win_path (1 IoCs)
  Processes: P.O 20A00827.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | P.O 20A00827.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\P.O 20A00827.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\P.O 20A00827.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wFFmHtnBJtQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4882.tmp"
    - Creates scheduled task(s)
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\P.O 20A00827.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - (depth 3) C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\P.O 20A00827.exe.log
  Filesize: 588B
  MD5: 49461f799113a05a28d6b992090c22ce
  SHA1: 4049a26ca32ff9ed84fd748b75b36b73e17510ce
  SHA256: efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3
  SHA512: dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5
- C:\Users\Admin\AppData\Local\Temp\tmp4882.tmp
  Filesize: 1KB
  MD5: a07a316dc37ffbb0925f158e36e8677a
  SHA1: 1fe1a9fabf74eb694d8876d4d5710c2373185a4d
  SHA256: 1a04228b0d258e6bcae9d051b05b9561be1ee3e4fca107e2d0253d23300e172c
  SHA512: f9f82ec1f7b9e3d20e0ccaabb17c8cca15a51bef2bf31a91879506287c152d7b8744151e663a8d4bcdf4ee66f5eef27b96aa2ff12798fbcb1c2b67675c3d02af
- memory/1816-137-0x0000000000000000-mapping.dmp
- memory/2360-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/2960-133-0x0000000000000000-mapping.dmp
- memory/2960-134-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2960-136-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/3500-131-0x0000000000000000-mapping.dmp