Analysis
- max time kernel: 152s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: citat.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: citat.exe
  Resource: win10v2004-20220414-en
General
- Target: citat.exe
- Size: 424KB
- MD5: e9567d62f6cbad2e5c23cc82f5f62377
- SHA1: 68803124332bf57b6f6a7cc9fad33d6feee8a48a
- SHA256: fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277
- SHA512: 2a87593eac99c22e35459ab6651d022b7530a60bca5ea130a3bf4faf3c60b306b8a64b469da6e137c45a5dd2d9dad6d0787c5caa59ebcc6d279aa15caec70139
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: SENEGAL12345
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1904-63-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1904-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1904-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1904-66-0x0000000000446D2E-mapping.dmp | family_agenttesla
  behavioral1/memory/1904-70-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1904-68-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | citat.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | citat.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | citat.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | citat.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1480 set thread context of 1904 | 1480 | citat.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1904 | RegSvcs.exe
  1904 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1904 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 1480 wrote to memory of 1968 | 1480 | citat.exe | schtasks.exe
  PID 1480 wrote to memory of 1968 | 1480 | citat.exe | schtasks.exe
  PID 1480 wrote to memory of 1968 | 1480 | citat.exe | schtasks.exe
  PID 1480 wrote to memory of 1968 | 1480 | citat.exe | schtasks.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
  PID 1480 wrote to memory of 1904 | 1480 | citat.exe | RegSvcs.exe
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\citat.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\citat.exe"
  Signatures:
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqYhveSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp
  Filesize: 1KB
  MD5: 53a1214a908aca082dc6dbf5f825b864
  SHA1: 5db654bfbe32a851ad714a5df3d696afe45ddb5f
  SHA256: 3ca1814014a6c4563332d9feb941cf96fd5acab027df7a0fda4c95c4510dae0b
  SHA512: 24b0f68c9366a79d2862370bed8a442b77ee0584a3d9d18e6e1bad8d857002551126d7a66d038478ffc066a289b5b07abe5effc8daaff7e9830d1faf1ff37057
- memory/1480-55-0x0000000075871000-0x0000000075873000-memory.dmp
  Filesize: 8KB
- memory/1480-56-0x00000000003F0000-0x000000000040C000-memory.dmp
  Filesize: 112KB
- memory/1480-57-0x00000000007B0000-0x0000000000804000-memory.dmp
  Filesize: 336KB
- memory/1480-54-0x0000000000340000-0x00000000003B0000-memory.dmp
  Filesize: 448KB
- memory/1904-60-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-63-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-64-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-65-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-66-0x0000000000446D2E-mapping.dmp
- memory/1904-70-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1904-68-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1968-58-0x0000000000000000-mapping.dmp