Analysis
max time kernel: 158s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 02:07

Static task: static1
Behavioral task: behavioral1
  Sample: Letter.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Letter.exe
  Resource: win10v2004-20220414-en
General
Target: Letter.exe
Size: 581KB
MD5: 6b1a709c8884accc0ba410ef9413a04c
SHA1: bb80dad1518cd8d7bb912b74bcf01c927b45394a
SHA256: 439ed702b9700b4bd7ec8877db8d90820176cd183cb888c8be9b14267d3581cc
SHA512: 309ef31c93845a36060bd4b69a3d7cfc79bebb518530371846165a49c7dc74069777c09067d3406ee2cb3de94494c8ff31b8ffdeb54f0cd4c6088b6cd6fc16c7
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.gayaceramic.com
Port: 587
Username: [email protected]
Password: 2019gaya
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (1 IoC)
  yara_rule family_agenttesla: behavioral2/memory/2484-140-0x0000000000400000-0x000000000045A000-memory.dmp

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Letter.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Letter.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Letter.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Letter.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Letter.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Letter.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Letter.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Letter.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
  PID 3568 (Letter.exe) set thread context of PID 2484 (Letter.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3568 Letter.exe
  PID 2484 Letter.exe
  PID 2484 Letter.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 3568 (Letter.exe): Token SeDebugPrivilege
  PID 2484 (Letter.exe): Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3568 (Letter.exe) wrote to memory of PID 3616 (schtasks.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 3616 (schtasks.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 3616 (schtasks.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)
  PID 3568 (Letter.exe) wrote to memory of PID 2484 (Letter.exe)

outlook_office_path (1 IoC)
  Letter.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  Letter.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\Letter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Letter.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hWFpUZAPSDgj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA817.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Letter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Letter.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA817.tmp
  Filesize: 1KB
  MD5: b728c23aa5f5218112b49e259c039783
  SHA1: 70f2afe4c06cbab433c0217e5f54cdfe38b44a33
  SHA256: cba3b96c31d64dfc58dd8cd5a4edb1817c91acbed471ae4f2d52605e4fda6760
  SHA512: 2af7e76cb8ed843ed3fde909c4bad7c0c06fc46a013cb29675d7dbf9533f7e9a4d453a596234ea2d76c369be4cf0f40c8a1d89988968b422db023fe89ab3e649

Memory dumps:
  memory/2484-139-0x0000000000000000-mapping.dmp
  memory/2484-140-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  memory/2484-141-0x0000000006C90000-0x0000000006CE0000-memory.dmp (Filesize: 320KB)
  memory/3568-130-0x0000000000D10000-0x0000000000DA8000-memory.dmp (Filesize: 608KB)
  memory/3568-131-0x00000000056F0000-0x000000000578C000-memory.dmp (Filesize: 624KB)
  memory/3568-132-0x0000000005D40000-0x00000000062E4000-memory.dmp (Filesize: 5.6MB)
  memory/3568-133-0x0000000005830000-0x00000000058C2000-memory.dmp (Filesize: 584KB)
  memory/3568-134-0x00000000057F0000-0x00000000057FA000-memory.dmp (Filesize: 40KB)
  memory/3568-135-0x0000000005A40000-0x0000000005A96000-memory.dmp (Filesize: 344KB)
  memory/3568-136-0x0000000009700000-0x0000000009766000-memory.dmp (Filesize: 408KB)
  memory/3616-137-0x0000000000000000-mapping.dmp