Analysis
- max time kernel: 90s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:14
Static task: static1
Behavioral task: behavioral1
- Sample: IMG 24344 NEW ORDER_PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: IMG 24344 NEW ORDER_PDF.exe
- Resource: win10v2004-20220414-en
General
- Target: IMG 24344 NEW ORDER_PDF.exe
- Size: 522KB
- MD5: 738cc68cbed4ce5180c71952b86acbfe
- SHA1: 1690297c53df2847bef42b5bef74c2afab4204eb
- SHA256: 64f1939cbe2828095ccb96973565bebe5a2cbf3baf78aaadd2492eb654415264
- SHA512: 4951c829a08aa07619bda202a4a5e48d3f3d16f33806e1c92b7e66c3488243f13817875ef4c9fd9bdd13bbed068824afa54154351208ba00c056604952f45368
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.candenizcilik.com
- Port: 587
- Username: [email protected]
- Password: 519025
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/892-134-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: IMG 24344 NEW ORDER_PDF.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IMG 24344 NEW ORDER_PDF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IMG 24344 NEW ORDER_PDF.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: IMG 24344 NEW ORDER_PDF.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | IMG 24344 NEW ORDER_PDF.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: IMG 24344 NEW ORDER_PDF.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | IMG 24344 NEW ORDER_PDF.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | IMG 24344 NEW ORDER_PDF.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: IMG 24344 NEW ORDER_PDF.exe
  description | pid | process | target process
  PID 4384 set thread context of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  892 | RegSvcs.exe
  892 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 892 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  892 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: IMG 24344 NEW ORDER_PDF.exe, RegSvcs.exe
  description | pid | process | target process
  PID 4384 wrote to memory of 1424 | 4384 | IMG 24344 NEW ORDER_PDF.exe | schtasks.exe
  PID 4384 wrote to memory of 1424 | 4384 | IMG 24344 NEW ORDER_PDF.exe | schtasks.exe
  PID 4384 wrote to memory of 1424 | 4384 | IMG 24344 NEW ORDER_PDF.exe | schtasks.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 4384 wrote to memory of 892 | 4384 | IMG 24344 NEW ORDER_PDF.exe | RegSvcs.exe
  PID 892 wrote to memory of 4588 | 892 | RegSvcs.exe | netsh.exe
  PID 892 wrote to memory of 4588 | 892 | RegSvcs.exe | netsh.exe
  PID 892 wrote to memory of 4588 | 892 | RegSvcs.exe | netsh.exe
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG 24344 NEW ORDER_PDF.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IMG 24344 NEW ORDER_PDF.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oIRXsmtHo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0C4.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC0C4.tmp
  Filesize: 1KB
  MD5: d9bc3232e16f0f050e91df787187f4b9
  SHA1: 0055e5d6cb208ee3cd7b938876a4ef858cad9a4c
  SHA256: 12bd2bb312abffc308eb423fd27d63419b30eb3dc66aeaae857e5d09324a4549
  SHA512: 2def97a2cdaf39bbcf6db441006ae45510acd83115e2ff5386868bbf60ca61d553c7f1cb60f0bd95492455c09791ae7172a9a25768b47f82815090128ccbc4fb
- memory/892-133-0x0000000000000000-mapping.dmp
- memory/892-134-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/892-135-0x00000000753E0000-0x0000000075991000-memory.dmp
  Filesize: 5.7MB
- memory/1424-131-0x0000000000000000-mapping.dmp
- memory/4384-130-0x00000000753E0000-0x0000000075991000-memory.dmp
  Filesize: 5.7MB
- memory/4588-136-0x0000000000000000-mapping.dmp