Analysis
- max time kernel: 149s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: NEFT Payment Receipt.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: NEFT Payment Receipt.exe
- Resource: win10v2004-20220414-en
General
- Target: NEFT Payment Receipt.exe
- Size: 522KB
- MD5: db56d94b3df3bead6e010931aa0d379d
- SHA1: 9a52da05adad71adf8ce20cf12110f8ed45dc55f
- SHA256: 590d32924480f6d5306978feb7fea108eebfea73a42f50f7e06ddd7dd6db9269
- SHA512: 4ffdc06cb0a93d7893c15a9422185955db29b0eea480cfde5a134e7c51568a67d648896da01b4cf2d651bfc7c393a6506a61d070cabc096e31dfb81da4433cf9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.pro-powersourcing.com
- Port: 587
- Username: [email protected]
- Password: china1977
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (1 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3012-138-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | NEFT Payment Receipt.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 3676 set thread context of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  pid | pid_target | process | target process
  3204 | 3012 | WerFault.exe | RegSvcs.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid | process
  3676 | NEFT Payment Receipt.exe
  3012 | RegSvcs.exe
  3012 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3676 | NEFT Payment Receipt.exe
  Token: SeDebugPrivilege | 3012 | RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 3676 wrote to memory of 4980 | 3676 | NEFT Payment Receipt.exe | schtasks.exe
  PID 3676 wrote to memory of 4980 | 3676 | NEFT Payment Receipt.exe | schtasks.exe
  PID 3676 wrote to memory of 4980 | 3676 | NEFT Payment Receipt.exe | schtasks.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3676 wrote to memory of 3012 | 3676 | NEFT Payment Receipt.exe | RegSvcs.exe
  PID 3012 wrote to memory of 3448 | 3012 | RegSvcs.exe | REG.exe
  PID 3012 wrote to memory of 3448 | 3012 | RegSvcs.exe | REG.exe
  PID 3012 wrote to memory of 3448 | 3012 | RegSvcs.exe | REG.exe
  PID 3012 wrote to memory of 2848 | 3012 | RegSvcs.exe | netsh.exe
  PID 3012 wrote to memory of 2848 | 3012 | RegSvcs.exe | netsh.exe
  PID 3012 wrote to memory of 2848 | 3012 | RegSvcs.exe | netsh.exe

outlook_office_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEFT Payment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEFT Payment Receipt.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXiktUDlm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3057.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1636
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3012 -ip 3012
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3057.tmp
  Filesize: 1KB
  MD5: 240c5d1b885721b2b8e27b8b7c414e5d
  SHA1: fe46054d255a70a70db72abe6065ab47d1672ef7
  SHA256: 6ba76879fc38611196e67e74c294a01a2faf35ec40538a17d255504e4bf0d607
  SHA512: e776dc411f098be3195b538780f0216adf832997852a68a95102d31ef5555459fd96b19f634ed52e71e60601399e281c20cbb95f6bfe9edcef10167daecb1ef2
- memory/2848-141-0x0000000000000000-mapping.dmp
- memory/3012-139-0x0000000006300000-0x0000000006366000-memory.dmp
  Filesize: 408KB
- memory/3012-137-0x0000000000000000-mapping.dmp
- memory/3012-138-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/3012-142-0x0000000006B40000-0x0000000006B90000-memory.dmp
  Filesize: 320KB
- memory/3448-140-0x0000000000000000-mapping.dmp
- memory/3676-133-0x00000000051F0000-0x00000000051FA000-memory.dmp
  Filesize: 40KB
- memory/3676-134-0x0000000007750000-0x00000000077EC000-memory.dmp
  Filesize: 624KB
- memory/3676-132-0x0000000005210000-0x00000000052A2000-memory.dmp
  Filesize: 584KB
- memory/3676-130-0x0000000000900000-0x000000000098A000-memory.dmp
  Filesize: 552KB
- memory/3676-131-0x0000000005720000-0x0000000005CC4000-memory.dmp
  Filesize: 5.6MB
- memory/4980-135-0x0000000000000000-mapping.dmp