Analysis
- max time kernel: 120s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:59
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Purchase Order.exe
- Resource: win10v2004-20220414-en
General
- Target: Purchase Order.exe
- Size: 716KB
- MD5: e5f74fba39a57d9e8f42b3073447b283
- SHA1: 429ab9b34e3cfadce00baf207f4a2a87666785de
- SHA256: 4282ae23bf6e1a962085b045a712056a9d98c1e03d9d77c6a226d3fc7ed89776
- SHA512: f1754b72140111d0241720407d05e1e610ff08aad96289f2af51461d3ad1e7e0d4741ad7b28724e531a6195969a0105380b982d5509c52a98bb44ae85d95924e
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.acmasindia.com
- Port: 587
- Username: [email protected]
- Password: 7R?_e#f.wLob
These are the exfiltration credentials: Agent Tesla authenticates to the listed mail server with them to send harvested data, so the host, port and mailbox are the actionable network indicators. The same configuration was extracted twice by the sandbox (once unattributed, once tagged agenttesla); only one copy is kept here.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), commonly described as written in Visual Basic .NET. This sample runs as a 32-bit managed process: it writes a CLR_v4.0_32 usage log (see Downloads) and its child processes are started from SysWOW64 through file system redirection even though their command lines name System32 (see Processes).
-
AgentTesla Payload 1 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2252-144-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
The family match is on memory of the innermost process (PID 2252, the 328KB region at its image base), not on the file as dropped on disk.
-
Disables Task Manager via registry modification
REG.exe sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1 (see Processes).
-
Drops file in Drivers directory 1 IoCs
Processes:
  description                  ioc                                     process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  Purchase Order.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the Windows GeoID, a decimal region number (244 is the United States), not an ISO country code.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  Purchase Order.exe (PID 1820)
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  Purchase Order.exe (PID 4420)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
The subkey 9375CFF0413111d3B88A00104B2A6676 is the standard Outlook account-settings container, where account names and stored credentials live; the sample tries the Office 15.0 (Outlook 2013) and 16.0 (Outlook 2016 and later) locations as well as the legacy Windows Messaging Subsystem path.
Processes:
  description  ioc                                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          Purchase Order.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          Purchase Order.exe
Suspicious use of SetThreadContext 2 IoCs
The sample re-launches its own image and sets the new process's thread context twice in a row (1820 -> 4420 -> 2252). Together with the WriteProcessMemory entries below this is consistent with two stages of process hollowing, and the YARA family match lands in the final stage (PID 2252).
Processes:
  description         pid   process             target pid  target process
  set thread context  1820  Purchase Order.exe  4420        Purchase Order.exe
  set thread context  4420  Purchase Order.exe  2252        Purchase Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but no file encryption or ransom note is reported for this sample; for an infostealer, drive enumeration is more plausibly host profiling.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid   process             count
  1820  Purchase Order.exe  6
  4420  Purchase Order.exe  1
  2252  Purchase Order.exe  2
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1820  Purchase Order.exe
  Token: SeDebugPrivilege   4420  Purchase Order.exe
  Token: SeDebugPrivilege   2252  Purchase Order.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes (repeated rows collapsed; the count column restores the original 31 entries):
  description      pid   process             target pid  target process      count
  wrote to memory  1820  Purchase Order.exe  3376        schtasks.exe        3
  wrote to memory  1820  Purchase Order.exe  4824        Purchase Order.exe  3
  wrote to memory  1820  Purchase Order.exe  4420        Purchase Order.exe  8
  wrote to memory  4420  Purchase Order.exe  428         schtasks.exe        3
  wrote to memory  4420  Purchase Order.exe  2252        Purchase Order.exe  8
  wrote to memory  2252  Purchase Order.exe  4600        REG.exe             3
  wrote to memory  2252  Purchase Order.exe  4592        netsh.exe           3
Ordinary children (schtasks.exe, REG.exe, netsh.exe) receive three writes each; the two self-spawned copies that went on to run the payload (4420 and 2252) receive eight, the extra writes being the injected image. PID 4824 received only the baseline three and shows no further activity.
outlook_office_path 1 IoCs
Processes:
  description  ioc                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order.exe
outlook_win_path 1 IoCs
Processes:
  description  ioc                                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Purchase Order.exe
Processes
Indentation shows the parent/child depth; PIDs are taken from the WriteProcessMemory and SetThreadContext tables above.
C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe  (PID 1820)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  (PID 3376)
    cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bTbkBcUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe  (PID 4824)
    cmdline: "{path}"
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe  (PID 4420)
    cmdline: "{path}"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 428)
      cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\izubZbilc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B6E.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe  (PID 2252)
      cmdline: "{path}"
      - Drops file in Drivers directory
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\SysWOW64\REG.exe  (PID 4600)
        cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
      C:\Windows\SysWOW64\netsh.exe  (PID 4592)
        cmdline: "netsh" wlan show profile
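The chain above (a process re-launching its own image with the literal command line "{path}", schtasks /Create with an XML dropped in the user's Temp directory, REG add DisableTaskMgr, and netsh wlan show profile to dump saved Wi-Fi profiles) maps onto a handful of process-creation rules. The following is an added example and not part of the Triage report: it runs those rules over constructed process-creation events whose PIDs, images and command lines are copied from the process tree, plus one benign notepad event as a negative control. The event shape, the rule names, the stand-in parent PID 999 and the hollow_chain helper are this example's own choices.

```python
"""Process-creation rules for the execution chain in the report above.

Added example: the event shape, rule names and sample data are this example's
own constructions, not output of the Triage sandbox.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process, as a Sysmon/ETW event would log it
    cmdline: str  # command line as logged


PO = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"

# Constructed events. PIDs, images and command lines are copied from the process tree
# above; PID 999 stands in for the unknown parent of the root process and PID 5100 is a
# benign negative control.
SAMPLE_EVENTS = [
    ProcEvent(1820, 999, PO, f'"{PO}"'),
    ProcEvent(3376, 1820, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bTbkBcUE" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp"'),
    ProcEvent(4824, 1820, PO, '"{path}"'),
    ProcEvent(4420, 1820, PO, '"{path}"'),
    ProcEvent(428, 4420, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\izubZbilc" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7B6E.tmp"'),
    ProcEvent(2252, 4420, PO, '"{path}"'),
    ProcEvent(4600, 2252, r"C:\Windows\SysWOW64\REG.exe",
              r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
              r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(4592, 2252, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
    ProcEvent(5100, 999, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# schtasks /XML pointing at a task definition in the user's Temp directory
_XML_FROM_TEMP = re.compile(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\')
# REG add ... DisableTaskMgr ... /d 1
_TASKMGR_OFF = re.compile(r"\badd\b.*disabletaskmgr.*/d\s+1\b")
_WLAN_DUMP = re.compile(r"\bwlan\s+show\s+profile")


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs, in event order, for every event a rule fires on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = ntpath.basename(e.image).lower()
        cmd = e.cmdline.lower()
        if name == "schtasks.exe" and "/create" in cmd and _XML_FROM_TEMP.search(cmd):
            findings.append(("schtasks_xml_from_temp", e.pid))
        # A process re-launching its own image with the literal placeholder "{path}"
        # as the command line, as every Purchase Order.exe child does in the report.
        if (parent is not None and parent.image.lower() == e.image.lower()
                and e.cmdline.strip() == '"{path}"'):
            findings.append(("self_spawn_placeholder_cmdline", e.pid))
        if name == "reg.exe" and _TASKMGR_OFF.search(cmd):
            findings.append(("disable_taskmgr", e.pid))
        if name == "netsh.exe" and _WLAN_DUMP.search(cmd):
            findings.append(("wlan_profile_dump", e.pid))
    return findings


def hollow_chain(events: list[ProcEvent], pid: int) -> list[int]:
    """Walk same-image parents upward from pid; returns [root, ..., pid]."""
    by_pid = {e.pid: e for e in events}
    chain = [pid]
    cur = by_pid[pid]
    while (p := by_pid.get(cur.ppid)) is not None and p.image.lower() == cur.image.lower():
        chain.append(p.pid)
        cur = p
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
    print("injection chain to final stage:",
          " -> ".join(map(str, hollow_chain(SAMPLE_EVENTS, 2252))))
```

The self-spawn rule keys on the parent and child sharing an image path and the child's command line being the unresolved "{path}" placeholder, which is what this report logs for all three re-launches; on a real telemetry feed, pair it with the SetThreadContext/WriteProcessMemory signals so that a benign self-restart does not fire alone. hollow_chain(SAMPLE_EVENTS, 2252) returns 1820 -> 4420 -> 2252, the two-stage chain the SetThreadContext table records.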
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
  Filesize: 1KB
  MD5: 400f1cc1a0a0ce1cdabda365ab3368ce
  SHA1: 1ecf683f14271d84f3b6063493dce00ff5f42075
  SHA256: c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
  SHA512: 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
-
C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp
  Filesize: 1KB
  MD5: cdc6f0cbd784cc7831bbdc51f558cde1
  SHA1: 4df7d8bbadf20d64986858fab3ff6ba8f8a910c1
  SHA256: 0119363381c3c5865908d224064b4480bc535a4346f2b774ce92a9d372cda2fa
  SHA512: 36eb743cf47297ae15b0c6a2e5afe848506bc1a9db56cbeb16cafa88effd3c01c0abf40f80b2f931fccee202cfba46e69f75c12fe413d7e81532c0b105010e62
-
C:\Users\Admin\AppData\Local\Temp\tmp7B6E.tmp
  Filesize: 1KB
  MD5: 7e68f860df61c4225e090f59ce17c8d0
  SHA1: 220bcbaed2f38c84621589b94ebbdf000f419ba1
  SHA256: b93f4971d54726985e4450f4f24932e8ff6905131524b26fafdc2754b874d8a8
  SHA512: d5cf6da34a8fa626aa14ce9a96201a804daeb33a4d35abf551490fd8449ad70a82a3818276550613d0da6a2aca0c9ae10cb47c6bbb5144d5ba6b99922ec238b1
-
memory/428-141-0x0000000000000000-mapping.dmp
-
memory/1820-134-0x0000000009000000-0x000000000909C000-memory.dmp
  Filesize: 624KB
-
memory/1820-133-0x0000000005970000-0x000000000597A000-memory.dmp
  Filesize: 40KB
-
memory/1820-130-0x0000000000AD0000-0x0000000000B8A000-memory.dmp
  Filesize: 744KB
-
memory/1820-131-0x0000000005D80000-0x0000000006324000-memory.dmp
  Filesize: 5.6MB
-
memory/1820-132-0x00000000058D0000-0x0000000005962000-memory.dmp
  Filesize: 584KB
-
memory/2252-144-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
-
memory/2252-143-0x0000000000000000-mapping.dmp
-
memory/2252-145-0x0000000005DD0000-0x0000000005E36000-memory.dmp
  Filesize: 408KB
-
memory/2252-147-0x00000000068C0000-0x0000000006910000-memory.dmp
  Filesize: 320KB
-
memory/3376-135-0x0000000000000000-mapping.dmp
-
memory/4420-139-0x0000000000400000-0x000000000048E000-memory.dmp
  Filesize: 568KB
-
memory/4420-138-0x0000000000000000-mapping.dmp
-
memory/4592-148-0x0000000000000000-mapping.dmp
-
memory/4600-146-0x0000000000000000-mapping.dmp
-
memory/4824-137-0x0000000000000000-mapping.dmp
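tmp764E.tmp and tmp7B6E.tmp are the task definitions the sample handed to schtasks /XML; the report lists their hashes but not their contents. As an added example (not the report's data and not the sandbox's code), the following parses a constructed Task Scheduler XML in that format and pulls out what an analyst wants from such a file: the trigger types, the Exec command and arguments, repetition intervals, whether the task is hidden, and the run level, then lists the reasons it looks like persistence. The XML body, the path bTbkBcUE.exe, the user-writable path list and the 10-minute threshold are assumptions for illustration; only the namespace and element names are the real Task Scheduler schema.

```python
"""Triage of a Task Scheduler XML definition, the format passed to schtasks /XML above.

Added example: the XML below is constructed for illustration and is not the content of
tmp764E.tmp or tmp7B6E.tmp, which the report does not show.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# ISO 8601 duration as used in <Interval>/<Duration>, e.g. PT5M or P1DT2H
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Locations a non-admin user can write to; a task whose action lives here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample task (assumed content; the action path is hypothetical).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <StartBoundary>2022-05-21T03:00:00</StartBoundary>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\bTbkBcUE.exe</Command></Exec>
  </Actions>
</Task>
"""


def _q(tag: str) -> str:
    """Qualify a tag with the Task Scheduler namespace; find/findall need the {ns}tag form."""
    return f"{{{TASK_NS}}}{tag}"


def iso_duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration such as PT5M to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(xml_data) -> dict:
    """Extract the triage-relevant fields from a task definition (str, or bytes with BOM)."""
    root = ET.fromstring(xml_data)
    if root.tag != _q("Task"):
        raise ValueError("not a Task Scheduler task definition")
    triggers = [t.tag.rsplit("}", 1)[-1] for t in root.findall(f"./{_q('Triggers')}/*")]
    actions = [
        (ex.findtext(_q("Command"), default="").strip(),
         ex.findtext(_q("Arguments"), default="").strip())
        for ex in root.findall(f"./{_q('Actions')}/{_q('Exec')}")
    ]
    intervals = [
        (iv.text or "").strip()
        for iv in root.findall(f"./{_q('Triggers')}/*/{_q('Repetition')}/{_q('Interval')}")
    ]
    hidden = root.findtext(f"./{_q('Settings')}/{_q('Hidden')}", default="").strip().lower() == "true"
    run_level = root.findtext(
        f"./{_q('Principals')}/{_q('Principal')}/{_q('RunLevel')}", default="").strip()
    return {"triggers": triggers, "actions": actions, "repeat_intervals": intervals,
            "hidden": hidden, "run_level": run_level}


def assess(task: dict) -> list[str]:
    """Reasons a task looks like malware persistence; thresholds are this example's choice."""
    reasons = []
    for command, _args in task["actions"]:
        if any(p in command.lower() for p in USER_WRITABLE):
            reasons.append(f"action runs from a user-writable path: {command}")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if "LogonTrigger" in task["triggers"]:
        reasons.append("runs at every logon")
    for interval in task["repeat_intervals"]:
        if iso_duration_seconds(interval) <= 600:
            reasons.append(f"re-runs every {interval}")
    return reasons


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK_XML)
    print(task)
    for reason in assess(task):
        print(" -", reason)
```

Task XML exported by schtasks is typically UTF-16 with a byte-order mark; pass the file's raw bytes to parse_task rather than decoding it first, and ElementTree's expat parser picks the encoding up from the BOM. Every lookup goes through _q() because the document declares a default namespace, so an unqualified find("Actions") silently returns nothing.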