Analysis
- max time kernel: 149s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:46
Static task: static1
Behavioral task: behavioral1
- Sample: promise cripted.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: promise cripted.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: promisecrypted.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: promisecrypted.exe
- Resource: win10v2004-20220414-en
General
- Target: promisecrypted.exe
- Size: 691KB
- MD5: 47bb488aeb3ce0e005ac5e1a9d57bfda
- SHA1: 63d44c1fb00ec4910d9ad95cc15daf6e86ed3cdd
- SHA256: 85f9449b3bf138291017bff513ccc66cdbbb81478098149bf6ddaf44410c235e
- SHA512: f1426c35ec3f265d028e4f70867f4e62b95b39842abbd7ca8cae395fec34de27ce9d58849f7a4a8f6acfa4aeb7fe3abf643eeb9e5a8c1c9139940f2be91b2169
Malware Config
Extracted
- Protocol: smtp
- Host: mail.insooryaexpresscargo.com
- Port: 587
- Username: [email protected]
- Password: GuG5GK(3m7*Z
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.insooryaexpresscargo.com
- Port: 587
- Username: [email protected]
- Password: GuG5GK(3m7*Z
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 2 IoCs
  Processes:
  resource | yara_rule
  behavioral4/memory/2984-133-0x0000000000A10000-0x0000000000A62000-memory.dmp | family_agenttesla
  behavioral4/memory/2984-132-0x0000000000A10000-0x0000000000A62000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  Processes: promisecrypted.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | promisecrypted.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | promisecrypted.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | promisecrypted.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: promisecrypted.exe
  description | pid | process | target process
  PID 1496 set thread context of 2984 | 1496 | promisecrypted.exe | promisecrypted.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes: promisecrypted.exe, promisecrypted.exe
  pid | process
  1496 | promisecrypted.exe
  1496 | promisecrypted.exe
  2984 | promisecrypted.exe
  2984 | promisecrypted.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes: promisecrypted.exe
  pid | process
  1496 | promisecrypted.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: promisecrypted.exe
  description | pid | process
  Token: SeDebugPrivilege | 2984 | promisecrypted.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes: promisecrypted.exe, promisecrypted.exe
  description | pid | process | target process
  PID 1496 wrote to memory of 2984 | 1496 | promisecrypted.exe | promisecrypted.exe
  PID 1496 wrote to memory of 2984 | 1496 | promisecrypted.exe | promisecrypted.exe
  PID 1496 wrote to memory of 2984 | 1496 | promisecrypted.exe | promisecrypted.exe
  PID 2984 wrote to memory of 884 | 2984 | promisecrypted.exe | netsh.exe
  PID 2984 wrote to memory of 884 | 2984 | promisecrypted.exe | netsh.exe
  PID 2984 wrote to memory of 884 | 2984 | promisecrypted.exe | netsh.exe
- outlook_office_path 1 IoCs
  Processes: promisecrypted.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | promisecrypted.exe
- outlook_win_path 1 IoCs
  Processes: promisecrypted.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | promisecrypted.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\promisecrypted.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\promisecrypted.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\promisecrypted.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\promisecrypted.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/884-135-0x0000000000000000-mapping.dmp
- memory/1496-131-0x0000000002260000-0x0000000002267000-memory.dmp (Filesize: 28KB)
- memory/2984-130-0x0000000000000000-mapping.dmp
- memory/2984-133-0x0000000000A10000-0x0000000000A62000-memory.dmp (Filesize: 328KB)
- memory/2984-132-0x0000000000A10000-0x0000000000A62000-memory.dmp (Filesize: 328KB)
- memory/2984-134-0x0000000074B20000-0x00000000750D1000-memory.dmp (Filesize: 5.7MB)