Analysis
- max time kernel: 111s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: Technical Details.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Technical Details.exe
  Resource: win10v2004-20220414-en
General
- Target: Technical Details.exe
- Size: 427KB
- MD5: f45b90ee156fcebbc41ee694e8714141
- SHA1: a01e32250e4ae6096716b88ef1a81a936f5be413
- SHA256: 9bf584f64af278fb0a7afd8aa15c460e19e3263388bc896284712c7a07426eeb
- SHA512: ab002fcc34b68f6670fa02257392e16327ee7ab6afa3da6988c24ebcf0607abae613f223cb58dff8ab9cc6c90bba112d0361496428492cbbcf9cd200fa009e64
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: privateemail.com
- Port: 587
- Username: [email protected]
- Password: @damienzy.xyz2240
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4388-138-0x0000000000400000-0x000000000044A000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Technical Details.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Technical Details.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Technical Details.exe
    description | pid | process | target process
    PID 548 set thread context of 4388 | 548 | Technical Details.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: Technical Details.exe, RegSvcs.exe
    pid | process
    548 | Technical Details.exe
    4388 | RegSvcs.exe
    4388 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Technical Details.exe, RegSvcs.exe
    description | pid | process
    Token: SeDebugPrivilege | 548 | Technical Details.exe
    Token: SeDebugPrivilege | 4388 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Technical Details.exe
    description | pid | process | target process
    PID 548 wrote to memory of 4588 | 548 | Technical Details.exe | schtasks.exe (3 entries)
    PID 548 wrote to memory of 4388 | 548 | Technical Details.exe | RegSvcs.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Technical Details.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Technical Details.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jWnDUGZhALZVGq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp
  Filesize: 1KB
  MD5: b622caea737a70a31738516a7082e6a4
  SHA1: 3cc8bc98b39957f6b0db6a53a28964c57f7fc049
  SHA256: f821e7af26ceb81c018c42c95fa2bb062b14c8a478c0dc14b385a61d660034f7
  SHA512: 97baedaf4cde65cf682b3d03c127f0db9019e962dd3c4d0970286c03e1c76734b52c9878e7cfd712f65c420893795cb966e443a77d6fb40be18babd151c27553
- memory/548-130-0x0000000000670000-0x00000000006E2000-memory.dmp
  Filesize: 456KB
- memory/548-131-0x0000000005570000-0x0000000005B14000-memory.dmp
  Filesize: 5.6MB
- memory/548-132-0x00000000050A0000-0x0000000005132000-memory.dmp
  Filesize: 584KB
- memory/548-133-0x0000000005080000-0x000000000508A000-memory.dmp
  Filesize: 40KB
- memory/548-134-0x0000000008F00000-0x0000000008F9C000-memory.dmp
  Filesize: 624KB
- memory/4388-137-0x0000000000000000-mapping.dmp
- memory/4388-138-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/4388-139-0x0000000006000000-0x0000000006066000-memory.dmp
  Filesize: 408KB
- memory/4388-140-0x0000000006760000-0x00000000067B0000-memory.dmp
  Filesize: 320KB
- memory/4588-135-0x0000000000000000-mapping.dmp