Analysis
-
max time kernel
66s
-
max time network
71s
-
platform
windows7_x64
-
resource
win7-20220414-en
-
submitted
21-05-2022 06:01
Static task
static1
Behavioral task
behavioral1
Sample
Rfq clarifications.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Rfq clarifications.exe
Resource
win10v2004-20220414-en
General
-
Target
Rfq clarifications.exe
-
Size
25KB
-
MD5
bc48ec658d3ae45d8eaf52b6f1ab75fd
-
SHA1
6af36a0768884ad9fd39507911d824d1dc2963db
-
SHA256
3c42490be13ea791feda53e89f19abc2c4326cc581e9f7fb4040340e38b5a7c6
-
SHA512
76a034e57bb0d6c7159853b1ed78d374b57d55f14d464e49ece07f3e73633bc51eb07b65b708d5288cecfef17d3e6a25706cb2fd00bda0ae4465bb41472a3178
Malware Config
Extracted
Protocol: smtp
Host: mail.modernsystemsco.com
Port: 587
Username: [email protected]
Password: Base@2222$
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.modernsystemsco.com
Port: 587
Username: [email protected]
Password: Base@2222$
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
suricata: ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: MSBuild.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe" | MSBuild.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Rfq clarifications.exe
description | pid | process | target process
PID 1948 set thread context of 364 | 1948 | Rfq clarifications.exe | MSBuild.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
1312 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: Rfq clarifications.exe, MSBuild.exe
pid | process
1948 | Rfq clarifications.exe
364 | MSBuild.exe
364 | MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Rfq clarifications.exe, MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 1948 | Rfq clarifications.exe
Token: SeDebugPrivilege | 364 | MSBuild.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: Rfq clarifications.exe, cmd.exe
description | pid | process | target process
PID 1948 wrote to memory of 1700 | 1948 | Rfq clarifications.exe | cmd.exe (4 identical entries)
PID 1700 wrote to memory of 1312 | 1700 | cmd.exe | timeout.exe (4 identical entries)
PID 1948 wrote to memory of 364 | 1948 | Rfq clarifications.exe | MSBuild.exe (9 identical entries)
-
outlook_office_path 1 IoCs
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
outlook_win_path 1 IoCs
Processes: MSBuild.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Rfq clarifications.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Rfq clarifications.exe"
Tree depth: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c timeout 30
Tree depth: 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe
Command line: timeout 30
Tree depth: 3
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Tree depth: 2
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/364-63-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-64-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-68-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-70-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-65-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-61-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/364-66-0x0000000000435B9E-mapping.dmp
-
memory/364-60-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/1312-59-0x0000000000000000-mapping.dmp
-
memory/1700-58-0x0000000000000000-mapping.dmp
-
memory/1948-55-0x0000000076191000-0x0000000076193000-memory.dmp
Filesize: 8KB
-
memory/1948-54-0x00000000008B0000-0x00000000008BC000-memory.dmp
Filesize: 48KB
-
memory/1948-57-0x00000000041A0000-0x00000000041EC000-memory.dmp
Filesize: 304KB
-
memory/1948-56-0x00000000007D0000-0x0000000000830000-memory.dmp
Filesize: 384KB