Analysis
- max time kernel: 152s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: PO20201.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO20201.exe
  Resource: win10v2004-20220414-en
General
- Target: PO20201.exe
- Size: 1.6MB
- MD5: 144ef7cef25ba3310000ddb81ec5192c
- SHA1: b1ab1c5509afb2fda7cf8de4df971ec24ae48e49
- SHA256: ef198e1bc193d5b0e033b27059f10e3ae7a5b696f2157bda94d765cc353d6952
- SHA512: 343cbb325758832b4f7a683fe28aad451f790c450e1ec49e57ca3c71c57ae15b825b878ca2db923070fc8cfe7c97b8104da80eda2e5bcc732a83bd934f1d11fa
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.durainteriordesign.com
- Port: 587
- Username: [email protected]
- Password: successman12
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/3540-133-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_agenttesla
- Disables Task Manager via registry modification
- Drops file in Drivers directory (2 IoCs)
  Processes: MSBuild.exe, MSBuild.exe
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: MSBuild.exe)
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: MSBuild.exe)
- Drops startup file (1 IoC)
  Processes: PO20201.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ssh-keygen.url (process: PO20201.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes: MSBuild.exe, MSBuild.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: PO20201.exe
  - PID 2272 (PO20201.exe) set thread context of PID 3540 (MSBuild.exe)
  - PID 2272 (PO20201.exe) set thread context of PID 744 (MSBuild.exe)
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  - PID 3852 (WerFault.exe), target PID 3540 (MSBuild.exe)
  - PID 792 (WerFault.exe), target PID 744 (MSBuild.exe)
- Modifies registry key (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes: MSBuild.exe, PO20201.exe, MSBuild.exe
  - PID 3540 MSBuild.exe (2 entries)
  - PID 2272 PO20201.exe (20 entries)
  - PID 744 MSBuild.exe (2 entries)
  - PID 2272 PO20201.exe (8 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: MSBuild.exe, MSBuild.exe
  - Token: SeDebugPrivilege, PID 3540 (MSBuild.exe)
  - Token: SeDebugPrivilege, PID 744 (MSBuild.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PO20201.exe
  - PID 2272 PO20201.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PO20201.exe
  - PID 2272 PO20201.exe (3 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: PO20201.exe, MSBuild.exe, MSBuild.exe
  - PID 2272 (PO20201.exe) wrote to memory of PID 3540 (MSBuild.exe) (5 entries)
  - PID 3540 (MSBuild.exe) wrote to memory of PID 1680 (REG.exe) (3 entries)
  - PID 3540 (MSBuild.exe) wrote to memory of PID 3932 (netsh.exe) (3 entries)
  - PID 2272 (PO20201.exe) wrote to memory of PID 744 (MSBuild.exe) (5 entries)
  - PID 744 (MSBuild.exe) wrote to memory of PID 4084 (REG.exe) (3 entries)
  - PID 744 (MSBuild.exe) wrote to memory of PID 3268 (netsh.exe) (3 entries)
- outlook_office_path (1 IoC)
  Processes: MSBuild.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
- outlook_win_path (1 IoC)
  Processes: MSBuild.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: MSBuild.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO20201.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO20201.exe"
  Signatures:
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      Signatures:
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          Signatures:
            - Modifies registry key
        - C:\Windows\SysWOW64\netsh.exe
          Command line: "netsh" wlan show profile
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1504
          Signatures:
            - Program crash
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      Signatures:
        - Drops file in Drivers directory
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
      Child processes:
        - C:\Windows\SysWOW64\REG.exe
          Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          Signatures:
            - Modifies registry key
        - C:\Windows\SysWOW64\netsh.exe
          Command line: "netsh" wlan show profile
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1492
          Signatures:
            - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3540 -ip 3540
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 744 -ip 744
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 846B
  MD5: 5b2d17233558878a82ee464d04f58b59
  SHA1: 47ebffcad0b4c358df0d6a06ef335cb6aab0ab20
  SHA256: 5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542
  SHA512: d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b
- memory/744-145-0x0000000000000000-mapping.dmp
- memory/1680-142-0x0000000000000000-mapping.dmp
- memory/2272-130-0x0000000003830000-0x00000000038C8000-memory.dmp
  Filesize: 608KB
- memory/2272-131-0x0000000004C90000-0x0000000004D28000-memory.dmp
  Filesize: 608KB
- memory/3268-153-0x0000000000000000-mapping.dmp
- memory/3540-140-0x0000000005B90000-0x0000000005C2C000-memory.dmp
  Filesize: 624KB
- memory/3540-141-0x00000000068A0000-0x0000000006906000-memory.dmp
  Filesize: 408KB
- memory/3540-139-0x00000000059D0000-0x0000000005A62000-memory.dmp
  Filesize: 584KB
- memory/3540-144-0x00000000016B0000-0x0000000001700000-memory.dmp
  Filesize: 320KB
- memory/3540-138-0x0000000006140000-0x00000000066E4000-memory.dmp
  Filesize: 5.6MB
- memory/3540-133-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/3540-132-0x0000000000000000-mapping.dmp
- memory/3932-143-0x0000000000000000-mapping.dmp
- memory/4084-152-0x0000000000000000-mapping.dmp