Analysis
- max time kernel: 151s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:57
Static task: static1
Behavioral task: behavioral1
- Sample: Doc#162020094753525765344650094480.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Doc#162020094753525765344650094480.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: Doc#162020094753525765344650094480.pdf.exe
- Size: 4.7MB
- MD5: ffceee8b1fe197a9cac46ae74a66bccd
- SHA1: 806284efb14a8a27f44eee9564957659eec05282
- SHA256: 5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba
- SHA512: 9d1cb0248107409eac2def450ebc99173e67340ee79a6f62c9b8273e318b0c17b53f914f122bb79d02f55af86516852100996c5152b5e15917a6c490c53e7627
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: chizzy25@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/632-140-0x0000000000400000-0x000000000044C000-memory.dmp; yara_rule: family_agenttesla
- Executes dropped EXE (2 IoCs)
  pid 3276: dfgrwhgrhterurw.exe
  pid 632: AddInProcess32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: Doc#162020094753525765344650094480.pdf.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hfggdfsgbnvbdgerfghs = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\dfgrwhgrhterurw.exe" (process: reg.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3276 (dfgrwhgrhterurw.exe) set thread context of PID 632 (AddInProcess32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 4808: Doc#162020094753525765344650094480.pdf.exe (24 occurrences)
  pid 3276: dfgrwhgrhterurw.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4808 (Doc#162020094753525765344650094480.pdf.exe)
  Token: SeDebugPrivilege, pid 3276 (dfgrwhgrhterurw.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4808 (Doc#162020094753525765344650094480.pdf.exe) wrote to memory of PID 3840 (cmd.exe): 3 occurrences
  PID 3840 (cmd.exe) wrote to memory of PID 2304 (reg.exe): 3 occurrences
  PID 4808 (Doc#162020094753525765344650094480.pdf.exe) wrote to memory of PID 3276 (dfgrwhgrhterurw.exe): 3 occurrences
  PID 3276 (dfgrwhgrhterurw.exe) wrote to memory of PID 632 (AddInProcess32.exe): 8 occurrences
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Doc#162020094753525765344650094480.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Doc#162020094753525765344650094480.pdf.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hfggdfsgbnvbdgerfghs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hfggdfsgbnvbdgerfghs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
      Signatures: Adds Run key to start application
  - [depth 2] C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe
    Command line: "C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
- C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe
  Filesize: 4.7MB
  MD5: ffceee8b1fe197a9cac46ae74a66bccd
  SHA1: 806284efb14a8a27f44eee9564957659eec05282
  SHA256: 5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba
  SHA512: 9d1cb0248107409eac2def450ebc99173e67340ee79a6f62c9b8273e318b0c17b53f914f122bb79d02f55af86516852100996c5152b5e15917a6c490c53e7627
- memory/632-143-0x00000000055E0000-0x000000000567C000-memory.dmp
  Filesize: 624KB
- memory/632-140-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/632-139-0x0000000000000000-mapping.dmp
- memory/2304-135-0x0000000000000000-mapping.dmp
- memory/3276-136-0x0000000000000000-mapping.dmp
- memory/3840-134-0x0000000000000000-mapping.dmp
- memory/4808-130-0x0000000000680000-0x0000000000B3C000-memory.dmp
  Filesize: 4.7MB
- memory/4808-133-0x0000000006290000-0x00000000062D4000-memory.dmp
  Filesize: 272KB
- memory/4808-132-0x0000000005E30000-0x0000000005EC2000-memory.dmp
  Filesize: 584KB
- memory/4808-131-0x0000000006300000-0x00000000068A4000-memory.dmp
  Filesize: 5.6MB