Analysis
- max time kernel: 21s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:56
Static task: static1
Behavioral task: behavioral1
- Sample: 20200603_PO_97890_EXPORTFCLpdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 20200603_PO_97890_EXPORTFCLpdf.exe
- Resource: win10v2004-20220414-en
General
- Target: 20200603_PO_97890_EXPORTFCLpdf.exe
- Size: 454KB
- MD5: 73eff0ef28208f340480056565e52406
- SHA1: 6c97fd2aeaf672b55306147ed028c4ba044287c6
- SHA256: c34a5fb5cb1ee666b5a59c8fd67368b2b3f826b3b8ed19e597dc8beb91416c52
- SHA512: 7277bd32980e6822b846f986c7e3c648443034d840463148d66b4ac8e169ecee64ae1444571da4a440c0f296fe36c9506512bc986393074539d2c45a2c3c1270
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sesan.com.vn
- Port: 587
- Username: info@sesan.com.vn
- Password: 123456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (5 IoCs)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/432-63-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/432-64-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/432-65-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/432-66-0x000000000044CBDE-mapping.dmp                    family_agenttesla
    behavioral1/memory/432-68-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1688-57-0x0000000001EF0000-0x0000000001F48000-memory.dmp  rezer0
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  20200603_PO_97890_EXPORTFCLpdf.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   20200603_PO_97890_EXPORTFCLpdf.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                          process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    20200603_PO_97890_EXPORTFCLpdf.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  20200603_PO_97890_EXPORTFCLpdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         pid   process                             target process
    PID 1688 set thread context of 432  1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid   process                             target process
    PID 1688 wrote to memory of 2020  1688  20200603_PO_97890_EXPORTFCLpdf.exe  schtasks.exe
    PID 1688 wrote to memory of 2020  1688  20200603_PO_97890_EXPORTFCLpdf.exe  schtasks.exe
    PID 1688 wrote to memory of 2020  1688  20200603_PO_97890_EXPORTFCLpdf.exe  schtasks.exe
    PID 1688 wrote to memory of 2020  1688  20200603_PO_97890_EXPORTFCLpdf.exe  schtasks.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
    PID 1688 wrote to memory of 432   1688  20200603_PO_97890_EXPORTFCLpdf.exe  20200603_PO_97890_EXPORTFCLpdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20200603_PO_97890_EXPORTFCLpdf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20200603_PO_97890_EXPORTFCLpdf.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRWlmmsFeghNI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CA9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\20200603_PO_97890_EXPORTFCLpdf.exe (level 2)
    Command line: "{path}"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6CA9.tmp
  Filesize: 1KB
  MD5: 41620b81f47e832fe749779f9bd69c02
  SHA1: ac93ba2739b6823901df92394e08243079337876
  SHA256: a49e084a52951b1023d55f556f29e52356e290a23406eeaa34db0dd85775afca
  SHA512: 4b99478df5b5a194b3c40513c153258490346d465723e7397b9fde2818acad284dc19fb678e1401c66e075f854e43c66ea6bec7b75fa1c7044561c0854682e71
- memory/432-64-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/432-60-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/432-61-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/432-63-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/432-65-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/432-66-0x000000000044CBDE-mapping.dmp
- memory/432-68-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/1688-56-0x0000000000660000-0x0000000000668000-memory.dmp
  Filesize: 32KB
- memory/1688-57-0x0000000001EF0000-0x0000000001F48000-memory.dmp
  Filesize: 352KB
- memory/1688-55-0x0000000075E31000-0x0000000075E33000-memory.dmp
  Filesize: 8KB
- memory/1688-54-0x0000000000020000-0x0000000000098000-memory.dmp
  Filesize: 480KB
- memory/2020-58-0x0000000000000000-mapping.dmp