Analysis
- max time kernel: 131s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: company profile and order.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: company profile and order.exe
  Resource: win10v2004-20220414-en
General
- Target: company profile and order.exe
- Size: 541KB
- MD5: 901d22562d31a9e1c5db78101f5a1a5b
- SHA1: 5bb7d889b40ab7bf7565f5709ec85806624f262f
- SHA256: 17b08a5f3af74a6f01300f637e6975b4d42a04b3c1f5825a86106adc48f51608
- SHA512: a7c094689266752791228a518c725e2f36a45bb5ef47c5a9020cabad3f35ca5f3057db44dcc4ff4ed7879e40755af4ebe165ea50735774478c4aca414f2a3e56
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: clubluxurious.com
- Port: 587
- Username: adminsmtp@clubluxurious.com
- Password: lovers903212@@@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer (1 IoC)
  A .NET packer, CoreEntity, that embeds the payload as a BitMap object which is later decrypted.
  Processes:
    resource | yara_rule
    behavioral1/memory/888-56-0x0000000000220000-0x0000000000228000-memory.dmp | coreentity
- AgentTesla Payload (6 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/656-63-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/656-64-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/656-65-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/656-66-0x000000000044CC8E-mapping.dmp | family_agenttesla
    behavioral1/memory/656-68-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/656-70-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- CoreCCC Packer (1 IoC)
  Detects CoreCCC packer used to load .NET malware.
  Processes:
    resource | yara_rule
    behavioral1/memory/888-54-0x0000000000E40000-0x0000000000ECE000-memory.dmp | coreccc
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource | yara_rule
    behavioral1/memory/888-57-0x0000000000DE0000-0x0000000000E3A000-memory.dmp | rezer0
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | company profile and order.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | company profile and order.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | company profile and order.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | company profile and order.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | company profile and order.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | company profile and order.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | company profile and order.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 888 set thread context of 656 | 888 | company profile and order.exe | company profile and order.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid | process
    888 | company profile and order.exe
    656 | company profile and order.exe
    656 | company profile and order.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 888 | company profile and order.exe
    Token: SeDebugPrivilege | 656 | company profile and order.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    656 | company profile and order.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (identical rows collapsed; repeat count in parentheses):
    description | pid | process | target process
    PID 888 wrote to memory of 1772 | 888 | company profile and order.exe | schtasks.exe (4 entries)
    PID 888 wrote to memory of 656 | 888 | company profile and order.exe | company profile and order.exe (9 entries)
    PID 656 wrote to memory of 1736 | 656 | company profile and order.exe | netsh.exe (4 entries)
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | company profile and order.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | company profile and order.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\company profile and order.exe (PID 888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\company profile and order.exe"
  Signatures:
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\SysWOW64\schtasks.exe (PID 1772)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWTjESQVUbKx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4819.tmp"
      Signatures:
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\company profile and order.exe (PID 656)
      Command line: "{path}"
      Signatures:
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
      Children:
        - C:\Windows\SysWOW64\netsh.exe (PID 1736)
          Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4819.tmp
  Filesize: 1KB
  MD5: a2b28acaa54853cfbff74c65d07939e3
  SHA1: 4c1cb8e77e53aa260265ff556bf5ad00bfed713d
  SHA256: 0061622051d9f33d80f9fe6d6c555ea1b1f59c53f15832a7cffc8552320dcc2c
  SHA512: f227c80524130594e0b243b17de19904e3e14c52ab379c4770841fdfc1fd815157bf9dff271e33bf774064d29d0106d160728561e5234b57640d27b809e34245
- memory/656-61-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-66-0x000000000044CC8E-mapping.dmp
- memory/656-70-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-68-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-65-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-60-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-63-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/656-64-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/888-54-0x0000000000E40000-0x0000000000ECE000-memory.dmp
  Filesize: 568KB
- memory/888-55-0x00000000750C1000-0x00000000750C3000-memory.dmp
  Filesize: 8KB
- memory/888-56-0x0000000000220000-0x0000000000228000-memory.dmp
  Filesize: 32KB
- memory/888-57-0x0000000000DE0000-0x0000000000E3A000-memory.dmp
  Filesize: 360KB
- memory/1736-72-0x0000000000000000-mapping.dmp
- memory/1772-58-0x0000000000000000-mapping.dmp