Analysis
- max time kernel: 151s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: نسخة الدفع. pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: نسخة الدفع. pdf.exe
  Resource: win10v2004-20220414-en
General
- Target: نسخة الدفع. pdf.exe
- Size: 497KB
- MD5: f3823acd3e8a4dcf21da8c206e13f257
- SHA1: 98f1a9eff1ad1e2f274ac4100e6670f2e95431c6
- SHA256: c315112980543e9046f7b3167586d3a5ba25734aac85679542adaca7867f3ef7
- SHA512: 702423cebf17f43925e50244c7caf3255472715caa7f1cb15dfe25dd81da5d6788fcd1bd4aa8f7771821f5ceb0305612f0a0d370b7bb2432349c2bc1a53c2212
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: vikash12345
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/5016-138-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: نسخة الدفع. pdf.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | نسخة الدفع. pdf.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: نسخة الدفع. pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | نسخة الدفع. pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | نسخة الدفع. pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | نسخة الدفع. pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: نسخة الدفع. pdf.exe
    description | pid | process | target process
    PID 2600 set thread context of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: نسخة الدفع. pdf.exe
    pid | process
    5016 | نسخة الدفع. pdf.exe
    5016 | نسخة الدفع. pdf.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: نسخة الدفع. pdf.exe
    pid | process
    5016 | نسخة الدفع. pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: نسخة الدفع. pdf.exe
    description | pid | process
    Token: SeDebugPrivilege | 5016 | نسخة الدفع. pdf.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: نسخة الدفع. pdf.exe, نسخة الدفع. pdf.exe
    description | pid | process | target process
    PID 2600 wrote to memory of 4392 | 2600 | نسخة الدفع. pdf.exe | schtasks.exe
    PID 2600 wrote to memory of 4392 | 2600 | نسخة الدفع. pdf.exe | schtasks.exe
    PID 2600 wrote to memory of 4392 | 2600 | نسخة الدفع. pdf.exe | schtasks.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 2600 wrote to memory of 5016 | 2600 | نسخة الدفع. pdf.exe | نسخة الدفع. pdf.exe
    PID 5016 wrote to memory of 3404 | 5016 | نسخة الدفع. pdf.exe | netsh.exe
    PID 5016 wrote to memory of 3404 | 5016 | نسخة الدفع. pdf.exe | netsh.exe
    PID 5016 wrote to memory of 3404 | 5016 | نسخة الدفع. pdf.exe | netsh.exe
- outlook_office_path (1 IoCs)
  Processes: نسخة الدفع. pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | نسخة الدفع. pdf.exe
- outlook_win_path (1 IoCs)
  Processes: نسخة الدفع. pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | نسخة الدفع. pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\نسخة الدفع. pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\نسخة الدفع. pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrehCc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B51.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\نسخة الدفع. pdf.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4B51.tmp
  Filesize: 1KB
  MD5: 321a90ffb78ff2d57fe214346c477711
  SHA1: b38541425e5683cd766c2fbdbe407dd0656ee65a
  SHA256: 67b8371bb266451782a2493b3e77f150918ebd972737b90548ca981bc1ec9556
  SHA512: 1ada332ca41df56f8d1dfe0780961a4e2d79e7770cfe3dd18ee40fa96a2fea1a323aad80f6d5d801284cd7669ee14dba5d0d4455c36351e78d3fd69ea9d11268
- memory/2600-130-0x0000000000DD0000-0x0000000000E52000-memory.dmp
  Filesize: 520KB
- memory/2600-131-0x0000000005DB0000-0x0000000006354000-memory.dmp
  Filesize: 5.6MB
- memory/2600-132-0x0000000005800000-0x0000000005892000-memory.dmp
  Filesize: 584KB
- memory/2600-133-0x00000000059B0000-0x00000000059BA000-memory.dmp
  Filesize: 40KB
- memory/2600-134-0x0000000007D70000-0x0000000007E0C000-memory.dmp
  Filesize: 624KB
- memory/3404-141-0x0000000000000000-mapping.dmp
- memory/4392-135-0x0000000000000000-mapping.dmp
- memory/5016-137-0x0000000000000000-mapping.dmp
- memory/5016-138-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/5016-139-0x0000000005E00000-0x0000000005E66000-memory.dmp
  Filesize: 408KB
- memory/5016-140-0x0000000006BB0000-0x0000000006C00000-memory.dmp
  Filesize: 320KB