Analysis
- Max time kernel: 136s
- Max time network: 46s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 11:15
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Purchase Order Doc.scr
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: Purchase Order Doc.scr
  - Resource: win10v2004-20220414-en
General
- Target: Purchase Order Doc.scr
- Size: 796KB
- MD5: 8edcfe92ce92808f800bef12341052e8
- SHA1: 412a5505293f3e2d6d41340af08b0a192456b7ad
- SHA256: 0193ff4bf0658fc5b1bfa21d0fde437f8ebd5c0e2bb81227f71d75de8d076c08
- SHA512: 5c6237bb67779fbeba2e279e190544e574595a2258507d3acc22d710cac7e80566540e31f14c0dd8ed2a4470257745ca3c3763419048c2c64af3c0db28928881
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.alfadlytcc.com
- Port: 587
- Username: [email protected]
- Password: A$P@ss2022
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1844-64-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1844-65-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1844-66-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1844-67-0x000000000045427E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1844-69-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1844-71-0x0000000000400000-0x000000000045A000-memory.dmp: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 616 set thread context of 1844; 616; Purchase Order Doc.scr; RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid; process):
  - 1844; RegSvcs.exe
  - 1844; RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 1844; RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description; pid; process; target process):
  - PID 616 wrote to memory of 1288; 616; Purchase Order Doc.scr; schtasks.exe (4 identical entries)
  - PID 616 wrote to memory of 1844; 616; Purchase Order Doc.scr; RegSvcs.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr" /S
  PID: 616
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zKuQLnxFTXqVY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6EF9.tmp"
    PID: 1288
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1844
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6EF9.tmp
  Filesize: 1KB
  MD5: 1c02e0586d3041830d26f6fb50d795c4
  SHA1: 79b7ba5fa2ea72c912f4fa3156ce460c41897c61
  SHA256: c3bdddd664a61e6c2aa49bf7a6f00da278cf42127c2524d70530764f0e6d251c
  SHA512: ef105d8b22901e37c7278571f57e747404abc28cbe77008ead4d3784e5f7abe64fcbad989f3fbb0c6fd0a13d24feb6609589f5864f6d78764e8d3c1537162ddd
- memory/616-57-0x0000000005040000-0x00000000050B4000-memory.dmp
  Filesize: 464KB
- memory/616-56-0x0000000000360000-0x000000000036A000-memory.dmp
  Filesize: 40KB
- memory/616-54-0x00000000000E0000-0x00000000001AE000-memory.dmp
  Filesize: 824KB
- memory/616-58-0x00000000020B0000-0x000000000210A000-memory.dmp
  Filesize: 360KB
- memory/616-55-0x0000000074F91000-0x0000000074F93000-memory.dmp
  Filesize: 8KB
- memory/1288-59-0x0000000000000000-mapping.dmp
- memory/1844-62-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-61-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-64-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-65-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-66-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-67-0x000000000045427E-mapping.dmp
- memory/1844-69-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1844-71-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB