Analysis

  • max time kernel
    128s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:14

General

  • Target

    REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe

  • Size

    609KB

  • MD5

    c12557a3d973d45b602fbc8784fd8b75

  • SHA1

    321569bcfe34e7c751f1efef818d7b2d1337790a

  • SHA256

    50bca33857f38988e44abdd9542f348a2f5c4f499822a7eb37b58273b0fecb75

  • SHA512

    6cae6fc81ad2f3e4b25e8d793378a2956207f95064c0f00ab86d5c8a2fcfc1214e1eaf28317e10f8cf3c08ebd6eac35f87a6de7254416d8095ab162ca5ec033e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.stankovic.hr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mp58zg

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
    "C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 788
        3⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/872-130-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize

    5.7MB

  • memory/3564-133-0x0000000000000000-mapping.dmp
  • memory/5012-131-0x0000000000000000-mapping.dmp
  • memory/5012-132-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

  • memory/5012-134-0x00000000746A0000-0x0000000074C51000-memory.dmp
    Filesize

    5.7MB