Analysis
- max time kernel: 128s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:14
Static task: static1
Behavioral task: behavioral1
- Sample: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
- Resource: win10v2004-20220414-en
General
- Target: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
- Size: 609KB
- MD5: c12557a3d973d45b602fbc8784fd8b75
- SHA1: 321569bcfe34e7c751f1efef818d7b2d1337790a
- SHA256: 50bca33857f38988e44abdd9542f348a2f5c4f499822a7eb37b58273b0fecb75
- SHA512: 6cae6fc81ad2f3e4b25e8d793378a2956207f95064c0f00ab86d5c8a2fcfc1214e1eaf28317e10f8cf3c08ebd6eac35f87a6de7254416d8095ab162ca5ec033e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.stankovic.hr
- Port: 587
- Username: [email protected]
- Password: mp58zg
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/5012-132-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
  description | pid | process | target process
  set thread context of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
- Drops file in Windows directory (1 IoC)
  Processes: dw20.exe
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
  pid | process
  872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
  872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
  872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe, dw20.exe
  description | pid | process
  Token: SeDebugPrivilege | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
  Token: SeRestorePrivilege | 3564 | dw20.exe
  Token: SeBackupPrivilege | 3564 | dw20.exe
  Token: SeBackupPrivilege | 3564 | dw20.exe
  Token: SeBackupPrivilege | 3564 | dw20.exe
  Token: SeBackupPrivilege | 3564 | dw20.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe, RegSvcs.exe
  description | pid | process | target process
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 5012 | 872 | REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe | RegSvcs.exe
  wrote to memory of 3564 | 5012 | RegSvcs.exe | dw20.exe
  wrote to memory of 3564 | 5012 | RegSvcs.exe | dw20.exe
  wrote to memory of 3564 | 5012 | RegSvcs.exe | dw20.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF011200022823419.pdf - Copy (2).exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "{path}"
      - Suspicious use of WriteProcessMemory
      3. (child of 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 788
         - Drops file in Windows directory
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/872-130-0x00000000746A0000-0x0000000074C51000-memory.dmp (Filesize: 5.7MB)
- memory/3564-133-0x0000000000000000-mapping.dmp
- memory/5012-131-0x0000000000000000-mapping.dmp
- memory/5012-132-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/5012-134-0x00000000746A0000-0x0000000074C51000-memory.dmp (Filesize: 5.7MB)