Analysis

- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:16
Static task: static1

Behavioral task: behavioral1
  Sample: Catalogue -CIMC Vehicles.pdf
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Catalogue -CIMC Vehicles.pdf
  Resource: win10v2004-20220414-en

Behavioral task: behavioral3
  Sample: PO.exe
  Resource: win7-20220414-en

Behavioral task: behavioral4
  Sample: PO.exe
  Resource: win10v2004-20220414-en
General

- Target: PO.exe
- Size: 869KB
- MD5: a925cd618ba6ead6b73ded89b70e69b7
- SHA1: 9a1b4b8e5a3d2d9539205f9c2a3ea96d5f74d5c0
- SHA256: 547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
- SHA512: 9a96bb6e45fcafe54376b3c923c5db4f71651832bc42897218511b87bbb15bacfafb9059a378d37022fe19b5dff6b78e8013b14262ab907f6d4bc0b051a365fb
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: mail.cka.com.sg
- Port: 587
- Username: [email protected]
- Password: agnescka82
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (6 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral3/memory/956-61-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral3/memory/956-62-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral3/memory/956-63-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral3/memory/956-64-0x00000000004455CE-mapping.dmp                     family_agenttesla
  behavioral3/memory/956-66-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral3/memory/956-68-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: PO.exe
  description   ioc                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   PO.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   PO.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                   PO.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: PO.exe
  description       ioc                                                                                                                                                                                  process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe"   PO.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PO.exe
  description                           pid    process   target process
  PID 1652 set thread context of 956    1652   PO.exe    PO.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PO.exe
  pid   process
  956   PO.exe
  956   PO.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PO.exe
  description               pid   process
  Token: SeDebugPrivilege   956   PO.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: PO.exe
  description                         pid    process   target process
  PID 1652 wrote to memory of 1316    1652   PO.exe    schtasks.exe
  PID 1652 wrote to memory of 1316    1652   PO.exe    schtasks.exe
  PID 1652 wrote to memory of 1316    1652   PO.exe    schtasks.exe
  PID 1652 wrote to memory of 1316    1652   PO.exe    schtasks.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe
  PID 1652 wrote to memory of 956     1652   PO.exe    PO.exe

- outlook_office_path (1 IoCs)
  Processes: PO.exe
  description   ioc                                                                                                                                            process
  Key opened    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   PO.exe

- outlook_win_path (1 IoCs)
  Processes: PO.exe
  description   ioc                                                                                                                                                                                      process
  Key opened    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   PO.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  PID: 1652
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWEYXGLydrrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12E6.tmp"
    PID: 1316
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "{path}"
    PID: 956
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp12E6.tmp
  Filesize: 1KB
  MD5: 41a560587ff3e2381f3c20b823c3cda0
  SHA1: 31d122e638cf8c5ee845e8e67167c05b9faee307
  SHA256: 24d8d47bec1092563d398445f2d18264386171e574f80462b0d86afb0090de00
  SHA512: d194321e26caea5b8154b2b21eee1866b5d7a6227ae2eb8a7b52c68dd47a48d45c5b3ed23404e4e964eb99569d68ee3b8993468c1c692051aed39ba379725715

- memory/956-61-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-58-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-59-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-62-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-63-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-64-0x00000000004455CE-mapping.dmp

- memory/956-66-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-68-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB

- memory/956-70-0x0000000075010000-0x00000000755BB000-memory.dmp
  Filesize: 5.7MB

- memory/1316-56-0x0000000000000000-mapping.dmp

- memory/1652-55-0x0000000075010000-0x00000000755BB000-memory.dmp
  Filesize: 5.7MB

- memory/1652-54-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB