Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:16
General
-
Target
PO.exe
-
Size
869KB
-
MD5
a925cd618ba6ead6b73ded89b70e69b7
-
SHA1
9a1b4b8e5a3d2d9539205f9c2a3ea96d5f74d5c0
-
SHA256
547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
-
SHA512
9a96bb6e45fcafe54376b3c923c5db4f71651832bc42897218511b87bbb15bacfafb9059a378d37022fe19b5dff6b78e8013b14262ab907f6d4bc0b051a365fb
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cka.com.sg - Port:
587 - Username:
[email protected] - Password:
agnescka82
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO.exe"C:\Users\Admin\AppData\Local\Temp\PO.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWEYXGLydrrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12E6.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PO.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp12E6.tmpFilesize
1KB
MD541a560587ff3e2381f3c20b823c3cda0
SHA131d122e638cf8c5ee845e8e67167c05b9faee307
SHA25624d8d47bec1092563d398445f2d18264386171e574f80462b0d86afb0090de00
SHA512d194321e26caea5b8154b2b21eee1866b5d7a6227ae2eb8a7b52c68dd47a48d45c5b3ed23404e4e964eb99569d68ee3b8993468c1c692051aed39ba379725715
-
memory/956-61-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-58-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-59-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-62-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-63-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-64-0x00000000004455CE-mapping.dmp
-
memory/956-66-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-68-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/956-70-0x0000000075010000-0x00000000755BB000-memory.dmpFilesize
5.7MB
-
memory/1316-56-0x0000000000000000-mapping.dmp
-
memory/1652-55-0x0000000075010000-0x00000000755BB000-memory.dmpFilesize
5.7MB
-
memory/1652-54-0x0000000076461000-0x0000000076463000-memory.dmpFilesize
8KB