Analysis
- max time kernel: 166s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:16
Static task: static1
Behavioral tasks:
- behavioral1: Sample "Catalogue -CIMC Vehicles.pdf", Resource win7-20220414-en
- behavioral2: Sample "Catalogue -CIMC Vehicles.pdf", Resource win10v2004-20220414-en
- behavioral3: Sample PO.exe, Resource win7-20220414-en
- behavioral4: Sample PO.exe, Resource win10v2004-20220414-en
General
- Target: PO.exe
- Size: 869KB
- MD5: a925cd618ba6ead6b73ded89b70e69b7
- SHA1: 9a1b4b8e5a3d2d9539205f9c2a3ea96d5f74d5c0
- SHA256: 547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
- SHA512: 9a96bb6e45fcafe54376b3c923c5db4f71651832bc42897218511b87bbb15bacfafb9059a378d37022fe19b5dff6b78e8013b14262ab907f6d4bc0b051a365fb
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cka.com.sg
- Port: 587
- Username: [email protected]
- Password: agnescka82
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  resource: behavioral4/memory/4300-135-0x0000000000400000-0x000000000044A000-memory.dmp, yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  PO.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  PO.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  PO.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  PO.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  PO.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2480 (PO.exe) set thread context of PID 4300 (PO.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  PID 2480 (PO.exe) x3, PID 4300 (PO.exe) x2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token SeDebugPrivilege: PID 2480 (PO.exe)
  Token SeDebugPrivilege: PID 4300 (PO.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  PID 2480 (PO.exe) wrote to memory of PID 544 (schtasks.exe) x3
  PID 2480 (PO.exe) wrote to memory of PID 1368 (PO.exe) x3
  PID 2480 (PO.exe) wrote to memory of PID 4300 (PO.exe) x8
- outlook_office_path (1 IoC)
  Processes:
  PO.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
  PO.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  PID: 2480 (depth 1)
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWEYXGLydrrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB7B.tmp"
    PID: 544 (depth 2)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "{path}"
    PID: 1368 (depth 2)
  - C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "{path}"
    PID: 4300 (depth 2)
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- C:\Users\Admin\AppData\Local\Temp\tmpDB7B.tmp
  Filesize: 1KB
  MD5: f4072566f36072a45f45a17b25b14850
  SHA1: d33d769ea374aaefd7d06c52b280c72c6bde179a
  SHA256: 18f0925c1f82c9aaae227dbce2f7aab28df54746ca1eeb980571a63191b7a62e
  SHA512: d9a9674188ccd1fe99a321cdf53ac4ae073a0dbca7775f2abee73cfcbc642a2e4ea936ea2c11f15c70d6ab02cb6c2f99da139d09efd05c34e9a7d65019a44432
- memory/544-131-0x0000000000000000-mapping.dmp
- memory/1368-133-0x0000000000000000-mapping.dmp
- memory/2480-130-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/4300-134-0x0000000000000000-mapping.dmp
- memory/4300-135-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/4300-137-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB