Analysis
-
max time kernel
113s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:19
General
-
Target
Payment Invoice.exe
-
Size
556KB
-
MD5
53ec9b92d822d12887d144d5e2066bef
-
SHA1
ef55bbcab42a3ef5ee0070adf2b1c176dfeea4d0
-
SHA256
1a32b479225283f435fe37ea7490bd319063d0cbf88ba6845821aa4eadbbdc91
-
SHA512
6685ca80b210e740bac3a0910c803b27dac2840a9b17c24dd0256b8afbce7cbb063b713e63f488179979e118434ca8ea49f542f414e1c402f71462897f705d7b
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
mmm777
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AThqfIDLqoF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9760.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"{path}"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9760.tmpFilesize
1KB
MD554d91b07afd42653bac3e75140ee3a8a
SHA17a3350a26def23633b93ff34497835b527d592c0
SHA256b956e4d2398345fee590d005b62057b6e137cbd15d9c4a35af1b76d223a6546d
SHA5120be2a7cc430319501b2570285954618ac7909435ee51f9a627e65cdfc00ac147358774cf3277d31e997f7f4aeec91ab1ecf8d4ab8bd0d7f4ecd599ee0c0f1475
-
memory/1392-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-58-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-59-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-62-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-63-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-64-0x000000000044775E-mapping.dmp
-
memory/1392-66-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-68-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1392-70-0x00000000745C0000-0x0000000074B6B000-memory.dmpFilesize
5.7MB
-
memory/1500-56-0x0000000000000000-mapping.dmp
-
memory/1928-55-0x00000000745C0000-0x0000000074B6B000-memory.dmpFilesize
5.7MB
-
memory/1928-54-0x0000000074E91000-0x0000000074E93000-memory.dmpFilesize
8KB