Analysis
- max time kernel: 118s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:39
Static task: static1
Behavioral task: behavioral1
- Sample: Doc Remit.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Doc Remit.exe
- Resource: win10v2004-20220414-en
General
- Target: Doc Remit.exe
- Size: 494KB
- MD5: 312a5ef698dcbf3bdaa1fd1b7dceb890
- SHA1: 8bd85170dd1c57747f9635b23a79d389574fc7d9
- SHA256: a7f10ee02c982acfcb3baf5970fe366d6583dfb0c8c27b20cdf00a2a7d103bc3
- SHA512: c52a31a924501ba1541649e69c4bfbf30762239c953c41ffd54b44a0a33775f4bf6f04e79d51df8200545034094550a6ea46e5e4511421a513bbd412b1a3430e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.starmakertravel.com
- Port: 587
- Username: smt@starmakertravel.com
- Password: admin2000
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/856-64-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/856-63-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/856-65-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/856-66-0x000000000044B0EE-mapping.dmp | family_agenttesla
  behavioral1/memory/856-68-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/856-70-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Doc Remit.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Doc Remit.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Doc Remit.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: Doc Remit.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Doc Remit.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Doc Remit.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Doc Remit.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: Doc Remit.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Doc Remit.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Doc Remit.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Doc Remit.exe
  description | pid | process | target process
  PID 1676 set thread context of 856 | 1676 | Doc Remit.exe | Doc Remit.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: Doc Remit.exe, Doc Remit.exe
  pid | process
  1676 | Doc Remit.exe
  856 | Doc Remit.exe
  856 | Doc Remit.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Doc Remit.exe, Doc Remit.exe
  description | pid | process
  Token: SeDebugPrivilege | 1676 | Doc Remit.exe
  Token: SeDebugPrivilege | 856 | Doc Remit.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Doc Remit.exe
  pid | process
  856 | Doc Remit.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: Doc Remit.exe, Doc Remit.exe
  description | pid | process | target process
  PID 1676 wrote to memory of 1792 (4 events) | 1676 | Doc Remit.exe | schtasks.exe
  PID 1676 wrote to memory of 856 (9 events) | 1676 | Doc Remit.exe | Doc Remit.exe
  PID 856 wrote to memory of 1964 (4 events) | 856 | Doc Remit.exe | netsh.exe
- outlook_office_path (1 IoCs)
  Processes: Doc Remit.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Doc Remit.exe
- outlook_win_path (1 IoCs)
  Processes: Doc Remit.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Doc Remit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Doc Remit.exe (PID 1676, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Doc Remit.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1792, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mNqORvGmYWf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Doc Remit.exe (PID 856, depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (PID 1964, depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD2B.tmp
  Filesize: 1KB
  MD5: 9b9e4eba5c4e081a8d2bd50430e13a2e
  SHA1: 671c3e816ffd72a630a5a8ac32f520c427689487
  SHA256: 432764590c7b68da488701a6b239dfe93538ed4a83a5ae0ae7bf650514d3e642
  SHA512: 42f4cf8e6eef8daf23f3c9481254e6a1051c49ca3afb3d74ab0cd6785b0b6c5abcdfeec34d4e2ae6c854be10a7127099303e7776037165956687c09a5f69ba50
- memory/856-63-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-66-0x000000000044B0EE-mapping.dmp
- memory/856-70-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-68-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-65-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-60-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-61-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/856-64-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/1676-54-0x0000000000190000-0x0000000000212000-memory.dmp
  Filesize: 520KB
- memory/1676-55-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB
- memory/1676-56-0x0000000000340000-0x0000000000348000-memory.dmp
  Filesize: 32KB
- memory/1676-57-0x00000000023A0000-0x00000000023F8000-memory.dmp
  Filesize: 352KB
- memory/1792-58-0x0000000000000000-mapping.dmp
- memory/1964-72-0x0000000000000000-mapping.dmp