Analysis
- max time kernel: 184s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20220414-en
General
- Target: SOA.exe
- Size: 394KB
- MD5: fa27473a151b9bd5302c23bfab809b7f
- SHA1: 65ed59245eb03563745b3508afb7b142221bacac
- SHA256: 1b69bce4e5b7966a2bdc844ac33899746692b7fef019019c08986f295eb7d001
- SHA512: 8845edd5fd6a82f05bce1df6c76d69a6b7ae127932cde8849e720d48b4f7e4fc1cf9abaac729f10cb7f2821ab5ba491a7ae8f0f28a18625751e26dcb9fba880c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.actionassist.co.uk
- Port: 587
- Username: sales@actionassist.co.uk
- Password: benjamin76
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource -> yara_rule):
    behavioral1/memory/300-64-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
    behavioral1/memory/300-63-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
    behavioral1/memory/300-65-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
    behavioral1/memory/300-66-0x0000000000447F0E-mapping.dmp -> family_agenttesla
    behavioral1/memory/300-68-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
    behavioral1/memory/300-70-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SOA.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SOA.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SOA.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SOA.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SOA.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SOA.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | SOA.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1672 set thread context of 300 | 1672 | SOA.exe | SOA.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid | process):
    1672 | SOA.exe (9 entries)
    300 | SOA.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1672 | SOA.exe
    Token: SeDebugPrivilege | 300 | SOA.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    300 | SOA.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | pid | process | target process):
    PID 1672 wrote to memory of 1996 | 1672 | SOA.exe | schtasks.exe (4 entries)
    PID 1672 wrote to memory of 592 | 1672 | SOA.exe | SOA.exe (4 entries)
    PID 1672 wrote to memory of 520 | 1672 | SOA.exe | SOA.exe (4 entries)
    PID 1672 wrote to memory of 1456 | 1672 | SOA.exe | SOA.exe (4 entries)
    PID 1672 wrote to memory of 588 | 1672 | SOA.exe | SOA.exe (4 entries)
    PID 1672 wrote to memory of 300 | 1672 | SOA.exe | SOA.exe (9 entries)
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SOA.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | SOA.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  Depth: 1
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\spolFYTfOzDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6365.tmp"
    Depth: 2
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    Command line: "{path}"
    Depth: 2
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6365.tmp
  Filesize: 1KB
  MD5: ffe52ea562751a78fb32024c449f2771
  SHA1: 556865a6fe6f0b2929dcfda8e5f7c6e0f1624f1f
  SHA256: e3e16ee2ea59d52d885fade18f1f5cf7265fe368a123d3b53d92dcbde1c3de7e
  SHA512: 51e167099ef3240a6b0d53b9fbbe04913f996558c7baecd995d1635e12e754e2b487484cdd77e5ad819aab44e1b26e7bb393092fce1cd14d413d870dac0e0942
- memory/300-63-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-60-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-64-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-65-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-66-0x0000000000447F0E-mapping.dmp
- memory/300-68-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/300-70-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1672-56-0x0000000000390000-0x0000000000398000-memory.dmp
  Filesize: 32KB
- memory/1672-57-0x0000000000550000-0x00000000005A4000-memory.dmp
  Filesize: 336KB
- memory/1672-55-0x0000000075371000-0x0000000075373000-memory.dmp
  Filesize: 8KB
- memory/1672-54-0x00000000008C0000-0x0000000000928000-memory.dmp
  Filesize: 416KB
- memory/1996-58-0x0000000000000000-mapping.dmp