Analysis
- max time kernel: 205s
- max time network: 213s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:50
Static task: static1
Behavioral task: behavioral1
- Sample: INV#NO.12KF61.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: INV#NO.12KF61.exe
- Resource: win10v2004-20220414-en
General
- Target: INV#NO.12KF61.exe
- Size: 621KB
- MD5: 9d2482666eb2b88666a0d8ef8f103b7d
- SHA1: 7c2a5b3606803049eedf92bdd184c601b22a46cb
- SHA256: 3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8
- SHA512: 13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/1776-141-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
- Executes dropped EXE (2 IoCs)
  pid 1032: taplitf.exe
  pid 1776: InstallUtil.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: INV#NO.12KF61.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpplictthjk = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\taplitf.exe"
  process: reg.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1032 set thread context of 1776
  process: 1032 taplitf.exe
  target process: InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid 988: INV#NO.12KF61.exe (24 entries)
  pid 1032: taplitf.exe (3 entries)
  pid 1776: InstallUtil.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 988 INV#NO.12KF61.exe
  Token: SeDebugPrivilege, pid 1032 taplitf.exe
  Token: SeDebugPrivilege, pid 1776 InstallUtil.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 988 wrote to memory of 4448: INV#NO.12KF61.exe -> cmd.exe (3 entries)
  PID 4448 wrote to memory of 4340: cmd.exe -> reg.exe (3 entries)
  PID 988 wrote to memory of 1032: INV#NO.12KF61.exe -> taplitf.exe (3 entries)
  PID 1032 wrote to memory of 1776: taplitf.exe -> InstallUtil.exe (8 entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\INV#NO.12KF61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV#NO.12KF61.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hpplictthjk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\taplitf.exe"
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hpplictthjk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\taplitf.exe"
      - Adds Run key to start application
  - Level 2: C:\Users\Admin\AppData\Roaming\taplitf.exe
    Command line: "C:\Users\Admin\AppData\Roaming\taplitf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
- C:\Users\Admin\AppData\Roaming\taplitf.exe
  Filesize: 621KB
  MD5: 9d2482666eb2b88666a0d8ef8f103b7d
  SHA1: 7c2a5b3606803049eedf92bdd184c601b22a46cb
  SHA256: 3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8
  SHA512: 13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a
- memory/988-133-0x0000000005A40000-0x0000000005A84000-memory.dmp
  Filesize: 272KB
- memory/988-130-0x0000000000D30000-0x0000000000DD0000-memory.dmp
  Filesize: 640KB
- memory/988-132-0x0000000005770000-0x0000000005802000-memory.dmp
  Filesize: 584KB
- memory/988-131-0x0000000005C40000-0x00000000061E4000-memory.dmp
  Filesize: 5.6MB
- memory/1032-136-0x0000000000000000-mapping.dmp
- memory/1032-139-0x0000000006950000-0x0000000006972000-memory.dmp
  Filesize: 136KB
- memory/1776-140-0x0000000000000000-mapping.dmp
- memory/1776-141-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1776-144-0x00000000054A0000-0x000000000553C000-memory.dmp
  Filesize: 624KB
- memory/1776-145-0x00000000059E0000-0x0000000005A46000-memory.dmp
  Filesize: 408KB
- memory/4340-135-0x0000000000000000-mapping.dmp
- memory/4448-134-0x0000000000000000-mapping.dmp