Analysis
max time kernel: 91s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:12
Static task: static1

Behavioral task: behavioral1
  Sample: Payment notification.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Payment notification.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
Target: Payment notification.exe
Size: 429KB
MD5: add3085642ac7fc63b5fba524f790a5b
SHA1: 21d4392b1c94fa1e1e8eb292e6216f9dd4dd16d9
SHA256: 73c5071a6dc5f6d66b800d56b97e6f451d2738aebb2efcacaaab86319392dddb
SHA512: 8e2dcaf9e4c37ead0412ee3df12ee05b8d1a0ec5a9a661bf0f450eed580803b9823508b5dbaca59148b91a1c6d8699b7f00f59e73fe064721bccef2d4f66a597
Malware Config

Extracted
  Credentials
    Protocol: smtp
    Host: zstcznz.org
    Port: 587
    Username: makonyo@zstcznz.org
    Password: makonyo@2017

Extracted
  Family: agenttesla
  Credentials
    Protocol: smtp
    Host: zstcznz.org
    Port: 587
    Username: makonyo@zstcznz.org
    Password: makonyo@2017
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload  (1 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/2576-133-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Accesses Microsoft Outlook profiles  (1 TTPs, 3 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Suspicious use of SetThreadContext  (1 IoCs)
Processes: Payment notification.exe
  description | pid | process | target process
  PID 4488 set thread context of 2576 | 4488 | Payment notification.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
Processes: Payment notification.exe, RegSvcs.exe
  pid | process
  4488 | Payment notification.exe
  4488 | Payment notification.exe
  2576 | RegSvcs.exe
  2576 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
Processes: Payment notification.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 4488 | Payment notification.exe
  Token: SeDebugPrivilege | 2576 | RegSvcs.exe

Suspicious use of WriteProcessMemory  (14 IoCs)
Processes: Payment notification.exe, RegSvcs.exe
  description | pid | process | target process
  PID 4488 wrote to memory of 3700 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 3700 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 3700 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 4488 wrote to memory of 2576 | 4488 | Payment notification.exe | RegSvcs.exe
  PID 2576 wrote to memory of 3952 | 2576 | RegSvcs.exe | netsh.exe
  PID 2576 wrote to memory of 3952 | 2576 | RegSvcs.exe | netsh.exe
  PID 2576 wrote to memory of 3952 | 2576 | RegSvcs.exe | netsh.exe

outlook_office_path  (1 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path  (1 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Payment notification.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/2576-132-0x0000000000000000-mapping.dmp
memory/2576-133-0x0000000000400000-0x0000000000452000-memory.dmp  (Filesize: 328KB)
memory/2576-134-0x0000000074780000-0x0000000074D31000-memory.dmp  (Filesize: 5.7MB)
memory/3700-131-0x0000000000000000-mapping.dmp
memory/3952-135-0x0000000000000000-mapping.dmp
memory/4488-130-0x0000000074780000-0x0000000074D31000-memory.dmp  (Filesize: 5.7MB)