Analysis
-
max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:14
-
Static task: static1
Behavioral task: behavioral1
  Sample: ORDERlist85398pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ORDERlist85398pdf.exe
  Resource: win10v2004-20220414-en
General
-
Target: ORDERlist85398pdf.exe
Size: 522KB
MD5: 7ad886548166e2b8367171f5f9d22822
SHA1: 481bac80866886055838cb358528fe0971b1ac3d
SHA256: b7482c61434635d571649f327745f55945828178069d73bf9d1bb9298e8de89c
SHA512: bc8a37eb67bc8e9ba3c661e757980a3b1aceb204dcd72fc37fe8e309c7893d4f04b5aa695f6378a0628a3ce6f59d3faef3352ce436d343a056722b3b72657ecf
Malware Config
-
Extracted: agenttesla
Protocol: smtp
Host: secure231.servconfig.com
Port: 587
Username: info@eltaef.com
Password: eltaefSH6548883
These are the attacker-controlled mailbox credentials the stealer authenticates with to send harvested data over SMTP submission (port 587), not credentials taken from the victim; the host and account are usable as network and hunting indicators.
Signatures
-
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT). It harvests credentials from browsers, mail and FTP clients and exfiltrates them, here over SMTP using the extracted config above.
-
AgentTesla Payload 1 IoCs
Processes:
  resource: behavioral2/memory/5108-138-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_agenttesla
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  ORDERlist85398pdf.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  ORDERlist85398pdf.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ORDERlist85398pdf.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  ORDERlist85398pdf.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 3388 ORDERlist85398pdf.exe set thread context of PID 5108 ORDERlist85398pdf.exe
The parent spawns a second copy of its own image, writes into it (see WriteProcessMemory below) and resets its main thread's context: the process-hollowing (RunPE) sequence by which the .NET loader starts the unpacked AgentTesla payload in PID 5108, the process in which the family YARA rule fires.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description flags this as likely ransomware behaviour; for this sample it is consistent with an infostealer surveying drives, and this report records no file encryption or modification.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\YotmjbfFRcHWsb is imported from an XML file dropped in the user's Temp directory (see the process tree and the tmp8D22.tmp entry under Downloads).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  PID 3388 ORDERlist85398pdf.exe
  PID 5108 ORDERlist85398pdf.exe
  PID 5108 ORDERlist85398pdf.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege, PID 3388 ORDERlist85398pdf.exe
  Token: SeDebugPrivilege, PID 5108 ORDERlist85398pdf.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  PID 3388 ORDERlist85398pdf.exe wrote to memory of PID 4612 schtasks.exe (3 events)
  PID 3388 ORDERlist85398pdf.exe wrote to memory of PID 5108 ORDERlist85398pdf.exe (8 events)
  PID 5108 ORDERlist85398pdf.exe wrote to memory of PID 3424 netsh.exe (3 events)
-
outlook_office_path 1 IoCs
Processes:
  ORDERlist85398pdf.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes:
  ORDERlist85398pdf.exe: Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
-
1 C:\Users\Admin\AppData\Local\Temp\ORDERlist85398pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERlist85398pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  2 C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YotmjbfFRcHWsb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D22.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image runs from SysWOW64: the parent is a 32-bit process, so WoW64 file-system redirection resolves the path. The same applies to netsh.exe below.
  -
  2 C:\Users\Admin\AppData\Local\Temp\ORDERlist85398pdf.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    The literal command line "{path}" is as recorded. This is the child (PID 5108) that the parent hollows with WriteProcessMemory and SetThreadContext, and the process in which the AgentTesla payload region and the Outlook profile reads are observed.
    -
    3 C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      Lists the saved Wi-Fi profiles, the first step of Wi-Fi credential harvesting (a per-profile key=clear query is not recorded in this report).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp8D22.tmp (the scheduled-task XML imported by schtasks.exe)
  Filesize: 1KB
  MD5: de7bd4f69614127d605e455a36f2940e
  SHA1: 821dc8075de960d6062817e4d7af2f7b932b4e8f
  SHA256: ac336b4a38c7fc4dbc1d0704829b6f811937987e4cdf536c49cdde90fd26dee6
  SHA512: 100f0ea8a9bb6022edbde68e2d0728e258326d71998dceca3f1c9524e3bded8ebcdf2aa2738dcb2d8eacbdcf5653303431d172ba82c0d9c77aed502df6373a2c
-
memory/3388-130-0x0000000000AC0000-0x0000000000B48000-memory.dmp
  Filesize: 544KB
-
memory/3388-131-0x0000000007F30000-0x00000000084D4000-memory.dmp
  Filesize: 5.6MB
-
memory/3388-132-0x0000000007A20000-0x0000000007AB2000-memory.dmp
  Filesize: 584KB
-
memory/3388-133-0x00000000079C0000-0x00000000079CA000-memory.dmp
  Filesize: 40KB
-
memory/3388-134-0x000000000B4B0000-0x000000000B54C000-memory.dmp
  Filesize: 624KB
-
memory/3424-141-0x0000000000000000-mapping.dmp
-
memory/4612-135-0x0000000000000000-mapping.dmp
-
memory/5108-137-0x0000000000000000-mapping.dmp
-
memory/5108-138-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB (the region matched by the family_agenttesla YARA rule; it starts at 0x400000, the default 32-bit PE image base, in the hollowed child)
-
memory/5108-139-0x0000000005FC0000-0x0000000006026000-memory.dmp
  Filesize: 408KB
-
memory/5108-140-0x0000000006A10000-0x0000000006A60000-memory.dmp
  Filesize: 320KB
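The dump names above encode the owning PID and the virtual address range of each dumped region, and the sizes are derived from those ranges. As an added example, not part of the report or of the sandbox's code, the following parses that naming scheme (inferred from the names listed; the scheme itself is an assumption), recomputes each size to cross-check the listed Filesize values, and picks out the region in the hollowed child that starts at the default 32-bit PE image base, which is where the unpacked payload lands in a RunPE-style injection and where the family YARA rule hit in this report.

```python
"""Parse sandbox memory-dump names and cross-check the listed sizes (added example)."""
import re

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x0-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+)-memory|-mapping)\.dmp$", re.I)

# Copied from the Downloads section of the report: (dump name, listed Filesize or None).
REPORTED = [
    ("memory/3388-130-0x0000000000AC0000-0x0000000000B48000-memory.dmp", "544KB"),
    ("memory/3388-131-0x0000000007F30000-0x00000000084D4000-memory.dmp", "5.6MB"),
    ("memory/3388-132-0x0000000007A20000-0x0000000007AB2000-memory.dmp", "584KB"),
    ("memory/3388-133-0x00000000079C0000-0x00000000079CA000-memory.dmp", "40KB"),
    ("memory/3388-134-0x000000000B4B0000-0x000000000B54C000-memory.dmp", "624KB"),
    ("memory/3424-141-0x0000000000000000-mapping.dmp", None),
    ("memory/4612-135-0x0000000000000000-mapping.dmp", None),
    ("memory/5108-137-0x0000000000000000-mapping.dmp", None),
    ("memory/5108-138-0x0000000000400000-0x0000000000452000-memory.dmp", "328KB"),
    ("memory/5108-139-0x0000000005FC0000-0x0000000006026000-memory.dmp", "408KB"),
    ("memory/5108-140-0x0000000006A10000-0x0000000006A60000-memory.dmp", "320KB"),
]


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range (None for mapping dumps)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "size": end - start if end is not None else None, "mapping": end is None}


def format_size(nbytes):
    """Render a byte count the way the report does: whole KB, or MB with one decimal."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_reported_sizes(reported):
    """Return (name, listed, recomputed) for every dump whose listed size disagrees with its range."""
    mismatches = []
    for name, listed in reported:
        d = parse_dump(name)
        if d["size"] is not None and format_size(d["size"]) != listed:
            mismatches.append((name, listed, format_size(d["size"])))
    return mismatches


def payload_candidates(reported, hollowed_pid, image_base=0x400000):
    """Regions of the hollowed child that begin at the (default 32-bit PE) image base."""
    return [d for d in (parse_dump(n) for n, _ in reported)
            if d["pid"] == hollowed_pid and not d["mapping"] and d["start"] == image_base]


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(REPORTED))
    for d in payload_candidates(REPORTED, 5108):
        print(f"payload candidate: {d['name']} ({format_size(d['size'])})")
```

The image-base heuristic is deliberately narrow: a loader can relocate the payload elsewhere, so in practice it is a prioritisation aid for which dump to open first, with the YARA hit (or a PE header check on the dump) as the confirmation.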