Analysis
max time kernel: 98s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ #10072020.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ #10072020.exe
  Resource: win10v2004-20220414-en
General
Target: RFQ #10072020.exe
Size: 574KB
MD5: faf8fa16db367aee00c9529e044207eb
SHA1: 1ddd4c28cee94eb71245e9b7958653beb6558a93
SHA256: 5c2ad1b9bc4c16fce888a0cf989f0c6885de81d0753d8863c7cf1de604c4c8e6
SHA512: eef35a9e647182f7adb7d93ef5c3d67fc4702bfa630614d6ed026f0465f8db68ff51bc6d6e607b52bfd3459c3bda7b9e2b54c43dd60ed95b803868c2ebb9fbd9
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.mdist.us
Port: 587
Username: receiving@mdist.us
Password: Receiving#4321
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload 1 IoCs
Processes:
  resource: behavioral2/memory/2512-137-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla

Drops file in Drivers directory 1 IoCs
Processes:
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  process: RFQ #10072020.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe

  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe

  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"
  process: RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 4544 set thread context of 2512
  pid: 4544
  process: RFQ #10072020.exe
  target process: RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry key 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid: 4544  process: RFQ #10072020.exe
  pid: 2512  process: RegSvcs.exe
  pid: 2512  process: RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid: 4544  process: RFQ #10072020.exe
  description: Token: SeDebugPrivilege  pid: 2512  process: RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description: PID 4544 wrote to memory of 3432
  pid: 4544  process: RFQ #10072020.exe  target process: schtasks.exe
  (3 entries)

  description: PID 4544 wrote to memory of 2512
  pid: 4544  process: RFQ #10072020.exe  target process: RegSvcs.exe
  (8 entries)

  description: PID 2512 wrote to memory of 3620
  pid: 2512  process: RegSvcs.exe  target process: REG.exe
  (3 entries)

outlook_office_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe

outlook_win_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\RFQ #10072020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ #10072020.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCRnNgb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D47.tmp"
    - Creates scheduled task(s)

  (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    (depth 3) C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      - Modifies registry key

(depth 1) C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp3D47.tmp
  Filesize: 1KB
  MD5: c172f434dd51c06c4e261c953afdf929
  SHA1: 7199e8c2d2ac35081e63acfcc4beaffd7acdadea
  SHA256: bdea765dafd8dbffd04d89b5611f595aa24dde2cdb35fb799e260580242370ca
  SHA512: 9975d21d8504bb78d770a031321f2ad98cfd189745147799f673b592e63445a4e21dc02603093b257b1af07d4171d57f5ecc808828796d293ea032aa00b1a160

memory/2512-136-0x0000000000000000-mapping.dmp

memory/2512-137-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB

memory/2512-138-0x00000000066C0000-0x0000000006726000-memory.dmp
  Filesize: 408KB

memory/2512-139-0x0000000006DD0000-0x0000000006E20000-memory.dmp
  Filesize: 320KB

memory/2512-141-0x0000000006ED0000-0x0000000006EDA000-memory.dmp
  Filesize: 40KB

memory/3432-134-0x0000000000000000-mapping.dmp

memory/3620-140-0x0000000000000000-mapping.dmp

memory/4544-130-0x00000000005A0000-0x0000000000636000-memory.dmp
  Filesize: 600KB

memory/4544-131-0x0000000007A70000-0x0000000008014000-memory.dmp
  Filesize: 5.6MB

memory/4544-132-0x0000000007560000-0x00000000075F2000-memory.dmp
  Filesize: 584KB

memory/4544-133-0x0000000008550000-0x00000000085EC000-memory.dmp
  Filesize: 624KB