Analysis
- max time kernel: 133s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: DHL_express_package.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DHL_express_package.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: Documents.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: Documents.exe
- Resource: win10v2004-20220414-en
General
- Target: Documents.exe
- Size: 568KB
- MD5: 4c4ff89eb2f8ee2fa067a1d017497021
- SHA1: 8d8c62a01d0c3fc189040472ec42aa5171c1c1e4
- SHA256: 726e05271ef6a6781ecd7bd9b130e4621734c991160d820f0fdd61186f5fbd55
- SHA512: 1d2b6dcace4cba63a4cfab4c197286f132ca05b53b2c39c3b3ee60349514b4a2fac61b6e3cbaa61d784b6c7a6d8edb9e48338320c6c3ee8c75a7b225d67a0d2b
Malware Config
- Extracted: agenttesla
  - Protocol: smtp
  - Host: smtp.mosaiclayouts.com
  - Port: 587
  - Username: sales@mosaiclayouts.com
  - Password: UY$W4+]^+9;)7CF5
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource | yara_rule):
  - behavioral3/memory/1772-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral3/memory/1772-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral3/memory/1772-67-0x000000000044797E-mapping.dmp | family_agenttesla
  - behavioral3/memory/1772-66-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral3/memory/1772-69-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral3/memory/1772-71-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- ReZer0 packer (1 IoCs)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes (resource | yara_rule):
  - behavioral3/memory/888-58-0x00000000061B0000-0x0000000006204000-memory.dmp | rezer0
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: Documents.exe (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Documents.exe (description | pid | process | target process):
  - PID 888 set thread context of 1772 | 888 | Documents.exe | Documents.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Documents.exe, Documents.exe (pid | process):
  - 888 | Documents.exe
  - 888 | Documents.exe
  - 1772 | Documents.exe
  - 1772 | Documents.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Documents.exe, Documents.exe (description | pid | process):
  - Token: SeDebugPrivilege | 888 | Documents.exe
  - Token: SeDebugPrivilege | 1772 | Documents.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Documents.exe (pid | process):
  - 1772 | Documents.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: Documents.exe (description | pid | process | target process):
  - PID 888 wrote to memory of 1064 | 888 | Documents.exe | schtasks.exe (4 entries)
  - PID 888 wrote to memory of 1772 | 888 | Documents.exe | Documents.exe (9 entries)
- outlook_office_path (1 IoCs)
  Processes: Documents.exe (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents.exe
- outlook_win_path (1 IoCs)
  Processes: Documents.exe (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Documents.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, child of Documents.exe)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tRiFxUPIY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE293.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Documents.exe (depth 2, child of Documents.exe)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE293.tmp
  Filesize: 1KB
  MD5: ed4bf834843d140bc2891a04fed0c4f2
  SHA1: 9dd5c7c8ed9cbdeda1df723e839a8fa4c16b307d
  SHA256: 5fd12d50831b31ecb5fe3c472ef1db4fb74e3070760ea989c27459ac9d3d4576
  SHA512: 616315270e6cdf948fa328a454eff581209b808d324da61c98ac7cec693657f65f4a82ebb70a239d081a895deec1bacac9cc214a40c98fca962acf68d8c01f83
- memory/888-57-0x00000000004D0000-0x00000000004D8000-memory.dmp
  Filesize: 32KB
- memory/888-56-0x00000000755C1000-0x00000000755C3000-memory.dmp
  Filesize: 8KB
- memory/888-54-0x0000000001080000-0x0000000001114000-memory.dmp
  Filesize: 592KB
- memory/888-58-0x00000000061B0000-0x0000000006204000-memory.dmp
  Filesize: 336KB
- memory/888-55-0x00000000009E0000-0x0000000000A38000-memory.dmp
  Filesize: 352KB
- memory/1064-59-0x0000000000000000-mapping.dmp
- memory/1772-62-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-64-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-65-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-67-0x000000000044797E-mapping.dmp
- memory/1772-66-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-69-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1772-71-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB