Analysis
- Max time kernel: 134s
- Max time network: 45s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: DOC.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DOC.exe
- Resource: win10v2004-20220414-en
General
- Target: DOC.exe
- Size: 421KB
- MD5: 1a686ae23aa093aaa8df66976f9c5a80
- SHA1: f4d09430ff28c32189a81ffb97dfcb5501ab5cbb
- SHA256: 09d29a5604548a4d0fafd678d658d78ca9cd38121159b4abc55fed249bc08c06
- SHA512: e1ce657e3988ab09e27518749c303652f0307499421bd6b09b6bc4a0fd9c5b1ce19baebbaa7bf43259cc48ee6a52b5d4baaa72b20e130e85b68bde81933d23d3
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mytecheng.com
- Port: 587
- Username: services@mytecheng.com
- Password: Pakistan@321
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2032-65-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
  - behavioral1/memory/2032-63-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
  - behavioral1/memory/2032-67-0x000000000044734E-mapping.dmp: family_agenttesla
  - behavioral1/memory/2032-66-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
  - behavioral1/memory/2032-69-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
  - behavioral1/memory/2032-71-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
- Drops file in Drivers directory (1 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (DOC.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOC.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOC.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOC.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" (DOC.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 288 set thread context of 2032 (288 DOC.exe -> DOC.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 288 DOC.exe
  - 288 DOC.exe
  - 2032 DOC.exe
  - 2032 DOC.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege (288 DOC.exe)
  - Token: SeDebugPrivilege (2032 DOC.exe)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process):
  - PID 288 wrote to memory of 1704 (288 DOC.exe -> schtasks.exe), 4 entries
  - PID 288 wrote to memory of 1188 (288 DOC.exe -> DOC.exe), 4 entries
  - PID 288 wrote to memory of 2032 (288 DOC.exe -> DOC.exe), 9 entries
  - PID 2032 wrote to memory of 2040 (2032 DOC.exe -> REG.exe), 4 entries
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOC.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (DOC.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\DOC.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKJVfcE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E4B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\DOC.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\DOC.exe (level 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe (level 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1E4B.tmp
  Filesize: 1KB
  MD5: 4b56ee96b191812649e3bb62b2a6b29e
  SHA1: bf05224d893ebfb9d09e5607845f7a30c7ed75d8
  SHA256: 0fa30b0da8f6ad08d9c34be5a1ed5db98e962fe3f4ed53431ed09bd4b965359f
  SHA512: dd0190466a102af394950c60498aaaccd0e297d560ed5fb8d0415031e6f9dc45759703514abd2464a38f011ed01715f5fd937d895ad9228bad4318b3582aea8f
- memory/288-54-0x0000000000CF0000-0x0000000000D60000-memory.dmp
  Filesize: 448KB
- memory/288-55-0x00000000755A1000-0x00000000755A3000-memory.dmp
  Filesize: 8KB
- memory/288-56-0x00000000004B0000-0x00000000004B8000-memory.dmp
  Filesize: 32KB
- memory/288-57-0x0000000000C40000-0x0000000000C98000-memory.dmp
  Filesize: 352KB
- memory/1704-58-0x0000000000000000-mapping.dmp
- memory/2032-60-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-61-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-65-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-63-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-67-0x000000000044734E-mapping.dmp
- memory/2032-66-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-69-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2032-71-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2040-73-0x0000000000000000-mapping.dmp