General

Target: documents.exe
Filesize: 787KB
Completed: 21-05-2022 15:02
Task: behavioral2
Score: 10/10
MD5: c2a0577aead47c20d54918758c471247
SHA1: ffc6087cc7e098e74bd5efb3f6971342d5c1f12b
SHA256: 0918c0111b97f8a25e9717e9b74a96c85e9f3801e2922bb050e8024edf9adff0
SHA512: 1024c14e1fe279887e80b2f4d4b4423ef943bf6355f762b3a24cd6964e2350e77a2e0c43c0478a37fe46a8253f5866e4793dfd7225066e716e6165d623b4c84a

Malware Config

Extracted

Credentials
  Protocol: smtp
  Host: mail.subnet-group.com
  Port: 587
  Username: edna@subnet-group.com
  Password: cr0cksh1t

Extracted

Family: agenttesla

Credentials
  Protocol: smtp
  Host: mail.subnet-group.com
  Port: 587
  Username: edna@subnet-group.com
  Password: cr0cksh1t
  Email To: eh746746@gmail.com

Signatures (14)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • suricata: ET MALWARE AgentTesla Exfil Via SMTP

  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    Description | IOC | Process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
  • Checks computer location settings
    documents.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | documents.exe
  • Accesses Microsoft Outlook profiles
    RegSvcs.exe

    TTPs

    Email Collection

    Reported IOCs

    Description | IOC | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  • Adds Run key to start application
    RegSvcs.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    Description | IOC | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tnpak = "C:\\Users\\Admin\\AppData\\Roaming\\Tnpak\\Tnpak.exe" | RegSvcs.exe
  • Suspicious use of SetThreadContext
    documents.exe

    Reported IOCs

    Description | PID | Process | Target process
    PID 3704 set thread context of 5052 | 3704 | documents.exe | RegSvcs.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    PID | Process
    3568 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    documents.exe, powershell.exe, RegSvcs.exe

    Reported IOCs

    PID | Process
    3704 | documents.exe
    3704 | documents.exe
    3204 | powershell.exe
    5052 | RegSvcs.exe
    5052 | RegSvcs.exe
    3204 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    documents.exe, powershell.exe, RegSvcs.exe

    Reported IOCs

    Description | PID | Process
    Token: SeDebugPrivilege | 3704 | documents.exe
    Token: SeDebugPrivilege | 3204 | powershell.exe
    Token: SeDebugPrivilege | 5052 | RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    documents.exe

    Reported IOCs

    Description | PID | Process | Target process
    PID 3704 wrote to memory of 3204 | 3704 | documents.exe | powershell.exe
    PID 3704 wrote to memory of 3204 | 3704 | documents.exe | powershell.exe
    PID 3704 wrote to memory of 3204 | 3704 | documents.exe | powershell.exe
    PID 3704 wrote to memory of 3568 | 3704 | documents.exe | schtasks.exe
    PID 3704 wrote to memory of 3568 | 3704 | documents.exe | schtasks.exe
    PID 3704 wrote to memory of 3568 | 3704 | documents.exe | schtasks.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
    PID 3704 wrote to memory of 5052 | 3704 | documents.exe | RegSvcs.exe
  • outlook_office_path
    RegSvcs.exe

    Reported IOCs

    Description | IOC | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  • outlook_win_path
    RegSvcs.exe

    Reported IOCs

    Description | IOC | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\documents.exe
    "C:\Users\Admin\AppData\Local\Temp\documents.exe"
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BJmpFHZrxap.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3204
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BJmpFHZrxap" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDB.tmp"
      Creates scheduled task(s)
      PID:3568
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:5052
Network

MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpDDB.tmp
    MD5: 10c946a0a5d67c18931e274f942f3c29
    SHA1: 5791ff96438e2ac58d6f0e6069e645661cf5a9d5
    SHA256: 9ac9786e61058a774d7323ca160dcf91beb04b0a6ff67e6f494a191919a37eda
    SHA512: 9b68c48208de5bb0a66c8e3949ff122995a35d03739dc1257bc508c5c62eb616168c8e54c0139ecb39319a2a22310fa3a8f49670cbe8ab488fa278d62262da21