Analysis
- max time kernel: 144s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:47
Static task
- static1

Behavioral tasks
- behavioral1: Sample "NEW PO.exe", Resource win7-20220414-en
- behavioral2: Sample "NEW PO.exe", Resource win10v2004-20220414-en
- behavioral3: Sample "PO.xlsx", Resource win7-20220414-en
- behavioral4: Sample "PO.xlsx", Resource win10v2004-20220414-en
- behavioral5: Sample "Quote for 20FT Tank Containers CYPRUSx.pdf", Resource win7-20220414-en
- behavioral6: Sample "Quote for 20FT Tank Containers CYPRUSx.pdf", Resource win10v2004-20220414-en
General
- Target: NEW PO.exe
- Size: 552KB
- MD5: a6da76fa51f029d56650a892efc0f353
- SHA1: 1e23cde32f44ea7e2eb4a23248a8c7d40b595e2c
- SHA256: 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702
- SHA512: a1b4d0ca8066f83453004eac7e73baf94575d4af45f2a00c1fe42bff70a8375105a685efecad2c52604ecf3b5e9300650588fdaf9cb1330e00ba00795b5832b9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cka.com.sg
- Port: 587
- Username: agnes@cka.com.sg
- Password: agnescka82
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1280-61-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral1/memory/1280-62-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral1/memory/1280-63-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral1/memory/1280-64-0x00000000004455CE-mapping.dmp                     family_agenttesla
  behavioral1/memory/1280-66-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
  behavioral1/memory/1280-68-0x0000000000400000-0x000000000044A000-memory.dmp   family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: NEW PO.exe
  description   ioc                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            NEW PO.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   NEW PO.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            NEW PO.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: NEW PO.exe
  description       ioc                                                                                                                                                                            process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe"   NEW PO.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: NEW PO.exe
  description                            pid   process      target process
  PID 604 set thread context of 1280     604   NEW PO.exe   NEW PO.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: NEW PO.exe, NEW PO.exe
  pid    process
  604    NEW PO.exe
  604    NEW PO.exe
  1280   NEW PO.exe
  1280   NEW PO.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: NEW PO.exe, NEW PO.exe
  description               pid    process
  Token: SeDebugPrivilege   604    NEW PO.exe
  Token: SeDebugPrivilege   1280   NEW PO.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: NEW PO.exe
  pid    process
  1280   NEW PO.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: NEW PO.exe
  description                        pid   process      target process   entries
  PID 604 wrote to memory of 2016    604   NEW PO.exe   schtasks.exe     4
  PID 604 wrote to memory of 1748    604   NEW PO.exe   NEW PO.exe       4
  PID 604 wrote to memory of 1280    604   NEW PO.exe   NEW PO.exe       9
- outlook_office_path (1 IoCs)
  Processes: NEW PO.exe
  description   ioc                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            NEW PO.exe

- outlook_win_path (1 IoCs)
  Processes: NEW PO.exe
  description   ioc                                                                                                                                                              process
  Key opened    \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   NEW PO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdQjxu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E2C.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1E2C.tmp (Filesize 1KB)
  MD5: 3d0afed50de927d957678d68f143d8bc
  SHA1: 9bc3171f7f3a2c99a04a1c2ca0fc23a0f0b1dc8c
  SHA256: b7f5380b5a397000c1d684f22fa3511a0277bc72f64ab2eba038549d8defaeb2
  SHA512: 94fdbd37f9a488db0c0fc24f1b3de35c728cf1ddcc98d187ebba40564f1b2d45cad311cfced04c18e3aa374446906def8d579419b93c8a8fb146ff5546b2525c
- memory/604-55-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize 5.7MB)
- memory/604-54-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)
- memory/1280-61-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-58-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-59-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-62-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-63-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-64-0x00000000004455CE-mapping.dmp
- memory/1280-66-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-68-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize 296KB)
- memory/1280-70-0x0000000074070000-0x000000007461B000-memory.dmp (Filesize 5.7MB)
- memory/2016-56-0x0000000000000000-mapping.dmp