Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:47
Static task
- static1

Behavioral tasks
- behavioral1: Sample NEW PO.exe, Resource win7-20220414-en
- behavioral2: Sample NEW PO.exe, Resource win10v2004-20220414-en
- behavioral3: Sample PO.xlsx, Resource win7-20220414-en
- behavioral4: Sample PO.xlsx, Resource win10v2004-20220414-en
- behavioral5: Sample Quote for 20FT Tank Containers CYPRUSx.pdf, Resource win7-20220414-en
- behavioral6: Sample Quote for 20FT Tank Containers CYPRUSx.pdf, Resource win10v2004-20220414-en
General
- Target: NEW PO.exe
- Size: 552KB
- MD5: a6da76fa51f029d56650a892efc0f353
- SHA1: 1e23cde32f44ea7e2eb4a23248a8c7d40b595e2c
- SHA256: 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702
- SHA512: a1b4d0ca8066f83453004eac7e73baf94575d4af45f2a00c1fe42bff70a8375105a685efecad2c52604ecf3b5e9300650588fdaf9cb1330e00ba00795b5832b9
Malware Config

Extracted
- Protocol: smtp
- Host: mail.cka.com.sg
- Port: 587
- Username: agnes@cka.com.sg
- Password: agnescka82

Extracted (agenttesla)
- Protocol: smtp
- Host: mail.cka.com.sg
- Port: 587
- Username: agnes@cka.com.sg
- Password: agnescka82
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1108-134-0x0000000000400000-0x000000000044A000-memory.dmp | family_agenttesla

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process NEW PO.exe:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | NEW PO.exe

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Process NEW PO.exe:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW PO.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW PO.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process NEW PO.exe:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe" | NEW PO.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Process NEW PO.exe:
  description | pid | process | target process
  PID 452 set thread context of 1108 | 452 | NEW PO.exe | NEW PO.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes NEW PO.exe, NEW PO.exe:
  pid | process
  452 | NEW PO.exe
  1108 | NEW PO.exe
  1108 | NEW PO.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes NEW PO.exe, NEW PO.exe:
  description | pid | process
  Token: SeDebugPrivilege | 452 | NEW PO.exe
  Token: SeDebugPrivilege | 1108 | NEW PO.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process NEW PO.exe:
  pid | process
  1108 | NEW PO.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Process NEW PO.exe:
  description | pid | process | target process
  PID 452 wrote to memory of 2552 | 452 | NEW PO.exe | schtasks.exe
  PID 452 wrote to memory of 2552 | 452 | NEW PO.exe | schtasks.exe
  PID 452 wrote to memory of 2552 | 452 | NEW PO.exe | schtasks.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe
  PID 452 wrote to memory of 1108 | 452 | NEW PO.exe | NEW PO.exe

- outlook_office_path (1 IoCs)
  Process NEW PO.exe:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW PO.exe

- outlook_win_path (1 IoCs)
  Process NEW PO.exe:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW PO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdQjxu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9402.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\NEW PO.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NEW PO.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
- C:\Users\Admin\AppData\Local\Temp\tmp9402.tmp
  Filesize: 1KB
  MD5: 3bc915f0953eb4f9de5e851e8c7656c0
  SHA1: 2c86d7679e8f0fe62a3995f8c15579a6322270bd
  SHA256: 494d1544a568ecd9920a73f67c5ebe70ba5ee74e72e7e0a7419a6e0b478335ae
  SHA512: 5c446ebe050ff46dfb58826f173e0b0d369de5e182265832c67e3d3c48883ca7d46792cf4e47c78489541c3cb995e0360da5713137056f444e5da1d621bbfd05
- memory/452-130-0x0000000075510000-0x0000000075AC1000-memory.dmp
  Filesize: 5.7MB
- memory/1108-133-0x0000000000000000-mapping.dmp
- memory/1108-134-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1108-136-0x0000000075510000-0x0000000075AC1000-memory.dmp
  Filesize: 5.7MB
- memory/2552-131-0x0000000000000000-mapping.dmp