Analysis
-
max time kernel
113s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:52
Static task
static1
Behavioral task
behavioral1
Sample
PO 28602....A6hBbL7xL4Jle4w.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO 28602....A6hBbL7xL4Jle4w.exe
Resource
win10v2004-20220414-en
General
-
Target
PO 28602....A6hBbL7xL4Jle4w.exe
-
Size
444KB
-
MD5
82c88bfa469dbc588304b5f8787fef8f
-
SHA1
d1bd337791addb1151c5369b5d2922d2e30524ea
-
SHA256
5eabdc9b1c948d59d99a9a19e6007c36b3fc7bb21dbcb654e73f64a20d6a6aec
-
SHA512
7e415174d2ffe8f5925778ab59212cd52746a673dbba2d53b7538615bb103aa11ec17acbb8ce6a4c910d8d46e194f75a98c43f50095290995fc1c684dd97e53e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
logs2020@gtbenk-plc.com - Password:
mkoify147@@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Processes:
resource yara_rule behavioral1/memory/1532-56-0x00000000004F0000-0x00000000004F8000-memory.dmp coreentity -
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1720-63-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1720-64-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1720-65-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1720-66-0x000000000044C7FE-mapping.dmp family_agenttesla behavioral1/memory/1720-68-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1720-70-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
Processes:
resource yara_rule behavioral1/memory/1532-54-0x0000000000360000-0x00000000003D6000-memory.dmp coreccc -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/1532-57-0x0000000004480000-0x00000000044D8000-memory.dmp rezer0 -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO 28602....A6hBbL7xL4Jle4w.exedescription pid process target process PID 1532 set thread context of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
PO 28602....A6hBbL7xL4Jle4w.exeRegSvcs.exepid process 1532 PO 28602....A6hBbL7xL4Jle4w.exe 1532 PO 28602....A6hBbL7xL4Jle4w.exe 1532 PO 28602....A6hBbL7xL4Jle4w.exe 1532 PO 28602....A6hBbL7xL4Jle4w.exe 1532 PO 28602....A6hBbL7xL4Jle4w.exe 1720 RegSvcs.exe 1720 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PO 28602....A6hBbL7xL4Jle4w.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 1532 PO 28602....A6hBbL7xL4Jle4w.exe Token: SeDebugPrivilege 1720 RegSvcs.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
PO 28602....A6hBbL7xL4Jle4w.exeRegSvcs.exedescription pid process target process PID 1532 wrote to memory of 988 1532 PO 28602....A6hBbL7xL4Jle4w.exe schtasks.exe PID 1532 wrote to memory of 988 1532 PO 28602....A6hBbL7xL4Jle4w.exe schtasks.exe PID 1532 wrote to memory of 988 1532 PO 28602....A6hBbL7xL4Jle4w.exe schtasks.exe PID 1532 wrote to memory of 988 1532 PO 28602....A6hBbL7xL4Jle4w.exe schtasks.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1756 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1732 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1532 wrote to memory of 1720 1532 PO 28602....A6hBbL7xL4Jle4w.exe RegSvcs.exe PID 1720 wrote to memory of 1196 1720 RegSvcs.exe netsh.exe PID 1720 wrote to memory of 1196 1720 RegSvcs.exe netsh.exe PID 1720 wrote to memory of 1196 1720 RegSvcs.exe netsh.exe PID 1720 wrote to memory of 1196 1720 RegSvcs.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO 28602....A6hBbL7xL4Jle4w.exe"C:\Users\Admin\AppData\Local\Temp\PO 28602....A6hBbL7xL4Jle4w.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rluahzGlVOkvwh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7753.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7753.tmpFilesize
1KB
MD50d3b8cdce3fe1923781f6f7908fc4da1
SHA1e87709405e67195dc691976251c99c23185238dc
SHA2568fa2556f482cf77ee54d61e698e2b1b8bbe60875bc32e0d500c8ea78b4682a25
SHA51274ecabd578c858c971a5196eba046b7436f7c6d9bba236676a5d0f4880dff3c76b5bd6f218b0b6db6f9e64597afbf5b170281aed1d9107bd152370d9317846b8
-
memory/988-58-0x0000000000000000-mapping.dmp
-
memory/1196-72-0x0000000000000000-mapping.dmp
-
memory/1532-55-0x0000000076241000-0x0000000076243000-memory.dmpFilesize
8KB
-
memory/1532-56-0x00000000004F0000-0x00000000004F8000-memory.dmpFilesize
32KB
-
memory/1532-57-0x0000000004480000-0x00000000044D8000-memory.dmpFilesize
352KB
-
memory/1532-54-0x0000000000360000-0x00000000003D6000-memory.dmpFilesize
472KB
-
memory/1720-60-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-63-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-64-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-65-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-66-0x000000000044C7FE-mapping.dmp
-
memory/1720-68-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-70-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1720-61-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB