Overview

overview

10

Static

static

Purchase order.exe

windows7-x64

10

Purchase order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2022 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order.exe

  • Size

    744KB

  • MD5

    24b0be710ed42b1ec10224db8db55bf6

  • SHA1

    597bce6e93351125632e9b92fb2ca35fca8bc75d

  • SHA256

    89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316

  • SHA512

    810fb68f0199f3bf35b7e8894b9a978ad4533de9a9b8c6d0e39e260688ae77c6f922a71557f0812fdb815951500d6712eb16d6cae847701c5e0aec9e91af3bd4

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zwLLFjVv.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:944
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zwLLFjVv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD97E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1096
    • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD97E.tmp
    Filesize

    1KB

    MD5

    588bdf7a404acf9d31aba60a284fc4fd

    SHA1

    92aaad6423b3c57b67a08272bc6e5fc3af4cbcdd

    SHA256

    d70923db05277982adb1cf74b40c5196c2f46e84a8f69b8159997c85026610cb

    SHA512

    0ecf17e6980902351baa60c252e2d90ba6a84703514d66674e3bc39630d55df10357f4a373da24034cfc6188fafa27cfb818a3ccf4d9803dda6531004ea14a29

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    177b21b006be77140f7a33dc626ab599

    SHA1

    84740b0f7b94134dab43a48efd1d08b2176363f1

    SHA256

    e381193f08640feb40ae435d5c2369888c16e44b10eb8f59b8b77aa44adc8d0a

    SHA512

    2ae75b3bec9e79d9482f37ba53cb57846deeb51c33d92bc6386cd2d728154863f019fac9cea2ef35e376f5968a694d0279018fbeb8f9de6746397a74718e5aae

    Download Submit
  • memory/824-82-0x000000006ECD0000-0x000000006F27B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/824-80-0x000000006ECD0000-0x000000006F27B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/824-59-0x0000000000000000-mapping.dmp
    Download
  • memory/944-81-0x000000006ECD0000-0x000000006F27B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/944-79-0x000000006ECD0000-0x000000006F27B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/944-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1148-72-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-73-0x0000000000435CCE-mapping.dmp
    Download
  • memory/1148-68-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-67-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-70-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-71-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-77-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1148-75-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1908-66-0x0000000004C00000-0x0000000004C3C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1908-54-0x0000000000C20000-0x0000000000CE0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/1908-58-0x0000000005330000-0x00000000053A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1908-57-0x00000000004D0000-0x00000000004DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1908-56-0x0000000000360000-0x000000000037E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1908-55-0x0000000076321000-0x0000000076323000-memory.dmp
    Filesize

    8KB

    Download