Analysis
- max time kernel: 90s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2022 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENTTRF889020022.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: PAYMENTTRF889020022.exe
- Resource: win10v2004-20220901-en
General
- Target: PAYMENTTRF889020022.exe
- Size: 355KB
- MD5: 1d00728cbb02b69a8cad3f032be410c8
- SHA1: a803d959e77cdbec645288fe922d12e6888a209a
- SHA256: c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff
- SHA512: 8858475d2f17f2f6786cbcd33f64bcb1515c931fd095d7d1828b1765dca3d47e454ef961c3ce4e41c9087494530694ede7475c8f31d4d549a9b2d913cc5d7257
- SSDEEP: 6144:HNeZmLE2rXehVTdEMLjtEkzKJg5/mnc52iOu0anAU5hvrBAVGFryDgvMar819nYk:HNl9KhVTtLjmkzufc5D0aBvrXVkgzr85
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.collinssaludnatural.com
- Port: 21
- Username: cargo@collinssaludnatural.com
- Password: 1Hhzqx^s+8Oe
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.collinssaludnatural.com/
- Port: 21
- Username: cargo@collinssaludnatural.com
- Password: 1Hhzqx^s+8Oe
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes: bglfezp.exe, cargo bin stub.exe
  PID 1344  bglfezp.exe
  PID 3856  cargo bin stub.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: bglfezp.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (bglfezp.exe)
- Loads dropped DLL (1 IoC)
  Processes: bglfezp.exe
  PID 1368  bglfezp.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: cargo bin stub.exe
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (cargo bin stub.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (cargo bin stub.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (cargo bin stub.exe)
- Checks whether UAC is enabled (1 IoC)
  Processes: bglfezp.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bglfezp.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: bglfezp.exe
  PID 1344 set thread context of 1368: bglfezp.exe -> bglfezp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  PID 1556 WerFault.exe, target PID 1344 bglfezp.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: bglfezp.exe, cargo bin stub.exe
  PID 1368  bglfezp.exe (6 events)
  PID 3856  cargo bin stub.exe (2 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: bglfezp.exe
  PID 1368  bglfezp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: bglfezp.exe, cargo bin stub.exe
  Token: SeDebugPrivilege  PID 1368  bglfezp.exe
  Token: SeDebugPrivilege  PID 3856  cargo bin stub.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: PAYMENTTRF889020022.exe, bglfezp.exe, bglfezp.exe
  PID 4396 wrote to memory of 1344: PAYMENTTRF889020022.exe -> bglfezp.exe (3 events)
  PID 1344 wrote to memory of 1368: bglfezp.exe -> bglfezp.exe (4 events)
  PID 1368 wrote to memory of 3856: bglfezp.exe -> cargo bin stub.exe (3 events)
- outlook_office_path (1 IoC)
  Processes: cargo bin stub.exe
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (cargo bin stub.exe)
- outlook_win_path (1 IoC)
  Processes: cargo bin stub.exe
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (cargo bin stub.exe)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
      - Checks computer location settings
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\cargo bin stub.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cargo bin stub.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 540
      - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1344 -ip 1344
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
  Filesize: 125KB
  MD5: 8dca1faf45a7de90e2a67b3c724d9c14
  SHA1: a48123b3a5e70f484566e55d92f2772e34393b92
  SHA256: 0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8
  SHA512: b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b
- C:\Users\Admin\AppData\Local\Temp\cargo bin stub.exe
  Filesize: 208KB
  MD5: 8c84f344dc0e2d2d9280b5530fea429f
  SHA1: 0827eee176132340f3b537b90317938390f1e40e
  SHA256: e041425918d874f81b89564074230c8dbb66d66a40e2f5cef1df119cfde1db5a
  SHA512: 574018df4b43d00173d4088d8707627f738c2205b0da21f63f7a51705f9983eda66dcc4272b388f7545bc7222411a3a65b21acd595071a80f116b2384a5761f2
- C:\Users\Admin\AppData\Local\Temp\lrlhc.kev
  Filesize: 280KB
  MD5: 4fa4f199d63df6ed8ab5185bd28acef5
  SHA1: 8021bc2518851cd10202c3923a6de177c830d09f
  SHA256: 03062221476d82fd59234117006236c4d88bc247c5b38894393c28caba795399
  SHA512: 84d2a9021282d702cc951819c886c6dd8db4cad2ae8b5a3b609c64af6a1e2b5c3643c68e3bcad7a49db8a364e83626ea5867614e81c45e37fcc3be511e06f30a
- C:\Users\Admin\AppData\Local\Temp\soocvvyw.hsf
  Filesize: 4KB
  MD5: 1a8c85947e15b903b353a69704452e22
  SHA1: 93941b1e770b673698b1ae338156d16257d94db4
  SHA256: 06f20357f36314fb82d550011bdbbdef7e9ce4ceac791c133e537cafe3b62c83
  SHA512: b9ae1d779e8e2ff999073477765df2bf665219e670d250727c6177de039ff7cef800f9590084dd5d1d1bc02cad3895ea9e9f2b6068229a755ef8609e3e022318
- memory/1344-132-0x0000000000000000-mapping.dmp
- memory/1368-140-0x00000000058D0000-0x0000000005962000-memory.dmp
  Filesize: 584KB
- memory/1368-141-0x0000000005A10000-0x0000000005AAC000-memory.dmp
  Filesize: 624KB
- memory/1368-142-0x00000000059A0000-0x00000000059AA000-memory.dmp
  Filesize: 40KB
- memory/1368-143-0x0000000007200000-0x0000000007266000-memory.dmp
  Filesize: 408KB
- memory/1368-139-0x0000000005E80000-0x0000000006424000-memory.dmp
  Filesize: 5.6MB
- memory/1368-137-0x0000000000000000-mapping.dmp
- memory/3856-144-0x0000000000000000-mapping.dmp
- memory/3856-147-0x0000000000430000-0x000000000046A000-memory.dmp
  Filesize: 232KB
- memory/3856-148-0x0000000005F60000-0x0000000005FB0000-memory.dmp
  Filesize: 320KB