Analysis
-
max time kernel
144s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
23-11-2022 15:18
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT COPY.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
PAYMENT COPY.exe
Resource
win10v2004-20220812-en
General
-
Target
PAYMENT COPY.exe
-
Size
510KB
-
MD5
1a245500e0696bb8d89aebd5acd1bee1
-
SHA1
dda56b8b97574caa956abb1eb291c4cafda92ba3
-
SHA256
9c9334c90a2e559eed3e8fc03ab85709ab00394cc4c0f12bd481d70f30d3171b
-
SHA512
c56e71284858fde376245d8d4a990be276249ba7eade3d27d71f7a5a2cccb6464a26b67abcee4eaa39bb43356f3a4d401a6f6b882653bbbc2d968703bde093be
-
SSDEEP
12288:ojrABfUnI3ZUlSrz4B9nsCm2XEx4TzsDij:ojruUcbrE9nsCm20xb
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.orogenicgroup-bd.com
Port: 587
Username: [email protected]
Password: Hossain$3400
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET; the extracted configuration above shows this build exfiltrating over SMTP (submission port 587).
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Geo\Nation), likely a geofence check before the payload runs.
Processes: PAYMENT COPY.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | PAYMENT COPY.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp = "C:\\Users\\Admin\\AppData\\Roaming\\yGbzOMp\\yGbzOMp.exe" | RegSvcs.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: PAYMENT COPY.exe
description | pid | process | target process
PID 2608 set thread context of 2816 | 2608 | PAYMENT COPY.exe | RegSvcs.exe
Read together with the WriteProcessMemory rows below (2608 writing into 2816), this is the process-hollowing pattern: the payload is written into a freshly started RegSvcs.exe and the thread context is redirected to it, so the stealer runs under a signed Microsoft .NET binary.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; for this AgentTesla sample it is better read as drive enumeration by the stealer, since the report records no file encryption and the configured exfiltration channel is SMTP.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: PAYMENT COPY.exe, RegSvcs.exe
pid | process
2608 | PAYMENT COPY.exe
2816 | RegSvcs.exe
2816 | RegSvcs.exe
2816 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: PAYMENT COPY.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2608 | PAYMENT COPY.exe
Token: SeDebugPrivilege | 2816 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: PAYMENT COPY.exe
description | pid | process | target process
PID 2608 wrote to memory of 1344 (3 calls) | 2608 | PAYMENT COPY.exe | schtasks.exe
PID 2608 wrote to memory of 2816 (8 calls) | 2608 | PAYMENT COPY.exe | RegSvcs.exe
-
outlook_office_path 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
  PID: 2608
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOWXUQiA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp"
    PID: 1344
    - Creates scheduled task(s)
  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    PID: 2816
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Note: schtasks.exe was requested as C:\Windows\System32\schtasks.exe but resolved under SysWOW64, and RegSvcs.exe comes from Framework rather than Framework64, so the sample is a 32-bit process running under WOW64 file-system redirection on this x64 image. The task is imported from an XML file in %TEMP% (tmp47A8.tmp, listed under Downloads), so its trigger and action have to be read from that file; the command line only names the task.
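The process tree above is enough to write host-level detections for this sample's three visible behaviours: a scheduled task imported from an XML file in the user's Temp directory, an argument-less .NET utility host (RegSvcs.exe) started by an executable living in Temp, and a Run value pointing into AppData\Roaming. The Python below is an added example, not Triage output or the sample's code. Its events are constructed from the report's process tree and Run-key IoC; the RegSvcs.exe command line is assumed to be the bare image path (the report shows only "{path}"), the parent PID of the sample and the benign control process are invented, and the host list extends RegSvcs.exe with RegAsm.exe, MSBuild.exe and InstallUtil.exe, other .NET binaries that are hollowed in the same way.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # resolved image path, as an EDR/Sysmon process-creation event logs it
    cmdline: str   # command line as logged


@dataclass
class RegEvent:
    pid: int
    key: str
    value: str


# Constructed from the report's process tree (2608 -> 1344, 2816). The parent PID 1000
# and the RegSvcs.exe command line are assumptions; the report shows only "{path}".
PROC_EVENTS = [
    ProcEvent(2608, 1000, r"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"'),
    ProcEvent(1344, 2608, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOWXUQiA" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp"'),
    ProcEvent(2816, 2608, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Benign control (constructed): RegSvcs.exe used as intended, with an assembly argument.
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\dev\MyService.dll'),
]

# Constructed from the report's "Adds Run key to start application" IoC.
REG_EVENTS = [
    RegEvent(2816,
             r"HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp",
             r"C:\Users\Admin\AppData\Roaming\yGbzOMp\yGbzOMp.exe"),
]

# Per-user, world-writable-by-the-user locations that droppers and their persistence use.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# .NET utility hosts commonly hollowed by injectors; the report shows RegSvcs.exe.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping double-quoted tokens together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def detect(proc_events, reg_events):
    """Return (pid, rule, detail) findings over process-creation and registry-set events."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for e in proc_events:
        name, args = basename(e.image), split_args(e.cmdline)[1:]
        parent = by_pid.get(e.ppid)
        # 1. schtasks /Create importing a task definition from a user-writable directory.
        if name == "schtasks.exe":
            lowered = [a.lower() for a in args]
            if "/create" in lowered and "/xml" in lowered:
                i = lowered.index("/xml") + 1
                xml = args[i] if i < len(args) else ""
                if USER_WRITABLE.search(xml):
                    findings.append((e.pid, "schtasks /XML from user-writable path", xml))
        # 2. A .NET host started with no assembly argument by a parent in Temp/Roaming.
        #    RegSvcs.exe has nothing to do without an assembly, so this is the hollowing shape.
        if name in DOTNET_HOSTS and not args and parent and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, "argument-less .NET host spawned from user-writable path",
                             parent.image))
    # 3. Run value whose target lives under AppData.
    for r in reg_events:
        if "\\currentversion\\run\\" in r.key.lower() and USER_WRITABLE.search(r.value):
            findings.append((r.pid, "Run key pointing into AppData", r.value))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(PROC_EVENTS, REG_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Rule 2 keys on the absence of an assembly argument rather than on the image name alone, which is what keeps the constructed benign RegSvcs.exe invocation quiet; the SetThreadContext and WriteProcessMemory calls themselves are not visible in process-creation telemetry and need an EDR's process-access events.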
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp
Filesize: 1KB
MD5: 0d5d834df3cdf8e77c3630250fdaff81
SHA1: 2339b13f0b1a6549df99e4c25815c1ac97c957b1
SHA256: c4310fe10bb0aab6808f617e03479845a4a0f80fc13e59997a8840d66eead1da
SHA512: 7ba9f554e2c6cd5699d4e038a1e4b533312b42d39b142ff92768a1606d7af0bc9144dfe622659cddd006c2ca65af0f39d4ae5c28be804e9bfa8245b573dcdf9e
-
memory/1344-137-0x0000000000000000-mapping.dmp
-
memory/2608-132-0x0000000000AC0000-0x0000000000B46000-memory.dmp
Filesize: 536KB
-
memory/2608-133-0x0000000005B40000-0x00000000060E4000-memory.dmp
Filesize: 5.6MB
-
memory/2608-134-0x00000000054E0000-0x0000000005572000-memory.dmp
Filesize: 584KB
-
memory/2608-135-0x00000000056A0000-0x000000000573C000-memory.dmp
Filesize: 624KB
-
memory/2608-136-0x0000000005790000-0x000000000579A000-memory.dmp
Filesize: 40KB
-
memory/2816-139-0x0000000000000000-mapping.dmp
-
memory/2816-140-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB
-
memory/2816-141-0x0000000006490000-0x00000000064F6000-memory.dmp
Filesize: 408KB
-
memory/2816-142-0x00000000067E0000-0x0000000006830000-memory.dmp
Filesize: 320KB
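Which of these dumps to pull for static analysis follows from the SetThreadContext row: 2608 injected into 2816, so the region in RegSvcs.exe that starts at 0x400000 (the default image base of a 32-bit PE) is the best candidate for the unpacked stealer, and the lowest region in 2608 is the dropper's own mapped image. The Python below is an added example rather than Triage tooling; it parses the dump names listed above and makes that selection. The dump contents are not on this page, so it reasons only from the address ranges.

```python
import re

# Copied from the report's Downloads section. The two "-mapping.dmp" entries carry no
# address range and are skipped by the parser.
DUMP_LINES = [
    "memory/1344-137-0x0000000000000000-mapping.dmp",
    "memory/2608-132-0x0000000000AC0000-0x0000000000B46000-memory.dmp",
    "memory/2608-133-0x0000000005B40000-0x00000000060E4000-memory.dmp",
    "memory/2608-134-0x00000000054E0000-0x0000000005572000-memory.dmp",
    "memory/2608-135-0x00000000056A0000-0x000000000573C000-memory.dmp",
    "memory/2608-136-0x0000000005790000-0x000000000579A000-memory.dmp",
    "memory/2816-139-0x0000000000000000-mapping.dmp",
    "memory/2816-140-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/2816-141-0x0000000006490000-0x00000000064F6000-memory.dmp",
    "memory/2816-142-0x00000000067E0000-0x0000000006830000-memory.dmp",
]
INJECTOR_PID, TARGET_PID = 2608, 2816   # from the report's SetThreadContext row

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(lines):
    """Turn dump file names into records with pid, index, start, end and size in bytes."""
    dumps = []
    for line in lines:
        m = DUMP_RE.search(line)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        dumps.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                      "start": start, "end": end, "size": end - start})
    return dumps


def kib(size: int) -> str:
    """Format a byte count the way the report does (whole KB)."""
    return f"{size // 1024}KB"


def payload_candidates(dumps, target_pid=TARGET_PID, image_base=0x400000):
    """Regions in the hollowed process that start at the default 32-bit image base."""
    return [d for d in dumps if d["pid"] == target_pid and d["start"] == image_base]


def injector_image(dumps, injector_pid=INJECTOR_PID):
    """Lowest-address region of the injector, i.e. the dropper's own mapped image."""
    own = [d for d in dumps if d["pid"] == injector_pid]
    return min(own, key=lambda d: d["start"]) if own else None


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_LINES)
    for d in payload_candidates(dumps):
        print(f"payload candidate: memory/{d['pid']}-{d['idx']} at 0x{d['start']:X} ({kib(d['size'])})")
    d = injector_image(dumps)
    print(f"dropper image: memory/{d['pid']}-{d['idx']} at 0x{d['start']:X} ({kib(d['size'])})")
```

The sizes the parser computes from the address ranges agree with the report's own Filesize column (0x3C000 bytes is 240KB, 0x86000 bytes is 536KB), which is a quick sanity check that the dump names were transcribed correctly before anything is downloaded.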