Analysis
- max time kernel: 202s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: Copia dell'ordine di pagamento.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Copia dell'ordine di pagamento.exe
  Resource: win10v2004-20220812-en
General
- Target: Copia dell'ordine di pagamento.exe
- Size: 300.1MB
- MD5: af75b6039c209b6c31915ca4957adcd8
- SHA1: af396a57bd962bbc927143f924d279962eaa9d5c
- SHA256: ecc0953d70c3f7f7fce5ef31dd734452a3ba52d63ec4020646c8a999e10d6003
- SHA512: b303c246e15c2e705bbf19f3290f073a199249085321bbdc706ab54fa274c43882d8a0379a781c97050bbed12bb51478b6b4cbc9e18d29496303b2bec92896e0
- SSDEEP: 384:z7MRYI5eLyY9kgbZQAgDNGprbptYcFmVc03Kv:zzI5aT9kgOAgoFtYcFmVc6Kv
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Copia dell'ordine di pagamento.exe
  PID 2008 set thread context of 1740 (process: Copia dell'ordine di pagamento.exe, target process: InstallUtil.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, powershell.exe, InstallUtil.exe
  PID 1492 powershell.exe
  PID 920 powershell.exe
  PID 1740 InstallUtil.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, Copia dell'ordine di pagamento.exe, powershell.exe, InstallUtil.exe
  Token: SeDebugPrivilege, PID 1492 powershell.exe
  Token: SeDebugPrivilege, PID 2008 Copia dell'ordine di pagamento.exe
  Token: SeDebugPrivilege, PID 920 powershell.exe
  Token: SeDebugPrivilege, PID 1740 InstallUtil.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Copia dell'ordine di pagamento.exe
  PID 2008 wrote to memory of 1492 (process: Copia dell'ordine di pagamento.exe, target process: powershell.exe), 4 entries
  PID 2008 wrote to memory of 920 (process: Copia dell'ordine di pagamento.exe, target process: powershell.exe), 4 entries
  PID 2008 wrote to memory of 1740 (process: Copia dell'ordine di pagamento.exe, target process: InstallUtil.exe), 12 entries
- outlook_office_path (1 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- outlook_win_path (1 IoCs)
  Processes: InstallUtil.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Copia dell'ordine di pagamento.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Copia dell'ordine di pagamento.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Get-Date
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANwAwAA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 3a0583dbcb2bdcb5060f5841b828f502
  SHA1: 6bd3c3c0246410ce458e200fc68855666b53f6c8
  SHA256: 18950abaa6265c111141e39665b7c1305c335e9870242415c5f9696b68b1c75e
  SHA512: 10c44de3d77912b4bd0d4c445ad15aaa90b41f5ea9b276d579a6c60c179d6f8c88e0a932ee9e32a529ac88f4980855bf8a0339d14fce90e0c3e2e4a390c25790
- memory/920-61-0x0000000000000000-mapping.dmp
- memory/920-66-0x000000006E4F0000-0x000000006EA9B000-memory.dmp (Filesize: 5.7MB)
- memory/920-65-0x000000006E4F0000-0x000000006EA9B000-memory.dmp (Filesize: 5.7MB)
- memory/920-64-0x000000006E4F0000-0x000000006EA9B000-memory.dmp (Filesize: 5.7MB)
- memory/1492-59-0x000000006F2F0000-0x000000006F89B000-memory.dmp (Filesize: 5.7MB)
- memory/1492-56-0x0000000075811000-0x0000000075813000-memory.dmp (Filesize: 8KB)
- memory/1492-55-0x0000000000000000-mapping.dmp
- memory/1492-58-0x000000006F2F0000-0x000000006F89B000-memory.dmp (Filesize: 5.7MB)
- memory/1740-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-67-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-71-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-72-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-73-0x0000000000437C0E-mapping.dmp
- memory/1740-75-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1740-77-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2008-54-0x0000000001330000-0x0000000001348000-memory.dmp (Filesize: 96KB)
- memory/2008-60-0x0000000007240000-0x0000000007472000-memory.dmp (Filesize: 2.2MB)