Analysis
- max time kernel: 98s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 13:59
Static task
- static1
Behavioral task
- behavioral1
  Sample: statement of account.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: statement of account.exe
  Resource: win10v2004-20220901-en
General
- Target: statement of account.exe
- Size: 759KB
- MD5: 808f76963a9f42ad7310a3b7d65c7983
- SHA1: f748a841b2ec35bc40ed0bacbe953c28bc11a8a6
- SHA256: 9f04b0b059e331845f8c3f9f4f83c785b07766529bb24dbbfb02fbab9e414938
- SHA512: 33681149a92fa03e80ed0e1c38dac6672785dd058d40b74daa75f649d8b7b78b315755fe81854919579a4fd9c1043aa52bcc5a46a3ccc954c1e6d3c16ea9a5cb
- SSDEEP: 12288:nKdsyGFr5cE8LHW4RelEpb8bOmsX4K1hOCcTVURwq05Sgk2/SEdRMA/LyzIPPPu:6ZvLrRGWb8OH1hO1UH0A49/LkInstA
Malware Config
Extracted
- Protocol: smtp
- Host: mail.clipjoint.co.nz
- Port: 587
- Username: clipjoint@clipjoint.co.nz
- Password: melandloz64
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.clipjoint.co.nz
- Port: 587
- Username: clipjoint@clipjoint.co.nz
- Password: melandloz64
- Email To: geortiok4@gmail.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Drops file in Drivers directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | statement of account.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | statement of account.exe
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | statement of account.exe
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | statement of account.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIhMQ = "C:\\Users\\Admin\\AppData\\Roaming\\LIhMQ\\LIhMQ.exe" | statement of account.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1132 set thread context of 1388 | 1132 | statement of account.exe | statement of account.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  1132 | statement of account.exe
  1388 | statement of account.exe
  1388 | statement of account.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1132 | statement of account.exe
  Token: SeDebugPrivilege | 1388 | statement of account.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  1388 | statement of account.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
  PID 1132 wrote to memory of 1656 | 1132 | statement of account.exe | schtasks.exe (4 entries)
  PID 1132 wrote to memory of 1388 | 1132 | statement of account.exe | statement of account.exe (9 entries)
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | statement of account.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | statement of account.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\statement of account.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\statement of account.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtdekfbHULJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EB.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\statement of account.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5EB.tmp
  Filesize: 1KB
  MD5: afcb87b463d5a1be7d08eb96b24e2cc0
  SHA1: db1f849e7cdb679a2d59ea2ac08bc0c00b98483c
  SHA256: ad71039dcd0a01d395132d3ab6069c1ad325f37301edc5b9f7860c8b07e8c839
  SHA512: a00dd25e79d98a8ef7c4d96ec1c58be3d5a38947a66b5c2d860a750abff756779eec3affc7946d5ea8b4ba61d96521173261cb31f006f95910f11bb67136db89
- memory/1132-57-0x0000000005C60000-0x0000000005CDE000-memory.dmp
  Filesize: 504KB
- memory/1132-55-0x0000000075561000-0x0000000075563000-memory.dmp
  Filesize: 8KB
- memory/1132-54-0x0000000000CD0000-0x0000000000D94000-memory.dmp
  Filesize: 784KB
- memory/1132-58-0x0000000004420000-0x000000000445A000-memory.dmp
  Filesize: 232KB
- memory/1132-56-0x0000000000390000-0x00000000003A2000-memory.dmp
  Filesize: 72KB
- memory/1388-66-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-61-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-62-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-64-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-65-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-67-0x0000000000435B0E-mapping.dmp
- memory/1388-69-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1388-71-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/1656-59-0x0000000000000000-mapping.dmp