Analysis
max time kernel: 171s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 10:53
Static task: static1
Behavioral task: behavioral1
  Sample: Atlas Price Inquiry.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Atlas Price Inquiry.exe
  Resource: win10v2004-20220812-en
General
Target: Atlas Price Inquiry.exe
Size: 949KB
MD5: c602a8c1d11236ae15cef6d0506019e3
SHA1: 7de05fd3a996f5d804c25e8ce9f9721c56c86b48
SHA256: 6e9e7f85765b936dbee0d489d4b30048881a558489c4c8691187a781117c9b9a
SHA512: eb817221be3fcd13176e09160797644a8ad3ced2d281c708db23eee17a99ef1e9eea138a69ace26e6bef52290d0851bc584b484adca28173be6e2234ccf5b20e
SSDEEP: 12288:2VvgqU+D7Zy1Z/e1jjHUQ2F6GDlFlfs6G8gieBU3nk+uOsZ72at15zCDdzoa1cfN:+vz7c1Z/eFHHmfvRkokHZF5zCDdEPf
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://carbonwatt.com
Port: 21
Username: [email protected]
Password: k)G8;,rq1MNz
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Atlas Price Inquiry.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Atlas Price Inquiry.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Atlas Price Inquiry.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Atlas Price Inquiry.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Atlas Price Inquiry.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDeLIuR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDeLIuR\\PDeLIuR.exe" | Atlas Price Inquiry.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
69 | api.ipify.org
70 | api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes: Atlas Price Inquiry.exe
description | pid | process | target process
PID 1064 set thread context of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: Atlas Price Inquiry.exe, Atlas Price Inquiry.exe
pid | process
1064 | Atlas Price Inquiry.exe
1064 | Atlas Price Inquiry.exe
736 | Atlas Price Inquiry.exe
736 | Atlas Price Inquiry.exe
736 | Atlas Price Inquiry.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Atlas Price Inquiry.exe, Atlas Price Inquiry.exe
description | pid | process
Token: SeDebugPrivilege | 1064 | Atlas Price Inquiry.exe
Token: SeDebugPrivilege | 736 | Atlas Price Inquiry.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Atlas Price Inquiry.exe
description | pid | process | target process
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
PID 1064 wrote to memory of 736 | 1064 | Atlas Price Inquiry.exe | Atlas Price Inquiry.exe
outlook_office_path (1 IoC)
Processes: Atlas Price Inquiry.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Atlas Price Inquiry.exe

outlook_win_path (1 IoC)
Processes: Atlas Price Inquiry.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Atlas Price Inquiry.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Atlas Price Inquiry.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Atlas Price Inquiry.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Atlas Price Inquiry.exe (tree level 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Atlas Price Inquiry.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
memory/736-137-0x0000000000000000-mapping.dmp
memory/736-138-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
memory/736-139-0x0000000005DE0000-0x0000000005E46000-memory.dmp (Filesize: 408KB)
memory/736-140-0x00000000070A0000-0x00000000070F0000-memory.dmp (Filesize: 320KB)
memory/1064-132-0x0000000000230000-0x0000000000324000-memory.dmp (Filesize: 976KB)
memory/1064-133-0x0000000005300000-0x00000000058A4000-memory.dmp (Filesize: 5.6MB)
memory/1064-134-0x0000000004CA0000-0x0000000004D32000-memory.dmp (Filesize: 584KB)
memory/1064-135-0x0000000004D60000-0x0000000004D6A000-memory.dmp (Filesize: 40KB)
memory/1064-136-0x00000000078F0000-0x000000000798C000-memory.dmp (Filesize: 624KB)