Overview

overview

10

Static

static

PI.exe

windows7-x64

10

PI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PI.exe

  • Size

    671KB

  • MD5

    f98d644ab8f19948187c6189918dcc1c

  • SHA1

    99ef151d996ed3f09e66891ae304a2f36299dd39

  • SHA256

    3a5e2c67c21dcfb129ce78a036ae4bf136a05493001ad7326c7fe9aab6a444e7

  • SHA512

    f2ba2a292e0eff9cc8490c2147293d13183acd0aad66ef58ede5d3720fe37960ca27cc4ef9c7d9327cb0c9256ec1c963e3292bcce889ddbc186aaec500abfe8e

  • SSDEEP

    12288:XPuYd+V6b1momPZefcZnhYy8kL2JDiyllunMeZhJITR3oIxWgSaMPuYd+V6b:XPuYd+V6bIomxichF8kL26nLhJITR4Is

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI.exe
    "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hpuAAGQUj.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hpuAAGQUj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:668
    • C:\Users\Admin\AppData\Local\Temp\PI.exe
      "C:\Users\Admin\AppData\Local\Temp\PI.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp
    Filesize

    1KB

    MD5

    18e49c37ce98d945c3dc59770eb3d783

    SHA1

    8378154f5d84e50338df4e7948b524fe4303bc7e

    SHA256

    2ce839535bc538f21d1f1ec077dbabaf9c6c884f8c46ee471aad980a0bd24ba1

    SHA512

    6ee302db3427fefd914c0c34c907658ff8ac18784e8f0e9e060ae09d5cbca5b92317c9ff91df6e98de7bbefd65abbbf7f8a8d6ee0f42a717edeef3982c39fa77

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    d1df1621ed0ca00c07cc536ff9328028

    SHA1

    12d3e010e09746254f073aef54b872bf6e6809f4

    SHA256

    aab7feb9a6e348525d5b487139416c063f35c59c87f568687ec28219751b98e6

    SHA512

    9fd5e37b0fe2da526af888fc1ecfd48590050e0030f3ac7fb63b875b69c2525e7dd171a37ef0d579ed518080d55c47111d57d9768d8c1b79aca1ae97e1e08335

    Download Submit
  • memory/648-61-0x0000000000000000-mapping.dmp
    Download
  • memory/648-82-0x000000006EDC0000-0x000000006F36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/648-67-0x000000006EDC0000-0x000000006F36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/668-62-0x0000000000000000-mapping.dmp
    Download
  • memory/944-77-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-74-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-75-0x00000000004324DE-mapping.dmp
    Download
  • memory/944-70-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-79-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-73-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-72-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/944-69-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1480-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1480-66-0x000000006EDC0000-0x000000006F36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1480-81-0x000000006EDC0000-0x000000006F36B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2028-68-0x0000000004AB0000-0x0000000004AE8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2028-54-0x0000000000FC0000-0x000000000106E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/2028-58-0x0000000004E50000-0x0000000004EC2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2028-57-0x0000000000280000-0x000000000028E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2028-56-0x00000000003E0000-0x00000000003FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2028-55-0x00000000753F1000-0x00000000753F3000-memory.dmp
    Filesize

    8KB

    Download