Analysis
- max time kernel: 141s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 07:18
- Static task: static1
- Behavioral task: behavioral1 (Sample: PI.exe, Resource: win7-20221111-en)
- Behavioral task: behavioral2 (Sample: PI.exe, Resource: win10v2004-20221111-en)
General
- Target: PI.exe
- Size: 671KB
- MD5: f98d644ab8f19948187c6189918dcc1c
- SHA1: 99ef151d996ed3f09e66891ae304a2f36299dd39
- SHA256: 3a5e2c67c21dcfb129ce78a036ae4bf136a05493001ad7326c7fe9aab6a444e7
- SHA512: f2ba2a292e0eff9cc8490c2147293d13183acd0aad66ef58ede5d3720fe37960ca27cc4ef9c7d9327cb0c9256ec1c963e3292bcce889ddbc186aaec500abfe8e
- SSDEEP: 12288:XPuYd+V6b1momPZefcZnhYy8kL2JDiyllunMeZhJITR3oIxWgSaMPuYd+V6b:XPuYd+V6bIomxichF8kL26nLhJITR4Is
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.svcnc.com
- Port: 587
- Username: [email protected]
- Password: Krupashine@6791
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PI.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PI.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PI.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 4: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 2028 (PI.exe) set thread context of PID 944 (PI.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  - 648 powershell.exe
  - 1480 powershell.exe
  - 944 PI.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 944 PI.exe
  - Token: SeDebugPrivilege, 648 powershell.exe
  - Token: SeDebugPrivilege, 1480 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
  - PID 2028 (PI.exe) wrote to memory of 1480 (powershell.exe) (4 entries)
  - PID 2028 (PI.exe) wrote to memory of 648 (powershell.exe) (4 entries)
  - PID 2028 (PI.exe) wrote to memory of 668 (schtasks.exe) (4 entries)
  - PID 2028 (PI.exe) wrote to memory of 944 (PI.exe) (9 entries)
- outlook_office_path (1 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PI.exe)
- outlook_win_path (1 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PI.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\PI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hpuAAGQUj.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hpuAAGQUj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp (Filesize: 1KB)
  MD5: 18e49c37ce98d945c3dc59770eb3d783
  SHA1: 8378154f5d84e50338df4e7948b524fe4303bc7e
  SHA256: 2ce839535bc538f21d1f1ec077dbabaf9c6c884f8c46ee471aad980a0bd24ba1
  SHA512: 6ee302db3427fefd914c0c34c907658ff8ac18784e8f0e9e060ae09d5cbca5b92317c9ff91df6e98de7bbefd65abbbf7f8a8d6ee0f42a717edeef3982c39fa77
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (Filesize: 7KB)
  MD5: d1df1621ed0ca00c07cc536ff9328028
  SHA1: 12d3e010e09746254f073aef54b872bf6e6809f4
  SHA256: aab7feb9a6e348525d5b487139416c063f35c59c87f568687ec28219751b98e6
  SHA512: 9fd5e37b0fe2da526af888fc1ecfd48590050e0030f3ac7fb63b875b69c2525e7dd171a37ef0d579ed518080d55c47111d57d9768d8c1b79aca1ae97e1e08335
Memory dumps (pid-index, region, filesize):
- memory/648-61-0x0000000000000000-mapping.dmp
- memory/648-82-0x000000006EDC0000-0x000000006F36B000-memory.dmp (5.7MB)
- memory/648-67-0x000000006EDC0000-0x000000006F36B000-memory.dmp (5.7MB)
- memory/668-62-0x0000000000000000-mapping.dmp
- memory/944-77-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-74-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-75-0x00000000004324DE-mapping.dmp
- memory/944-70-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-79-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-73-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-72-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/944-69-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1480-59-0x0000000000000000-mapping.dmp
- memory/1480-66-0x000000006EDC0000-0x000000006F36B000-memory.dmp (5.7MB)
- memory/1480-81-0x000000006EDC0000-0x000000006F36B000-memory.dmp (5.7MB)
- memory/2028-68-0x0000000004AB0000-0x0000000004AE8000-memory.dmp (224KB)
- memory/2028-54-0x0000000000FC0000-0x000000000106E000-memory.dmp (696KB)
- memory/2028-58-0x0000000004E50000-0x0000000004EC2000-memory.dmp (456KB)
- memory/2028-57-0x0000000000280000-0x000000000028E000-memory.dmp (56KB)
- memory/2028-56-0x00000000003E0000-0x00000000003FA000-memory.dmp (104KB)
- memory/2028-55-0x00000000753F1000-0x00000000753F3000-memory.dmp (8KB)