Analysis
- max time kernel: 190s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2022 02:25
Static task: static1
Behavioral task: behavioral1
- Sample: OVERDUE PAYMENT LIST.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: OVERDUE PAYMENT LIST.exe
- Resource: win10v2004-20220812-en
General
- Target: OVERDUE PAYMENT LIST.exe
- Size: 868KB
- MD5: 4b157f58016445399705b1e1aa57d282
- SHA1: 7938ea46e93d1f7d80e84687955fc2894f6fb051
- SHA256: b188a13a9f8d13e388089ecbe4725f5c0e2a17c2f1036e0a7ab0cf5aab878549
- SHA512: f03250454fbc65f925833cee3e3ccb6f8b183e38b17794a7e4974f776d5463ada881bec535c73263dfc55e83ea8ba88db98de48af4cb5944785578717d0c5c3d
- SSDEEP: 12288:IEVq7Kg9kY75YoJAbek8NUrQHSrqWkhbmCPk4iFssKlSwx7IkNLHp:Cugb75YdFcWqW4bS4IsNQw+mjp
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dmstech.in
- Port: 587
- Username: [email protected]
- Password: 0]6F9Az.pqfd
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: OVERDUE PAYMENT LIST.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | OVERDUE PAYMENT LIST.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zBwkauB = "C:\\Users\\Admin\\AppData\\Roaming\\zBwkauB\\zBwkauB.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: OVERDUE PAYMENT LIST.exe
  description | pid | process | target process
  PID 4988 set thread context of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: RegSvcs.exe
  pid | process
  3456 | RegSvcs.exe
  3456 | RegSvcs.exe
  3456 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 3456 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: OVERDUE PAYMENT LIST.exe
  description | pid | process | target process
  PID 4988 wrote to memory of 2424 | 4988 | OVERDUE PAYMENT LIST.exe | schtasks.exe
  PID 4988 wrote to memory of 2424 | 4988 | OVERDUE PAYMENT LIST.exe | schtasks.exe
  PID 4988 wrote to memory of 2424 | 4988 | OVERDUE PAYMENT LIST.exe | schtasks.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
  PID 4988 wrote to memory of 3456 | 4988 | OVERDUE PAYMENT LIST.exe | RegSvcs.exe
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\OVERDUE PAYMENT LIST.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\OVERDUE PAYMENT LIST.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpJaXqOF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp396A.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp396A.tmp
  Filesize: 1KB
  MD5: 4bda33f125987273069b70f0df1391e1
  SHA1: b476ebc43f427ecb9d7a980e28626d8e0b1c1e6b
  SHA256: 5e1af9b9f0f432cf4afb21765acb0da0f93ec76d24c670a0aef4386109628f75
  SHA512: c05b327fe0d0513475a7728c91c0916f1d8034d831a57c60d8744d1693d9dd79baa75ec3d0601455c122d70815261ad3d0ec36793543ae3fe873b6abac8273d9
- memory/2424-137-0x0000000000000000-mapping.dmp
- memory/3456-139-0x0000000000000000-mapping.dmp
- memory/3456-140-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/3456-141-0x0000000005DD0000-0x0000000005E36000-memory.dmp
  Filesize: 408KB
- memory/3456-142-0x0000000006100000-0x0000000006150000-memory.dmp
  Filesize: 320KB
- memory/4988-132-0x00000000000E0000-0x00000000001BE000-memory.dmp
  Filesize: 888KB
- memory/4988-133-0x00000000050B0000-0x0000000005654000-memory.dmp
  Filesize: 5.6MB
- memory/4988-134-0x0000000004BA0000-0x0000000004C32000-memory.dmp
  Filesize: 584KB
- memory/4988-135-0x0000000004C40000-0x0000000004CDC000-memory.dmp
  Filesize: 624KB
- memory/4988-136-0x0000000004B50000-0x0000000004B5A000-memory.dmp
  Filesize: 40KB