Analysis
-
max time kernel
88s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
08-12-2022 14:29
General
-
Target
payment receipt.exe
-
Size
899KB
-
MD5
ef2ce2f68f0c5562a64bd3139d81a62f
-
SHA1
248f3b30bb878a7608d1da009ae686b2e805562b
-
SHA256
112fea8779d66870df2bfe7d46f60f8e6f3c0f768a8076f9494404df0d2e88ed
-
SHA512
bdef4affde1cfc29055fbf1ea8d7b98832cbd0086693913eaf38f875a7d9969635c0edd05df18598edcadf2da0d911980f5c412622e8b76625114226f1923c10
-
SSDEEP
12288:goQgKZ/nXt7virmWhlGLaQYIRx/9/YAoDotxyo5iTz6wRhEq2jHrM393T7Qsm447:c/NYAHP5iTzOE3t32ia
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
work-toolz.click - Port:
587 - Username:
[email protected] - Password:
3HLkst~=QzD3
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/512-68-0x000000000043248E-mapping.dmp
-
memory/512-66-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/512-70-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/512-67-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/512-63-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/512-62-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/512-65-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/940-61-0x0000000007E20000-0x0000000007E7C000-memory.dmpFilesize
368KB
-
memory/940-58-0x0000000007D90000-0x0000000007E26000-memory.dmpFilesize
600KB
-
memory/940-55-0x0000000075B61000-0x0000000075B63000-memory.dmpFilesize
8KB
-
memory/940-57-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/940-54-0x00000000012A0000-0x0000000001386000-memory.dmpFilesize
920KB
-
memory/940-56-0x00000000003F0000-0x0000000000406000-memory.dmpFilesize
88KB
-
memory/1464-59-0x0000000000000000-mapping.dmp
-
memory/1464-72-0x00000000731A0000-0x000000007374B000-memory.dmpFilesize
5.7MB
-
memory/1464-73-0x00000000731A0000-0x000000007374B000-memory.dmpFilesize
5.7MB