Overview

overview

10

Static

static

Payment Advise.exe

windows7-x64

10

Payment Advise.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advise.exe

  • Size

    786KB

  • MD5

    ddb15a4c31bd7e0e7cf3d7cac8232f5f

  • SHA1

    761590b2db740edbe30bf3232998c258062b169a

  • SHA256

    fde52c018e73c2ac8a5f52796e06d7f35f9cfb197665d0ddb3dc6729c93cccb8

  • SHA512

    d2d5110df0ee93aa294237abaea8e654dc9d620d6e6540366de87888dcba91b1db532c9c2417c42f6d137744cc7a1418167e9997f4a4c03e94c590d3d79a999c

  • SSDEEP

    12288:IVmNAcv9ul/Z63ovN9LOfMe/xoKCT6Gx9QzjSCGmZJbxpDF+B7hC8Jf1:smNzV4KoT2c62CG

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    chinedu2@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KlAOZajcWjJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KlAOZajcWjJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7678.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3940
    • C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe"
      2⤵
        PID:3432
      • C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1004
          3⤵
          • Program crash
          PID:2960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1812 -ip 1812
      1⤵
        PID:3944

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp7678.tmp
        Filesize

        1KB

        MD5

        f393440d98a7632a104a250a31fcef76

        SHA1

        e3714011f7472529e33b74fc77d2e77d6adbc350

        SHA256

        b703c8a23b8b286cce656dfdb20ce95fb0589b8bb3ef16ee6845dc907428738b

        SHA512

        412bfa210b3411732ebe55e172bb4374f22a7280cf8e645037d1b2afbbd5f08a17105b84aa953a418aa31c9b0a549e4b379c92855d3045c4ebca8117ad138885

        Download Submit

      • memory/1812-144-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1812-143-0x0000000000000000-mapping.dmp

        Download

      • memory/2340-150-0x00000000706B0000-0x00000000706FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2340-146-0x0000000005500000-0x0000000005566000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2340-137-0x0000000000000000-mapping.dmp

        Download

      • memory/2340-158-0x00000000071A0000-0x00000000071A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2340-157-0x00000000071C0000-0x00000000071DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2340-139-0x00000000045D0000-0x0000000004606000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2340-141-0x0000000004D60000-0x0000000005388000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2340-156-0x00000000070B0000-0x00000000070BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2340-155-0x0000000007100000-0x0000000007196000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2340-154-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2340-145-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2340-153-0x0000000006E80000-0x0000000006E9A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2340-147-0x0000000005570000-0x00000000055D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2340-148-0x0000000005B70000-0x0000000005B8E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2340-149-0x0000000006140000-0x0000000006172000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2340-152-0x00000000074C0000-0x0000000007B3A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2340-151-0x0000000006120000-0x000000000613E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2824-132-0x0000000000220000-0x00000000002EA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/2824-136-0x000000000AA50000-0x000000000AAEC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2824-133-0x0000000007660000-0x0000000007C04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2824-134-0x0000000007190000-0x0000000007222000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2824-135-0x0000000007170000-0x000000000717A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3432-142-0x0000000000000000-mapping.dmp

        Download

      • memory/3940-138-0x0000000000000000-mapping.dmp

        Download