Resubmissions
- 23-01-2023 02:29, analysis 230123-cyn5fsbe76, score 10

Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 02:29

Static task: static1

Behavioral task: behavioral1
- Sample: Purchase Order No. BCM190282Project.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: Purchase Order No. BCM190282Project.exe
- Resource: win10v2004-20220901-en
General
- Target: Purchase Order No. BCM190282Project.exe
- Size: 552KB
- MD5: 085621949a07bb1b819fe5c6894e7381
- SHA1: 01137a34ab984239fc8517dd79635aaabbfa27b2
- SHA256: e183f9caf4ab50798816cb2619cbae642d0952df6cf0820524ef2ca631728b3d
- SHA512: 2c622c8b1d5d22957bd03be3fd3271c3eb592aff40b7ef5bbe47cfd484f5305e8aab907befdf5a356200f69bfd887843abb3d94a5c00668601f4b9782ab0ad96
- SSDEEP: 6144:SDgK3Jc/yQeIBLXKvZm5BnZhFY+X550ykb6w5jZSZFMIWJaO74kr2BMRIbhQFu+K:0d5c66BLX/PZjpQNCAaOEkuTEo3
Malware Config

Extracted
- Protocol: smtp
- Host: Smtp.ionos.es
- Port: 587
- Username: mgonzalez@inkor.es
- Password: Random1@@##

Extracted (agenttesla)
- Protocol: smtp
- Host: Smtp.ionos.es
- Port: 587
- Username: mgonzalez@inkor.es
- Password: Random1@@##
- Email To: fresh.italian@yandex.com
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Purchase Order No. BCM190282Project.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Purchase Order No. BCM190282Project.exe
      Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 42: api.ipify.org
    flow 43: api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2096 (Purchase Order No. BCM190282Project.exe) set thread context of PID 64 (Purchase Order No. BCM190282Project.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
    2096 Purchase Order No. BCM190282Project.exe
    2932 powershell.exe
    1432 powershell.exe
    2096 Purchase Order No. BCM190282Project.exe
    64 Purchase Order No. BCM190282Project.exe
    64 Purchase Order No. BCM190282Project.exe
    2932 powershell.exe
    1432 powershell.exe
    64 Purchase Order No. BCM190282Project.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (token, pid, process):
    SeDebugPrivilege 2096 Purchase Order No. BCM190282Project.exe
    SeDebugPrivilege 1432 powershell.exe
    SeDebugPrivilege 2932 powershell.exe
    SeDebugPrivilege 64 Purchase Order No. BCM190282Project.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source pid, target pid, target process; the source process is Purchase Order No. BCM190282Project.exe in every entry):
    PID 2096 wrote to memory of 1432 (powershell.exe), 3 entries
    PID 2096 wrote to memory of 2932 (powershell.exe), 3 entries
    PID 2096 wrote to memory of 4228 (schtasks.exe), 3 entries
    PID 2096 wrote to memory of 64 (Purchase Order No. BCM190282Project.exe), 8 entries

- outlook_office_path (1 IoC)
  Processes:
    Purchase Order No. BCM190282Project.exe
      Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Processes:
    Purchase Order No. BCM190282Project.exe
      Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
  Signatures:
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qWncfecZ.exe"
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qWncfecZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AF8.tmp"
    Signatures:
      - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
    Signatures:
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 1abe17d8c190daa8ac3c339326bb8283
  SHA1: 827c57ca219d2e41d63e6413b346f5130d6f4b6e
  SHA256: 46c0322a8833c83dfd7a8cb22c1e4868be824ccd69d3bb61673c7ef1754edac7
  SHA512: 6f664cd411692fbd7adbfd7873fd08817180f332384ebf4d7070e2357b53512662de0589a38d46e9ee94facfc48b0ca67c2f0150ceafae9f6107d628b12a4ca6

- C:\Users\Admin\AppData\Local\Temp\tmp2AF8.tmp
  Filesize: 1KB
  MD5: 9f25f786bbf9366f38393f775f988a6b
  SHA1: 05803a8f1764cc9b2bd0b5c71001aeefea24faf8
  SHA256: 82612f546c6addfc7d99c2510bbb2620e7dda650b37871ef6fb9cd76d33e7b76
  SHA512: eab888341680a6342ef036fb30237d1d56cf01914b34094a9f553146b96d3c192cde7d189955105a780969105f78240f2b6909f25ffce4a209e15a56fe7081c8