Malware Analysis Report

2024-11-30 21:53

Sample ID 230206-rw7lcahf5z
Target DOCUMENTS.exe
SHA256 e3fa6e232d27ca9d98148c4d388cc8736dfad4343b217e5e2f0144479a359a40
Tags agenttesla purecrypter collection downloader keylogger loader persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e3fa6e232d27ca9d98148c4d388cc8736dfad4343b217e5e2f0144479a359a40

Threat Level: Known bad

The file DOCUMENTS.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla purecrypter collection downloader keylogger loader persistence spyware stealer trojan

PureCrypter

AgentTesla

Detect PureCrypter injector

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-02-06 14:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-02-06 14:33

Reported 2023-02-06 14:36

Platform win7-20220812-en

Max time kernel 35s

Max time network 38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Clbmxcarzb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Atmmx\\Clbmxcarzb.exe\"" C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1144 set thread context of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1144 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

Network

N/A

Files

memory/1144-54-0x0000000000820000-0x0000000000D0E000-memory.dmp

memory/1144-55-0x00000000063E0000-0x000000000665A000-memory.dmp

memory/944-56-0x0000000000000000-mapping.dmp

memory/944-57-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

memory/944-58-0x000000006FBC0000-0x000000007016B000-memory.dmp

memory/944-59-0x000000006FBC0000-0x000000007016B000-memory.dmp

memory/944-60-0x000000006FBC0000-0x000000007016B000-memory.dmp

memory/1144-61-0x0000000002680000-0x00000000026D4000-memory.dmp

memory/608-62-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-63-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-65-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-66-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-68-0x000000000042A41E-mapping.dmp

memory/608-67-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-70-0x0000000000400000-0x0000000000430000-memory.dmp

memory/608-72-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-02-06 14:33

Reported 2023-02-06 14:36

Platform win10v2004-20221111-en

Max time kernel 91s

Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clbmxcarzb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Atmmx\\Clbmxcarzb.exe\"" C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1816 set thread context of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
PID 1816 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe

Network

Country Destination Domain Proto
US 13.89.179.10:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 149.154.167.99:443 tcp

Files

memory/1816-132-0x0000000000640000-0x0000000000B2E000-memory.dmp

memory/1816-133-0x00000000067F0000-0x0000000006812000-memory.dmp

memory/4912-134-0x0000000000000000-mapping.dmp

memory/4912-135-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

memory/4912-136-0x0000000005450000-0x0000000005A78000-memory.dmp

memory/4912-137-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/4912-138-0x0000000005BF0000-0x0000000005C56000-memory.dmp

memory/4912-139-0x0000000006280000-0x000000000629E000-memory.dmp

memory/4912-140-0x00000000078C0000-0x0000000007F3A000-memory.dmp

memory/4912-141-0x0000000006780000-0x000000000679A000-memory.dmp

memory/3136-142-0x0000000000000000-mapping.dmp

memory/1244-143-0x0000000000000000-mapping.dmp

memory/2216-144-0x0000000000000000-mapping.dmp

memory/2216-145-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOCUMENTS.exe.log

MD5 a713c363be116d5ed1f971db6a657e4f
SHA1 90791863564c9ed38e7b4f047022dec4474060a1
SHA256 4b5c446ec8ed2a2696ba00a0890763d413006ce1ea1a7a32fda1655720aef46e
SHA512 5dc740414a6ec30908e924f3bdfae2f761a35a476ef2dda239b789575a0a3696169deb6dc84a14d5828eaa5644623f107b2c686bfa4f54a90f0688239b4b1739

memory/2216-147-0x00000000063D0000-0x0000000006974000-memory.dmp

memory/2216-148-0x0000000006ED0000-0x0000000006F62000-memory.dmp

memory/2216-149-0x0000000006E90000-0x0000000006E9A000-memory.dmp

memory/2216-150-0x00000000070E0000-0x0000000007130000-memory.dmp

memory/2216-151-0x0000000007300000-0x00000000074C2000-memory.dmp