Analysis
- max time kernel: 109s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 16:56
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Advice.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Payment Advice.exe
- Resource: win10v2004-20221111-en
General
- Target: Payment Advice.exe
- Size: 64KB
- MD5: b6eb7b4e594a56b4863355c9a7f86b53
- SHA1: 117f098e05ef647da17ea4182b77f99efd7b1b94
- SHA256: 6293bc321e0d935cb697ff2d091446f6ff17b604c8720fe525f0ef3c38de8dbe
- SHA512: 463248fab99aff86929190ce4e7197ccfd59a65e5fbe8c85236e12825a8851c9479c394bf6fc403aab36632607109a12d065451c662138b7b32a237c9a50511a
- SSDEEP: 768:0AOAg9DjP3i6zmz4e2XX/40LO6dusn04ep:ZON9DjP3iC+Ja/40ymuL3p
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.wasstech.com
- Port: 587
- Username: sahar.nassif@wasstech.com
- Password: payment 12345
- Email To: sahar.nassif@wasstech.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: AddInProcess32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AddInProcess32.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AddInProcess32.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AddInProcess32.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow: ioc):
  - flow 4: api.ipify.org
  - flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Payment Advice.exe
  - PID 2216 (Payment Advice.exe) set thread context of PID 3020 (AddInProcess32.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: Payment Advice.exe
  - PID 2216, Payment Advice.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Payment Advice.exe, AddInProcess32.exe
  - Token: SeDebugPrivilege, PID 2216, Payment Advice.exe
  - Token: SeDebugPrivilege, PID 3020, AddInProcess32.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: Payment Advice.exe
  Every entry is PID 2216 (Payment Advice.exe) writing to the memory of the target process; identical entries are grouped with their count:
  - target PID 4708, RegSvcs.exe (2 entries)
  - target PID 4672, ngentask.exe (2 entries)
  - target PID 2436, AddInProcess.exe (2 entries)
  - target PID 4728, aspnet_compiler.exe (2 entries)
  - target PID 3880, SMSvcHost.exe (2 entries)
  - target PID 2824, AddInUtil.exe (2 entries)
  - target PID 4156, MSBuild.exe (2 entries)
  - target PID 3020, AddInProcess32.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes: AddInProcess32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AddInProcess32.exe)
- outlook_win_path (1 IoC)
  Processes: AddInProcess32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AddInProcess32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2216-132-0x00000193CAA50000-0x00000193CAA64000-memory.dmp (filesize: 80KB)
- memory/2216-133-0x00007FF91EE80000-0x00007FF91F941000-memory.dmp (filesize: 10.8MB)
- memory/2216-136-0x00007FF91EE80000-0x00007FF91F941000-memory.dmp (filesize: 10.8MB)
- memory/3020-134-0x0000000000400000-0x0000000000430000-memory.dmp (filesize: 192KB)
- memory/3020-135-0x000000000042A7DE-mapping.dmp
- memory/3020-137-0x0000000005C70000-0x0000000006214000-memory.dmp (filesize: 5.6MB)
- memory/3020-138-0x00000000057D0000-0x0000000005836000-memory.dmp (filesize: 408KB)
- memory/3020-139-0x0000000006E20000-0x0000000006EB2000-memory.dmp (filesize: 584KB)
- memory/3020-140-0x0000000006E00000-0x0000000006E0A000-memory.dmp (filesize: 40KB)
- memory/3020-141-0x0000000006F10000-0x0000000006F60000-memory.dmp (filesize: 320KB)
- memory/3020-142-0x0000000007240000-0x0000000007402000-memory.dmp (filesize: 1.8MB)