Analysis
-
max time kernel
50s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
14/03/2023, 07:41
Static task
static1
Behavioral task
behavioral1
Sample
Payment copy.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Payment copy.exe
Resource
win10v2004-20230220-en
General
-
Target
Payment copy.exe
-
Size
635KB
-
MD5
758739dc69bea1dbffeb64a16adbba73
-
SHA1
5ab3aac44c8bc50082ad557df368549a3c10e7e4
-
SHA256
dcbf2a46595f5714137faa5d4950067eb1b1e5259c2bce2a75f853a73303d45f
-
SHA512
2096fddf3b59a51673ab236964866699ac20522fe19c084c03cf9368a9154ef393d0a731b9c653bfdaeba9e393f0eb3320cee70abbba5935fa28ce528d2dfa00
-
SSDEEP
12288:UnE5BhWH78QM8F2yf8mnpA9JXKBO4wl363Y8fo:UnE5KbXPddA3XGW363YKo
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Signatures
-
AgentTesla
Agent Tesla is a .NET (Visual Basic) information stealer and keylogger that is commonly classed as a remote access tool (RAT). The configuration extracted above is its exfiltration endpoint: a Telegram Bot API URL that embeds the bot token (the digits before the colon are the bot ID), so the token is the credential to pivot on when hunting for this campaign.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" | MSBuild.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
5 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1408 set thread context of 1056 | 1408 | Payment copy.exe | 29
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but it is a heuristic, not a verdict on this sample: the report records no file encryption or mass file modification, and for an Agent Tesla stealer drive enumeration is more consistent with locating data to collect.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1728 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1056 | MSBuild.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target | entries
PID 1408 wrote to memory of 1728 | 1408 | Payment copy.exe | 27 | 4
PID 1408 wrote to memory of 1056 | 1408 | Payment copy.exe | 29 | 9
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Payment copy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment copy.exe"
   PID: 1408
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (child of PID 1408)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ToLzCL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC276.tmp"
      PID: 1728
      - Creates scheduled task(s)
      The image path is under SysWOW64 although the command line names System32: the parent is a 32-bit process (resource tag arch:x86), so WOW64 file-system redirection resolves the path. The task definition is imported from a temporary XML file rather than given on the command line.
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 1408)
      Command line: "{path}"
      PID: 1056
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID 1056 is the target of the SetThreadContext and WriteProcessMemory calls from PID 1408 recorded above, and the literal "{path}" command line is the loader's unfilled placeholder: MSBuild.exe is a hollowed host process, and all credential-access and persistence activity is attributed to it rather than to Payment copy.exe.
-
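The behaviours recorded above (Run-key persistence into %APPDATA%, a scheduled task imported from a Temp XML, MSBuild.exe hollowed with a "{path}" command line, an external IP lookup, and a Telegram Bot API C2) can be turned directly into hunting logic. The following Python is an added example written for this page, not part of the Triage report or of the sample; the event schema, the field names, the SAMPLE_EVENTS list and the "/sendDocument" method on the C2 request are constructed assumptions modelled on the report, not a real Sysmon or EDR format. It also splits the extracted Telegram URL into bot ID and token so a seen request can be matched against the known C2 credential rather than just the api.telegram.org host.

```python
"""Added example (not part of the Triage report): turn the report's IOCs and
behaviours into simple detection rules and run them over constructed events.
Event schema, field names and SAMPLE_EVENTS are assumptions for illustration."""
import re
from urllib.parse import urlparse

# IOCs copied from the report above.
C2_URL = "https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/"
IP_LOOKUP_HOSTS = {"api.ipify.org"}
# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})(?:/|$)")


def parse_telegram_bot_url(url):
    """Return (bot_id, full_token) for a Telegram Bot API URL, or None if it is not one."""
    p = urlparse(url)
    m = BOT_PATH.match(p.path)
    if p.hostname != "api.telegram.org" or not m:
        return None
    return m.group(1), f"{m.group(1)}:{m.group(2)}"


KNOWN_C2_TOKEN = parse_telegram_bot_url(C2_URL)[1]


def rule_run_key_into_roaming(ev):
    """Run-key persistence pointing into %APPDATA% (report: 'My App' -> ...\\Roaming\\My App\\My App.exe)."""
    return (ev.get("type") == "registry_set"
            and ev.get("key", "").lower().endswith("\\currentversion\\run")
            and "\\appdata\\roaming\\" in ev.get("data", "").lower())


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing a task definition XML from the user's Temp directory."""
    if ev.get("type") != "process_create":
        return False
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("image", "").lower().endswith("\\schtasks.exe")
            and "/create" in cmd and "/xml" in cmd
            and "\\appdata\\local\\temp\\" in cmd)


def rule_msbuild_hollowed(ev):
    """MSBuild.exe launched with the loader's literal "{path}" placeholder, or with no
    project file on the command line at all (hunting-grade: tune on real build hosts)."""
    if ev.get("type") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("\\msbuild.exe"):
        return False
    cmd = ev.get("cmdline", "")
    no_project = not re.search(r"\.(proj|sln|csproj|vbproj|targets)\b", cmd, re.I)
    return cmd.strip('" ') == "{path}" or no_project


def rule_telegram_bot_api(ev):
    """Any Bot API call from an endpoint; 'known_c2' when the token matches the extracted config."""
    if ev.get("type") != "http":
        return False
    parsed = parse_telegram_bot_url(f"https://{ev.get('host', '')}{ev.get('path', '')}")
    if not parsed:
        return False
    return "known_c2" if parsed[1] == KNOWN_C2_TOKEN else "unknown_bot"


def rule_external_ip_lookup(ev):
    return ev.get("type") == "dns" and ev.get("query", "").lower() in IP_LOOKUP_HOSTS


RULES = {
    "run_key_into_roaming": rule_run_key_into_roaming,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "msbuild_hollowed": rule_msbuild_hollowed,
    "telegram_bot_api": rule_telegram_bot_api,
    "external_ip_lookup": rule_external_ip_lookup,
}


def scan(events):
    """Return [(event_index, rule_name, detail)] for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            result = rule(ev)
            if result:
                hits.append((i, name, result if isinstance(result, str) else ""))
    return hits


# Constructed events mirroring the report's process tree and IOCs; the
# "/sendDocument" method on the C2 request is an assumption.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": "Payment copy.exe",
     "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\ToLzCL" '
                '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC276.tmp"'},
    {"type": "process_create", "parent_image": "Payment copy.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmdline": '"{path}"'},
    {"type": "registry_set", "image": "MSBuild.exe", "name": "My App",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "data": "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"},
    {"type": "dns", "image": "MSBuild.exe", "query": "api.ipify.org"},
    {"type": "http", "image": "MSBuild.exe", "host": "api.telegram.org",
     "path": "/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/sendDocument"},
    # Benign control: a developer build that must not trip msbuild_hollowed.
    {"type": "process_create", "parent_image": "devenv.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj /t:Build"},
]

if __name__ == "__main__":
    for idx, name, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} {detail}".rstrip())
```

Matching on the full bot token rather than on the host alone is what separates this campaign from legitimate Telegram bot traffic; the msbuild_hollowed rule is deliberately loose and should be narrowed with a parent-process allowlist before it is run against a developer fleet.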
Downloads
-
Filesize
1KB
MD5 3adcc39fac29ad9a5429528481130aec
SHA1 ab3d881c671d113a370609ddab1f532e9de45502
SHA256 7cf1e6d73d75cf66b191f0c6f053e318f6c4949e2f0e4a98c81a3f5a07730bfd
SHA512 50a689a383c5b733be03ee34ea51692d941136630402a81038607e52f33a75de9aefe8ecef41c5bc24f9b852b051aecf2af57a545ab1b914afe97425dcd324a4