Analysis
-
max time kernel
66s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2023 17:26
Static task
static1
Behavioral task
behavioral1
Sample
Cotización-202002721.pdf.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Cotización-202002721.pdf.exe
Resource
win10v2004-20230220-en
General
-
Target
Cotización-202002721.pdf.exe
-
Size
473KB
-
MD5
bf2d6295a7e04f44e50101fd3df6b34f
-
SHA1
223321e3e18c453875f4d625b1327b8a8e05de1a
-
SHA256
c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b
-
SHA512
fcec0b125961d7ae9f1672e85e61ff0c58a0aa58a3a0686816c32be0581352c08a7a46b16bbe9073f640d26e81b1cd7a0791aa5ea44380b2defb5342db2f79e6
-
SSDEEP
12288:943FAhu8y7mMaBXkiB/ZrLX/qFiyDwHi220AbWxQhi:e3FSunDuXBX62gvs
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.itzayanaland.com - Port:
587 - Username:
security01@itzayanaland.com - Password:
H!S6_PFHTAN{ - Email To:
security01@itzayanaland.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Cotización-202002721.pdf.exedescription pid process target process PID 3888 set thread context of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
Cotización-202002721.pdf.exepid process 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe 3888 Cotización-202002721.pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Cotización-202002721.pdf.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 3888 Cotización-202002721.pdf.exe Token: SeDebugPrivilege 4164 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
Cotización-202002721.pdf.exedescription pid process target process PID 3888 wrote to memory of 2192 3888 Cotización-202002721.pdf.exe ilasm.exe PID 3888 wrote to memory of 2192 3888 Cotización-202002721.pdf.exe ilasm.exe PID 3888 wrote to memory of 3924 3888 Cotización-202002721.pdf.exe DataSvcUtil.exe PID 3888 wrote to memory of 3924 3888 Cotización-202002721.pdf.exe DataSvcUtil.exe PID 3888 wrote to memory of 4404 3888 Cotización-202002721.pdf.exe RegAsm.exe PID 3888 wrote to memory of 4404 3888 Cotización-202002721.pdf.exe RegAsm.exe PID 3888 wrote to memory of 552 3888 Cotización-202002721.pdf.exe AddInUtil.exe PID 3888 wrote to memory of 552 3888 Cotización-202002721.pdf.exe AddInUtil.exe PID 3888 wrote to memory of 1416 3888 Cotización-202002721.pdf.exe SMSvcHost.exe PID 3888 wrote to memory of 1416 3888 Cotización-202002721.pdf.exe SMSvcHost.exe PID 3888 wrote to memory of 3700 3888 Cotización-202002721.pdf.exe EdmGen.exe PID 3888 wrote to memory of 3700 3888 Cotización-202002721.pdf.exe EdmGen.exe PID 3888 wrote to memory of 4112 3888 Cotización-202002721.pdf.exe aspnet_compiler.exe PID 3888 wrote to memory of 4112 3888 Cotización-202002721.pdf.exe aspnet_compiler.exe PID 3888 wrote to memory of 2264 3888 Cotización-202002721.pdf.exe aspnet_state.exe PID 3888 wrote to memory of 2264 3888 Cotización-202002721.pdf.exe aspnet_state.exe PID 3888 wrote to memory of 5104 3888 Cotización-202002721.pdf.exe ComSvcConfig.exe PID 3888 wrote to memory of 5104 3888 Cotización-202002721.pdf.exe ComSvcConfig.exe PID 3888 wrote to memory of 3376 3888 Cotización-202002721.pdf.exe AppLaunch.exe PID 3888 wrote to memory of 3376 3888 Cotización-202002721.pdf.exe AppLaunch.exe PID 3888 wrote to memory of 4316 3888 Cotización-202002721.pdf.exe Microsoft.Workflow.Compiler.exe PID 3888 wrote to memory of 4316 3888 Cotización-202002721.pdf.exe Microsoft.Workflow.Compiler.exe PID 3888 wrote to memory of 4324 3888 Cotización-202002721.pdf.exe aspnet_wp.exe PID 3888 wrote to memory of 4324 3888 Cotización-202002721.pdf.exe aspnet_wp.exe PID 3888 wrote to memory of 4328 3888 Cotización-202002721.pdf.exe cvtres.exe PID 3888 wrote to memory of 4328 3888 Cotización-202002721.pdf.exe cvtres.exe PID 3888 wrote to memory of 4344 3888 Cotización-202002721.pdf.exe mscorsvw.exe PID 3888 wrote to memory of 4344 3888 Cotización-202002721.pdf.exe mscorsvw.exe PID 3888 wrote to memory of 5096 3888 Cotización-202002721.pdf.exe ServiceModelReg.exe PID 3888 wrote to memory of 5096 3888 Cotización-202002721.pdf.exe ServiceModelReg.exe PID 3888 wrote to memory of 4376 3888 Cotización-202002721.pdf.exe RegSvcs.exe PID 3888 wrote to memory of 4376 3888 Cotización-202002721.pdf.exe RegSvcs.exe PID 3888 wrote to memory of 1888 3888 Cotización-202002721.pdf.exe csc.exe PID 3888 wrote to memory of 1888 3888 Cotización-202002721.pdf.exe csc.exe PID 3888 wrote to memory of 1292 3888 Cotización-202002721.pdf.exe aspnet_regsql.exe PID 3888 wrote to memory of 1292 3888 Cotización-202002721.pdf.exe aspnet_regsql.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe PID 3888 wrote to memory of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe -
outlook_office_path 1 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
outlook_win_path 1 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cotización-202002721.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Cotización-202002721.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3888-133-0x000002AF128E0000-0x000002AF1295C000-memory.dmpFilesize
496KB
-
memory/3888-134-0x000002AF14770000-0x000002AF14780000-memory.dmpFilesize
64KB
-
memory/4164-135-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/4164-137-0x00000000055A0000-0x0000000005B44000-memory.dmpFilesize
5.6MB
-
memory/4164-138-0x0000000004FF0000-0x0000000005056000-memory.dmpFilesize
408KB
-
memory/4164-139-0x00000000051C0000-0x00000000051D0000-memory.dmpFilesize
64KB
-
memory/4164-140-0x0000000006140000-0x00000000061D2000-memory.dmpFilesize
584KB
-
memory/4164-141-0x0000000006120000-0x000000000612A000-memory.dmpFilesize
40KB
-
memory/4164-142-0x00000000063C0000-0x0000000006410000-memory.dmpFilesize
320KB
-
memory/4164-143-0x00000000065E0000-0x00000000067A2000-memory.dmpFilesize
1.8MB
-
memory/4164-144-0x00000000051C0000-0x00000000051D0000-memory.dmpFilesize
64KB