Overview

overview

10

Static

static

3

ORDER LIST...DF.scr

windows7-x64

10

ORDER LIST...DF.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 07:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER LIST_SEPT7FIBA00541·PDF.scr

  • Size

    2.1MB

  • MD5

    f553993c429df4169eccb3463ff291be

  • SHA1

    6204264af92d6e1d31bd806ac9be14b105db422c

  • SHA256

    c5d72b59daee806a6528a681f2aa98d4ee4a0c3b96b897e5b2e1cd591cc5d633

  • SHA512

    93676a7857daecfc5b87cc73411c042c253e0f6c1fb51fd950e5c184e0c74311e7286d92d1a79ad82681eea2f47ea04809293494a10deb38657705cf8daf3ac0

  • SSDEEP

    24576:L9dfiq2k1eAFH5Xid4ajgyMLX4g2RoH43bXc/TAvsmts31ycmuFw2+LY7:ak1FDYoHMRvsmC31yUaXL

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER LIST_SEPT7FIBA00541·PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\ORDER LIST_SEPT7FIBA00541·PDF.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:4956
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
        PID:3948
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4256

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1188-8-0x0000000006270000-0x0000000006814000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1188-3-0x0000000005010000-0x0000000005064000-memory.dmp

            Filesize

            336KB

            Download

          • memory/1188-2-0x0000000074820000-0x0000000074FD0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1188-11-0x0000000074820000-0x0000000074FD0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1188-4-0x0000000005160000-0x0000000005170000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1188-5-0x0000000005180000-0x00000000051C2000-memory.dmp

            Filesize

            264KB

            Download

          • memory/1188-6-0x00000000051D0000-0x000000000521C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1188-7-0x0000000005160000-0x0000000005170000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1188-1-0x0000000074820000-0x0000000074FD0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1188-0-0x0000000000370000-0x0000000000584000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4256-12-0x0000000074820000-0x0000000074FD0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4256-9-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/4256-13-0x0000000005170000-0x0000000005180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4256-14-0x0000000005370000-0x00000000053D6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4256-15-0x0000000006010000-0x0000000006060000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4256-16-0x0000000006100000-0x0000000006192000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4256-17-0x00000000063C0000-0x00000000063CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4256-18-0x0000000074820000-0x0000000074FD0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4256-19-0x0000000005170000-0x0000000005180000-memory.dmp

            Filesize

            64KB

            Download