Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2023 17:09
Static task: static1
Behavioral task: behavioral1
  Sample: 231730028-2023-Dec-04 pdf.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 231730028-2023-Dec-04 pdf.exe
  Resource: win10v2004-20231127-en
General
- Target: 231730028-2023-Dec-04 pdf.exe
- Size: 477KB
- MD5: 38e85567ecbe691d6319179e8e42fab2
- SHA1: 72f8f419447da72e61518a7ecdf433a4b05aa458
- SHA256: 188b48895639573a36270e0693569d98f7a673c975478927559c3eadd6d83839
- SHA512: 78c77591b9e381d9b3bf962693ec00f0ae94cadee813837095d4fb1e16282a93791d03a4323a52e57870632d7e09227cba1baaeee164264fb174e64a5d7c5d75
- SSDEEP: 12288:xkNqHWr7yJzMij4kfciX/wtf7FPEvPDvmtj9yx:xUq+IIefziB8vKjQx
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3052 | cpngrtzp.exe
  2784 | cpngrtzp.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  2108 | 231730028-2023-Dec-04 pdf.exe
  2108 | 231730028-2023-Dec-04 pdf.exe
  3052 | cpngrtzp.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cpngrtzp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cpngrtzp.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cpngrtzp.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 3052 set thread context of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  2784 | cpngrtzp.exe
  2784 | cpngrtzp.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
  3052 | cpngrtzp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2784 | cpngrtzp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 2108 wrote to memory of 3052 | 2108 | 231730028-2023-Dec-04 pdf.exe | cpngrtzp.exe
  PID 2108 wrote to memory of 3052 | 2108 | 231730028-2023-Dec-04 pdf.exe | cpngrtzp.exe
  PID 2108 wrote to memory of 3052 | 2108 | 231730028-2023-Dec-04 pdf.exe | cpngrtzp.exe
  PID 2108 wrote to memory of 3052 | 2108 | 231730028-2023-Dec-04 pdf.exe | cpngrtzp.exe
  PID 3052 wrote to memory of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
  PID 3052 wrote to memory of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
  PID 3052 wrote to memory of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
  PID 3052 wrote to memory of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
  PID 3052 wrote to memory of 2784 | 3052 | cpngrtzp.exe | cpngrtzp.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cpngrtzp.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cpngrtzp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\231730028-2023-Dec-04 pdf.exe (depth 1, PID 2108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\231730028-2023-Dec-04 pdf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe (depth 2, PID 3052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe (depth 3, PID 2784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 335KB
  MD5: 03a408bbf961a94b9448aad8fed24336
  SHA1: df08dc867912e252d48d23d599e21a0c90f3d914
  SHA256: 3d1155039ceb52969ebb93595ee5d3e2899ef72d98619c86439edd7a91d7d248
  SHA512: 69d145792d23e45419e3070c73d410506aab6ebc091c1ab70320b92f10c1b2aca5795d70e8213458e990c4be3b3d50a98675b647a51e98c626c064bcb5944643
- Filesize: 287KB
  MD5: ccac95bbd8877f49efc523f125489bb1
  SHA1: 92ee3a54136bded5f1c17d25fdbb553caf2eb3aa
  SHA256: 2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f
  SHA512: bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f