Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 16:45
Static task: static1
Behavioral task: behavioral1
  Sample: Amendment POs 05-Dec 2023 pdf.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: Amendment POs 05-Dec 2023 pdf.exe
  Resource: win10v2004-20231127-en
General
- Target: Amendment POs 05-Dec 2023 pdf.exe
- Size: 423KB
- MD5: db004427de4f603941d2f40d6a22d105
- SHA1: 83879efd1dab6923cc56a979756c0e0cff3d4320
- SHA256: 49c8753d20ef77ddfd436992e8c015dd23cc0a5e03429f614470321602df624e
- SHA512: d8a11bcb010f5a1476b05b7fe422d51e24fe2cbbbc6098ea4110fd0733cba8a99ccf7ac079fbc9484a550af5a9c183b693ae9e3e90ad10474fff2f82031d064d
- SSDEEP: 6144:T8LxB8/leyb8dfEPuc+W5nSPWO2vR72Tl7CjfsLkt1QSdUqZEIWjbFYh7zQcjzRF:x/leyEfEE4yqScUqZE/jbFYfznxlnksb
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    3608  efodnd.exe
    4988  efodnd.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  efodnd.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  efodnd.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  efodnd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 3608 set thread context of 4988  3608  efodnd.exe  efodnd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4988  efodnd.exe
    4988  efodnd.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    3608  efodnd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4988  efodnd.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 4168 wrote to memory of 3608  4168  Amendment POs 05-Dec 2023 pdf.exe  efodnd.exe
    PID 4168 wrote to memory of 3608  4168  Amendment POs 05-Dec 2023 pdf.exe  efodnd.exe
    PID 4168 wrote to memory of 3608  4168  Amendment POs 05-Dec 2023 pdf.exe  efodnd.exe
    PID 3608 wrote to memory of 4988  3608  efodnd.exe  efodnd.exe
    PID 3608 wrote to memory of 4988  3608  efodnd.exe  efodnd.exe
    PID 3608 wrote to memory of 4988  3608  efodnd.exe  efodnd.exe
    PID 3608 wrote to memory of 4988  3608  efodnd.exe  efodnd.exe
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  efodnd.exe
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  efodnd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Amendment POs 05-Dec 2023 pdf.exe (PID 4168)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Amendment POs 05-Dec 2023 pdf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\efodnd.exe (PID 3608, child of PID 4168)
      Command line: "C:\Users\Admin\AppData\Local\Temp\efodnd.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\efodnd.exe (PID 4988, child of PID 3608)
         Command line: "C:\Users\Admin\AppData\Local\Temp\efodnd.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 174KB (this entry is listed three times in the report with identical hashes)
  MD5: f285d29783926bbdfe4dd3b372829d47
  SHA1: 7bb85fb8bc69bee4c6d89c82869e336cac5c9839
  SHA256: e0ccf8d25441c9d696cc866894a7f4bb560eafdc52097621a99604de7d479331
  SHA512: 00abcc6a5a2630c89d9f262e989802693610855f20571608c6a427039f0a2964d2bb8002f0d9a9fde7a41855437948dc85de739f0634c8968ba4481b479a0ed5
- Filesize: 335KB
  MD5: 972723454318ba5a307ada9b512f4fdc
  SHA1: 3ff1c2d3c54b0c56f3d2f72d1d74dcef94212cb5
  SHA256: 73c05a16a7e52058cbc4c5cf8b9366fa39f9886b6aba09ce128ea257fd411b56
  SHA512: 01dc9d7e6abd46961152da4aad7a266d4fe2313dd6468851dfa37233d30f9555e93bcd5cd8ddadfc5d671e2bb56c151e4880d955af3bd5d6e89477d2dce3cfb7