Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02-09-2024 02:44
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Invoice.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Pics.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Pics.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Products drawing.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Products drawing.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Quotation and Prices.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
Quotation and Prices.exe
Resource
win10v2004-20240802-en
General
-
Target
Products drawing.exe
-
Size
501KB
-
MD5
59eb6cff844446f0e44f2d3d85f85a9e
-
SHA1
c0f7887016df63c80647c4fca82b979dc18ff010
-
SHA256
1339a751e36cce726e3d808cfad7cd81c7f0712103a9c26a65acaf8c573f97b5
-
SHA512
456f66a52e7fab312d226be645d4543fa9156944fb1fc7265aa75a316c29aa6f994cf3e2eccc93c2837b9b9c9f904b2cee7e08078604d51c7496f11635948f2f
-
SSDEEP
12288:XFda+Fda/cQS84fwkDB1vSYVGJRu1ujK8q+TXmXTtt7Af:ccn84fwE1fVaFK8NSt
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
MARYolanmauluogwo@ever
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral5/memory/1508-18-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral5/memory/1508-27-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral5/memory/1508-24-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral5/memory/1508-22-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral5/memory/1508-16-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
resource yara_rule behavioral5/memory/2728-3-0x0000000000860000-0x00000000008CC000-memory.dmp beds_protector -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe Powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Products drawing.exe Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Products drawing.exe Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Products drawing.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\0rig20 = "C:\\Users\\Admin\\AppData\\Roaming\\0rig20\\0rig20.exe" Products drawing.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2728 set thread context of 1508 2728 Products drawing.exe 32 -
pid Process 2508 Powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Products drawing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Products drawing.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2508 Powershell.exe 1508 Products drawing.exe 1508 Products drawing.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2508 Powershell.exe Token: SeDebugPrivilege 1508 Products drawing.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1508 Products drawing.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2508 2728 Products drawing.exe 30 PID 2728 wrote to memory of 2508 2728 Products drawing.exe 30 PID 2728 wrote to memory of 2508 2728 Products drawing.exe 30 PID 2728 wrote to memory of 2508 2728 Products drawing.exe 30 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 PID 2728 wrote to memory of 1508 2728 Products drawing.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Products drawing.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Products drawing.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Products drawing.exe"C:\Users\Admin\AppData\Local\Temp\Products drawing.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Products drawing.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'2⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Users\Admin\AppData\Local\Temp\Products drawing.exe"C:\Users\Admin\AppData\Local\Temp\Products drawing.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1508
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1