Analysis

  • max time kernel
    130s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    24-06-2020 14:37

General

  • Target

    PO No. XE-1706-154.exe

  • Size

    511KB

  • MD5

    67aafea3651cc0a5a41eee3b1fc1ea1c

  • SHA1

    320de7b05cb00101efcf507fd4a528ba9bb1e838

  • SHA256

    d12fe1681559292a24bb0b2b56a0feee3a6746a0ccbc014c7462aff08d7a3fd0

  • SHA512

    9996bc12c8236200a8d633ca0ca23ae9fc390c6deaf4025f601ca344b561454b3fb62fd90066a09e53fd0727975e910738cfb22808d4ab43d63420abe305155a

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic (.NET); it harvests credentials from browsers, email and FTP clients, which matches the file-access signatures below.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data (including saved account credentials) on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration on its own is generic; taken together with the credential-harvesting signatures above it is consistent with infostealer reconnaissance rather than encryption.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO No. XE-1706-154.exe
    "C:\Users\Admin\AppData\Local\Temp\PO No. XE-1706-154.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SXHPJzJUZTjsWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB02B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1012
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile
      2⤵
        PID:1648
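The two child processes above are the behaviours worth turning into detection logic: a schtasks /Create whose task definition is an XML file staged in %TEMP% under a .tmp name by a parent that itself runs from %TEMP%, and netsh wlan show profile, which lists saved Wi-Fi profile names (the step that normally precedes dumping their keys) and is not reflected in the report's ATT&CK mapping. The following Python script is an added example, not part of the sandbox report: it runs those checks over constructed process-creation records that mirror this tree plus one constructed benign task creation as a control. The record field names (pid, ppid, image, cmdline) and the list of user-writable directories are assumptions for the example, not any particular sandbox's schema.

```python
"""Triage heuristics for the process tree above: flag schtasks-based persistence
staged from user-writable paths and Wi-Fi profile enumeration via netsh."""
import ntpath
import re

# Constructed process-creation records. The first three mirror the report's
# process tree; the fourth is a constructed benign control case.
EVENTS = [
    {"pid": 1460, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PO No. XE-1706-154.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO No. XE-1706-154.exe"'},
    {"pid": 1012, "ppid": 1460,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SXHPJzJUZTjsWV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB02B.tmp"'},
    {"pid": 1648, "ppid": 1460,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": '"netsh" wlan show profile'},
    {"pid": 2000, "ppid": 1800,  # benign: XML under ProgramData, parent not in Temp
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

# Assumed list of directories any user can write to (extend for your estate).
_USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|Downloads)\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_user_writable(path):
    return bool(_USER_WRITABLE.search(path))


def parse_schtasks_create(cmdline):
    """Return {'task_name', 'xml_path'} for a schtasks /Create line, else None.
    Matches on the executable basename, so System32/SysWOW64 paths both work."""
    args = tokenize(cmdline)
    if not args or ntpath.basename(args[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [a.lower() for a in args]
    if "/create" not in lowered:
        return None

    def opt(name):  # value following a switch such as /TN or /XML
        if name not in lowered:
            return None
        i = lowered.index(name)
        return args[i + 1] if i + 1 < len(args) else None

    return {"task_name": opt("/tn"), "xml_path": opt("/xml")}


def is_wlan_profile_dump(cmdline):
    """True for 'netsh wlan show profile[s] ...' (lists saved Wi-Fi networks)."""
    args = [a.lower() for a in tokenize(cmdline)]
    if not args or ntpath.basename(args[0]) not in ("netsh", "netsh.exe"):
        return False
    return "wlan" in args and "show" in args and any(a.startswith("profile") for a in args[1:])


def analyse(events):
    """Return findings as dicts {pid, rule, detail}, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_suspicious = parent is not None and is_user_writable(parent["image"])
        task = parse_schtasks_create(e["cmdline"])
        if task is not None:
            reasons = []
            xml = task["xml_path"]
            if xml and is_user_writable(xml):
                reasons.append("task XML staged in a user-writable directory")
            if xml and not xml.lower().endswith(".xml"):
                reasons.append("task XML has a non-.xml name (%s)" % ntpath.basename(xml))
            if parent_suspicious:
                reasons.append("creator runs from a user-writable path")
            if reasons:
                findings.append({"pid": e["pid"], "rule": "suspicious_schtasks_create",
                                 "detail": "task %r: %s" % (task["task_name"], "; ".join(reasons))})
        elif is_wlan_profile_dump(e["cmdline"]):
            detail = "saved Wi-Fi profile enumeration"
            if parent_suspicious:
                detail += " by child of %d (user-writable path)" % parent["pid"]
            findings.append({"pid": e["pid"], "rule": "wifi_profile_enumeration", "detail": detail})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Two points the script bakes in: the image path C:\Windows\SysWOW64\schtasks.exe against a command line naming System32 is WOW64 file-system redirection for a 32-bit parent, not tampering, so match on the basename rather than the full path; and the combination that matters is a task XML with a .tmp name under %TEMP% plus a creator in %TEMP%, since schtasks /XML from a fixed, admin-owned location (the control record) is routine.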

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (3)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB02B.tmp
    MD5

    bb623325ceaf87a5b82e38b98103b6ff

    SHA1

    c19433f2e7d8b7b0b46ee3ea690b1ec76c861760

    SHA256

    971d68ad009a896f9ece19061f268bfadd38562a760331d2ddd2a1b39852cd68

    SHA512

    119eec8620c48877ada55e37fdf12dc9db59f4c4406c05769c0c28107bb3b2e829fdb3187e8953721aa44216e3fb6b8727126841aa8fa4e59b0d20c1163cb568

  • memory/1012-2-0x0000000000000000-mapping.dmp
  • memory/1460-1-0x0000000000000000-0x0000000000000000-disk.dmp
  • memory/1648-4-0x0000000000000000-mapping.dmp