Analysis
- Max time kernel: 93s
- Max time network: 76s
- Platform: windows7_x64
- Resource: win7
- Submitted: 28-06-2020 10:08
- Static task: static1
- Behavioral task: behavioral1 (sample: Inquiry Copy.exe, resource: win7)
- Behavioral task: behavioral2 (sample: Inquiry Copy.exe, resource: win10v200430)
General
- Target: Inquiry Copy.exe
- Size: 519KB
- MD5: 5ebf752e445c2a9222357ea6ed653556
- SHA1: ff7fd12de0ddd6fa819db103d023e1b3e24a36d2
- SHA256: 7dfe5d9e3e099285a3bc63497d1ee47ac99b7012f23beb730d73557b40afa26c
- SHA512: 0c16ec901b238d60176349c30cf9aa29d3522f8544d5cc32aeba71e72e3954051651808264551d639ae19ef384c865310c70092c334a7dc33cd64bdbfb2603a4
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: alexisborris@yandex.ru
- Password: @Veronica24#
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Memory resources matching YARA rule family_agenttesla:
  - behavioral1/memory/1036-4-0x0000000000400000-0x0000000000452000-memory.dmp
  - behavioral1/memory/1036-5-0x000000000044CB2E-mapping.dmp
  - behavioral1/memory/1036-6-0x0000000000400000-0x0000000000452000-memory.dmp
  - behavioral1/memory/1036-7-0x0000000000400000-0x0000000000452000-memory.dmp
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Inquiry Copy.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Inquiry Copy.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Inquiry Copy.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: Inquiry Copy.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1204 (Inquiry Copy.exe) set thread context of PID 1036 (MSBuild.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1036 (MSBuild.exe), 2 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 1036 (MSBuild.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1036 (MSBuild.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1204 (Inquiry Copy.exe) wrote to memory of PID 480 (schtasks.exe), 4 events
  - PID 1204 (Inquiry Copy.exe) wrote to memory of PID 1036 (MSBuild.exe), 9 events
  - PID 1036 (MSBuild.exe) wrote to memory of PID 1860 (netsh.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Inquiry Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry Copy.exe"
  Signatures: Checks BIOS information in registry; Maps connected drives based on registry; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ttACusphqnbFa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp
  MD5: 3d856782f8b077cfdec30afdb8dea00b
  SHA1: 6810a4defa1cf7df7ad7aa5e3f8e87e8e6fbab8c
  SHA256: 8ba60adb8e2c21090088efa4e978a25a6b45bc16e217f4a4adb7d841a8cc815b
  SHA512: 50f62d0616d2f83ce0aa1db86e73195b6686734ec13bba6f7e8a7e799c56a436b0e5fe7616e7ebd8e0c6d2fe72eb1e35a54ab39856b979314cf259919759a518
- memory/480-2-0x0000000000000000-mapping.dmp
- memory/1036-4-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/1036-5-0x000000000044CB2E-mapping.dmp
- memory/1036-6-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/1036-7-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/1204-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1860-8-0x0000000000000000-mapping.dmp