Analysis
- max time kernel: 119s
- max time network: 136s
- platform: windows10_x64
- resource: win10
- submitted: 29-06-2020 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: PO.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: PO.exe
  Resource: win10
General
- Target: PO.exe
- Size: 435KB
- MD5: 28159c2ff019251165e9d2ada70be08e
- SHA1: 94cbca8d04f668b0a3d71053077ebfe30b713530
- SHA256: 404d422ffb09a4f24ad333ccdd211d0eb2ea84b650f095baadf3443fb6deb7b1
- SHA512: ba0f192b535a992f609028e34d2764245827a28f02f19f0ef43b6c37152b4d177353b04e372d3c48257f44fa864b25954a25b8d560e22392ba3edb610361c35f
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.condeunt.com
- Port: 587
- Username: arqueries.singapore@condeunt.com
- Password: EM(ufuT3
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: PO.exe, RegSvcs.exe
  description                        pid   process       target process
  PID 3384 wrote to memory of 540    3384  PO.exe        schtasks.exe
  PID 3384 wrote to memory of 540    3384  PO.exe        schtasks.exe
  PID 3384 wrote to memory of 540    3384  PO.exe        schtasks.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 3384 wrote to memory of 648    3384  PO.exe        RegSvcs.exe
  PID 648 wrote to memory of 1908    648   RegSvcs.exe   REG.exe
  PID 648 wrote to memory of 1908    648   RegSvcs.exe   REG.exe
  PID 648 wrote to memory of 1908    648   RegSvcs.exe   REG.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PO.exe
  description                          pid   process   target process
  PID 3384 set thread context of 648   3384  PO.exe    RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description               pid   process
  Token: SeDebugPrivilege   648   RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid   process
  648   RegSvcs.exe
  648   RegSvcs.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies registry key (1 TTPs, 1 IoCs)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YchbTZZKkVZKFJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF085.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / v NoRun / t REG_DWORD / d 1 / f
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF085.tmp
- memory/540-0-0x0000000000000000-mapping.dmp
- memory/648-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/648-3-0x0000000000446DDE-mapping.dmp
- memory/1908-4-0x0000000000000000-mapping.dmp