Analysis
max time kernel: 150s
max time network: 45s
platform: windows10_x64
resource: win10v200430
submitted: 30-06-2020 12:13

Static task: static1
Behavioral task: behavioral1 (Sample: inquiry.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: inquiry.exe, Resource: win10v200430)
General
Target: inquiry.exe
Size: 1.1MB
MD5: 634229321696c6c4eeea45af54e0bcb2
SHA1: 2f7181695e47f139f773795e41f56f69a1fa0b6f
SHA256: 69f0daa863cb586a1e2b00b6335bc69f7f06615b44b2f81bb5445d6912f6a80e
SHA512: 29427229aa3ef9304b729f9c19eeb58f6c954c5b5c7e37e07194e2031797544768a52097329f2258278a1bb1b4336c63c3b1bee76df4ca42a5f839be2fc77e38
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: jerryedward1@yandex.ru
Password: enugu042
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 2 IoCs
Processes:
  resource: behavioral2/memory/2860-7-0x0000000001300000-0x00000000017D7000-memory.dmp  yara_rule: family_agenttesla
  resource: behavioral2/memory/2860-8-0x000000000134693E-mapping.dmp  yara_rule: family_agenttesla
-
Executes dropped EXE 2 IoCs
Processes:
  PID 2080  avkted.pif
  PID 2860  RegSvcs.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  avkted.pif: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  avkted.pif: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\93830104\\avkted.pif c:\\93830104\\jaqp.crh"
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 2080 (avkted.pif) set thread context of PID 2860 (RegSvcs.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries, two distinct pid/process pairs):
  PID 2080  avkted.pif
  PID 2860  RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  PID 2860 (RegSvcs.exe): Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID 2860  RegSvcs.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 756 (inquiry.exe) wrote to memory of PID 2080 (avkted.pif)  (3 entries)
  PID 2080 (avkted.pif) wrote to memory of PID 2860 (RegSvcs.exe)  (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\inquiry.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\inquiry.exe"
  - Suspicious use of WriteProcessMemory
  - C:\93830104\avkted.pif (depth 2)
    Command line: "C:\93830104\avkted.pif" jaqp.crh
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\93830104\avkted.pif
  MD5: 8939087523c8c4815680f11d1a29a2bf
  SHA1: 0159ea905c98f9ac82f8191b5af7a982d39e1e6d
  SHA256: 11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551
  SHA512: b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735
- C:\93830104\jaqp.crh
  MD5: cba6948c65ddd3dd65fb1ef22b384d82
  SHA1: ceff2c33154bfb3eadbf4d130399a5f7672911dd
  SHA256: bad871c11892d6b5665833f57de5763e4c72ccafb4abfc0ecab2a7ea250b46d5
  SHA512: 46cf48c14d29f15496a6d27e0fb0c29f9d130e92edc4d6ef116999f1e327cd6b2282b00758c16e797560fe3f1f484ea461d7e16dd7e7e224a7c2e3208cd674f4
- C:\93830104\ungosat.txt
  MD5: f40738e0b4cbc5c47bfa39b05fee31c8
  SHA1: 833b4d3c56c480924c95518cc918722a81c1499e
  SHA256: 84c1bf3fc2cbb51d69a2d7b6a23dcc198c7f5a1883fec1fee7698b8afc4123a8
  SHA512: 2df7ca9fa499f209f65e7b723992b398e257c3dc92e458234959f2740cf3bbc060d5e2ee5dbd1858f8298ae1a6192b194fa5d45797af008c71b6e6bec1318ec2
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/2080-2-0x0000000000000000-mapping.dmp
- memory/2860-7-0x0000000001300000-0x00000000017D7000-memory.dmp
  Filesize: 4.8MB
- memory/2860-8-0x000000000134693E-mapping.dmp