Overview

overview

10

Static

static

978905601.msi

windows7_x64

10

978905601.msi

windows10_x64

8

Analysis

  • max time kernel
    109s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    30-06-2020 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    978905601.msi

  • Size

    464KB

  • MD5

    f2eaec2d18d76621ed844a1877dc360f

  • SHA1

    dde6b3b51bb85fcc964201b6cdb183ca9704b81c

  • SHA256

    15c7aaf96e773849126a63a0c6b567cd27825fe56ebe262098dc56c69432b531

  • SHA512

    9f37b6f8a924bb68a72c5b94cd497e9fb729878fa8239f60a7dbff11068b40fb98db487fb4111201542478e0244e1d8e17cc3a3ab03230bc486b65bf2863f712

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    baso.elcx@yandex.com
  • Password:
    HYF76io83%$6

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\978905601.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1100
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\Installer\MSIAA63.tmp
      "C:\Windows\Installer\MSIAA63.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qzoutxtRkpOte" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48D2.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1624
      • C:\Windows\Installer\MSIAA63.tmp
        "{path}"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1608
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1520
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A8" "00000000000005A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp48D2.tmp
    MD5

    7e8548bd762b1f9d1568a44e264b501f

    SHA1

    0add977fde3ee668be7f7b178f5f42818f7a00e7

    SHA256

    90ef6e5f0ba092f888ae12bb20b4a31646cb7f1f9829c105db1a05ea8132b1f6

    SHA512

    ea3855c76785d504577b39812d10054d52fd33fb489b71f5ddc251f1dfe0b59f97637f5b42e0b3c20e2f25bd6c28a138a246233f8843b7340aca19e50707c3cc

    Download Submit
  • C:\Windows\Installer\MSIAA63.tmp
    MD5

    f2aa5fdc289dc5b0114ec277eeac0435

    SHA1

    1e4cab1ad8e614b37ea1cd4c67a8c862ed6e2603

    SHA256

    63b1cf89f89039c8f21f26f08e8724d6576e66edd8533e02fb4c149a8dff15c1

    SHA512

    bfdb2509b7d44aac5531bf1afd8d84a886a6a4c30df50bf555eea5178fe7c1b1a1d48d6c8e716147959f2201a1604776e22230923f053a1cc10a8f7c49f5a495

    Download Submit
  • C:\Windows\Installer\MSIAA63.tmp
    MD5

    f2aa5fdc289dc5b0114ec277eeac0435

    SHA1

    1e4cab1ad8e614b37ea1cd4c67a8c862ed6e2603

    SHA256

    63b1cf89f89039c8f21f26f08e8724d6576e66edd8533e02fb4c149a8dff15c1

    SHA512

    bfdb2509b7d44aac5531bf1afd8d84a886a6a4c30df50bf555eea5178fe7c1b1a1d48d6c8e716147959f2201a1604776e22230923f053a1cc10a8f7c49f5a495

    Download Submit
  • C:\Windows\Installer\MSIAA63.tmp
    MD5

    f2aa5fdc289dc5b0114ec277eeac0435

    SHA1

    1e4cab1ad8e614b37ea1cd4c67a8c862ed6e2603

    SHA256

    63b1cf89f89039c8f21f26f08e8724d6576e66edd8533e02fb4c149a8dff15c1

    SHA512

    bfdb2509b7d44aac5531bf1afd8d84a886a6a4c30df50bf555eea5178fe7c1b1a1d48d6c8e716147959f2201a1604776e22230923f053a1cc10a8f7c49f5a495

    Download Submit
  • memory/560-64-0x0000000000000000-0x0000000000000000-disk.dmp
    Download
  • memory/560-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1100-1-0x00000000040A0000-0x00000000040A4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1100-78-0x00000000022B0000-0x00000000022B4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1100-0-0x00000000032B0000-0x00000000032B4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-7-0x0000000000700000-0x0000000000704000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-5-0x0000000001140000-0x0000000001144000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-9-0x0000000000700000-0x0000000000704000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-3-0x00000000004D0000-0x00000000004D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1312-6-0x0000000000700000-0x0000000000704000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-77-0x0000000004630000-0x0000000004634000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-76-0x0000000001140000-0x0000000001144000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1312-58-0x0000000002D60000-0x0000000002D80000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1312-75-0x0000000004630000-0x0000000004634000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1608-71-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1608-70-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1608-68-0x0000000000446DEE-mapping.dmp
    Download
  • memory/1608-67-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1624-65-0x0000000000000000-mapping.dmp
    Download