Analysis
- max time kernel: 85s
- max time network: 62s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: order587458.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: order587458.exe
  Resource: win10
General
- Target: order587458.exe
- Size: 408KB
- MD5: f4305f4e50460977b0ff2431b9757439
- SHA1: 17742bda937de344a656ac5b743456b466ad8e6b
- SHA256: 4c72144a1bf6af1702d13a66880820fb987125f63216a40e627ad963b85eeb39
- SHA512: b36d6a4ba3e98d398b4001862036fc1080ef52b7898bcec50fd2d0e43957aa7c44f3395e222bd1bec8b0cf95cdacac5e2b4d556535f42669f5c56a55e99fe3f7
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: j.koskela@yandex.com
- Password: voice5&&*489
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/784-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/784-5-0x0000000000446C8E-mapping.dmp | family_agenttesla
  behavioral1/memory/784-6-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/784-7-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: order587458.exe
  description | pid | process | target process
  PID 1088 set thread context of 784 | 1088 | order587458.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: order587458.exe, RegSvcs.exe
  pid | process
  1088 | order587458.exe
  784 | RegSvcs.exe
  784 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: order587458.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1088 | order587458.exe
  Token: SeDebugPrivilege | 784 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  784 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: order587458.exe
  description | pid | process | target process
  PID 1088 wrote to memory of 1492 | 1088 | order587458.exe | schtasks.exe
  PID 1088 wrote to memory of 1492 | 1088 | order587458.exe | schtasks.exe
  PID 1088 wrote to memory of 1492 | 1088 | order587458.exe | schtasks.exe
  PID 1088 wrote to memory of 1492 | 1088 | order587458.exe | schtasks.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
  PID 1088 wrote to memory of 784 | 1088 | order587458.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\order587458.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\order587458.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nkaqFYsJopyNk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E53.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7E53.tmp
  MD5: f46a462c5ad93a56f95d5af1f4905337
  SHA1: a7489ebf3fa8f8324bf322d18b4aee6edcb453cc
  SHA256: 806cd9e0f028d2eec94b120bf66f9086661d03325b70423acb258ced0efefb05
  SHA512: 0f09d59d0986082b10779aebe0efbc5a1a56f59dfa36ab4a374d93950e1719e690b4a2a6b29a886df5dd16470ca7b8166fb7794b7b1190c34b53e66c945a4da0
- memory/784-4-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/784-5-0x0000000000446C8E-mapping.dmp
- memory/784-6-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/784-7-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1088-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1492-2-0x0000000000000000-mapping.dmp