Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 06:31
Static task: static1
Behavioral task: behavioral1
- Sample: TRM76EWDS.com.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: TRM76EWDS.com.exe
- Resource: win10
General
- Target: TRM76EWDS.com.exe
- Size: 401KB
- MD5: fa54db10aba75c0b629fea0c37e64de3
- SHA1: 931097d1be9092432b8ebb04c0a96f36060aa7ea
- SHA256: 052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634
- SHA512: c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: dubemlogszz@lascostoolsc.xyz
- Password: dubem@4000XAXAX
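The extracted config is the sample's exfiltration channel: an attacker-controlled mailbox reached over SMTP submission (port 587). The script below is an added example, not part of this report and not Agent Tesla's own code. It parses the config exactly as the report flattens it, derives a network indicator from it, and checks a few constructed connection records for the hollowed RegSvcs.exe reaching that host. The connection records, the NetEvent field names and the MAIL_CLIENTS allow-list are assumptions; host, port and account are copied from the report.

```python
"""Added example, not part of the sandbox report or of Agent Tesla itself.

Turns the extracted SMTP exfiltration config into network indicators and
checks CONSTRUCTED connection records against them. Host, port and account
are copied from the report; the connection records, the mail-client
allow-list and the record field names are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The config block exactly as the report flattens it.
REPORT_CONFIG = """Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
dubemlogszz@lascostoolsc.xyz - Password:
dubem@4000XAXAX"""


def parse_config(text: str) -> Dict[str, str]:
    """Recover 'Key: value' pairs from the flattened layout.

    A value runs from its colon to the next ' - Key:' separator or the end of
    the text; the separator may be glued to the value, as in 'smtp- Host:'.
    """
    flat = " ".join(text.split())
    return dict(re.findall(r"(\w+):\s*(.*?)(?=\s*-\s*\w+:|$)", flat))


@dataclass(frozen=True)
class SmtpIndicator:
    host: str
    port: int
    account: str
    password: str

    @classmethod
    def from_config(cls, cfg: Dict[str, str]) -> "SmtpIndicator":
        return cls(cfg["Host"].lower(), int(cfg["Port"]), cfg["Username"], cfg["Password"])

    def auth_login_tokens(self) -> Tuple[str, str]:
        """Base64 lines a cleartext AUTH LOGIN exchange would carry.

        Only visible on the wire if the session never upgrades with STARTTLS;
        on the submission port (587) it normally does, so the connection to
        the host is the reliable indicator, not the AUTH lines.
        """
        return (base64.b64encode(self.account.encode()).decode(),
                base64.b64encode(self.password.encode()).decode())


@dataclass(frozen=True)
class NetEvent:
    """Shape of a process-attributed outbound connection record (assumed)."""
    image: str
    dst_host: str
    dst_port: int


# Processes allowed to talk to an SMTP submission port (assumption: tune per site).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def classify(event: NetEvent, ioc: SmtpIndicator) -> Optional[str]:
    image = event.image.rsplit("\\", 1)[-1].lower()
    if event.dst_host.lower() == ioc.host and event.dst_port == ioc.port:
        return "connection to Agent Tesla exfiltration host"
    if event.dst_port == ioc.port and image not in MAIL_CLIENTS:
        return "SMTP submission from a non-mail process"
    return None


def matches_auth_login(line: str, ioc: SmtpIndicator) -> bool:
    """True if a captured base64 AUTH LOGIN line decodes to the stolen-mailbox account."""
    try:
        return base64.b64decode(line.strip(), validate=True) == ioc.account.encode()
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed records: the first mirrors what the hollowed RegSvcs.exe would do.
SAMPLE_EVENTS: List[NetEvent] = [
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe", "mail.privateemail.com", 587),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.office365.com", 587),
    NetEvent(r"C:\Windows\System32\svchost.exe", "smtp.example.net", 587),
    NetEvent(r"C:\Windows\System32\svchost.exe", "www.example.com", 443),
]


def triage(events: List[NetEvent], ioc: SmtpIndicator) -> List[Tuple[str, str]]:
    hits = []
    for e in events:
        verdict = classify(e, ioc)
        if verdict:
            hits.append((e.image.rsplit("\\", 1)[-1], verdict))
    return hits


if __name__ == "__main__":
    ioc = SmtpIndicator.from_config(parse_config(REPORT_CONFIG))
    for image, verdict in triage(SAMPLE_EVENTS, ioc):
        print(f"{image}: {verdict}")
```

The host match is the high-confidence rule; the second rule (any non-mail process speaking to port 587) is a broader hunt that will also catch legitimate scripts and servers, so it belongs in a review queue rather than an auto-block. Because Agent Tesla authenticates to a real mailbox, the account in the config is also a takedown lead for the mail provider.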
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (originally Visual Basic .NET). This sample exfiltrates over SMTP to the mailbox in the extracted config.
- AgentTesla Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1536-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1536-1-0x00000000004474DE-mapping.dmp | family_agenttesla
  behavioral1/memory/1536-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1536-3-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TRM76EWDS.com.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TRM76EWDS.com.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  The persisted copy lives under the user's Temp directory and is registered in the per-user Run key, so it survives a reboot without needing elevation.
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZAXVpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZAXVpp\\ZAXVpp.exe" | RegSvcs.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | TRM76EWDS.com.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | TRM76EWDS.com.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1448 set thread context of 1536 | 1448 | TRM76EWDS.com.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1536 | RegSvcs.exe
  1536 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1536 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1448 wrote to memory of 1536 | 1448 | TRM76EWDS.com.exe | RegSvcs.exe (12 identical entries)
  Taken with the SetThreadContext call from the same parent into the same child, this is the process-hollowing pattern: the loader starts the legitimate .NET framework utility RegSvcs.exe, overwrites its memory with the Agent Tesla payload and redirects the initial thread to it, which is why every later IoC (Run key, hosts file, SeDebugPrivilege) is attributed to RegSvcs.exe rather than to the dropper.
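Read together, the signatures above describe one chain: TRM76EWDS.com.exe reads BIOS and disk registry values (sandbox checks), spawns RegSvcs.exe, writes into it twelve times and resets its thread context (process hollowing), and the hollowed RegSvcs.exe then persists through a Run key pointing into the user's Temp directory and opens the hosts file for modification. The script below is an added example, not part of this report, that transcribes those records and re-derives each verdict with one small rule per behaviour. The Event record layout, the HOLLOW_HOSTS and USER_WRITABLE lists and the finding wording are assumptions; the PIDs, images, registry paths and file paths are the report's.

```python
"""Added example, not part of the sandbox report or of the sample itself.

Re-derives the report's verdicts from its raw behavioural records: the
SetThreadContext + WriteProcessMemory pair from the loader into a
RegSvcs.exe it has just spawned (process hollowing), the Run-key value
pointing into a Temp directory, the hosts-file write and the BIOS/disk
registry reads used for sandbox detection. The records are transcribed
from the report; the event field names, the list of commonly hollowed
.NET host binaries and the finding wording are assumptions.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    kind: str             # spawn | inject_ctx | inject_write | reg_set | reg_query | file_write | token
    pid: int              # acting process
    image: str            # acting process image name
    target: str           # child image path, registry key, file path or privilege
    detail: Optional[str] = None   # target pid (spawn/inject) or registry value (reg_set)


# Transcribed from the report: TRM76EWDS.com.exe is PID 1448, RegSvcs.exe is PID 1536.
RECORDS: List[Event] = [
    Event("spawn", 1448, "TRM76EWDS.com.exe",
          r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe", "1536"),
    Event("inject_ctx", 1448, "TRM76EWDS.com.exe", "RegSvcs.exe", "1536"),
    *[Event("inject_write", 1448, "TRM76EWDS.com.exe", "RegSvcs.exe", "1536")] * 12,
    Event("reg_set", 1536, "RegSvcs.exe",
          r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000"
          r"\Software\Microsoft\Windows\CurrentVersion\Run\ZAXVpp",
          r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZAXVpp\\ZAXVpp.exe"'),
    Event("file_write", 1536, "RegSvcs.exe", r"C:\Windows\system32\drivers\etc\hosts"),
    Event("reg_query", 1448, "TRM76EWDS.com.exe",
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", 1448, "TRM76EWDS.com.exe",
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_query", 1448, "TRM76EWDS.com.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
    Event("reg_query", 1448, "TRM76EWDS.com.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    Event("token", 1536, "RegSvcs.exe", "SeDebugPrivilege"),
]

# .NET framework utilities that malware commonly hollows (assumption: extend per environment).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
# Registry names whose values reveal a VM or sandbox (assumption).
SANDBOX_MARKERS = ("systembiosversion", "videobiosversion", "disk\\enum",
                   "vmware", "vbox", "virtualbox")
# Path fragments a persistent binary should not normally live under (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(events: List[Event]) -> List[str]:
    """Flag a parent that spawned a child, wrote into it and then reset its thread context."""
    spawned = {(e.pid, e.detail): e.target for e in events if e.kind == "spawn"}
    writes = Counter((e.pid, e.detail) for e in events if e.kind == "inject_write")
    ctx_reset = {(e.pid, e.detail) for e in events if e.kind == "inject_ctx"}
    findings = []
    for key in sorted(ctx_reset & set(spawned)):
        if writes[key] == 0:
            continue
        parent, child = key
        host = basename(spawned[key])
        note = "known .NET hollowing host" if host in HOLLOW_HOSTS else "unusual target"
        findings.append(f"process hollowing: {parent} -> {child} ({host}, {writes[key]} writes, {note})")
    return findings


def detect_persistence(events: List[Event]) -> List[str]:
    """Run-key values whose executable sits in a user-writable location."""
    out = []
    for e in events:
        if e.kind != "reg_set" or "\\currentversion\\run\\" not in e.target.lower():
            continue
        # The report prints the value quoted with doubled backslashes; normalise it.
        exe = (e.detail or "").strip('"').replace("\\\\", "\\").lower()
        if any(frag in exe for frag in USER_WRITABLE):
            name = e.target.rsplit("\\", 1)[-1]
            out.append(f"persistence: {e.image} set Run\\{name} -> {exe}")
    return out


def detect_hosts_tamper(events: List[Event]) -> List[str]:
    return [f"hosts file opened for modification by {e.image} (pid {e.pid})"
            for e in events
            if e.kind == "file_write" and e.target.lower().endswith("\\drivers\\etc\\hosts")]


def detect_sandbox_checks(events: List[Event]) -> List[str]:
    return [f"sandbox check: {e.image} read {e.target}"
            for e in events
            if e.kind == "reg_query" and any(m in e.target.lower() for m in SANDBOX_MARKERS)]


def triage(events: List[Event]) -> Dict[str, List[str]]:
    return {
        "hollowing": detect_hollowing(events),
        "persistence": detect_persistence(events),
        "hosts": detect_hosts_tamper(events),
        "sandbox": detect_sandbox_checks(events),
    }


if __name__ == "__main__":
    for category, findings in triage(RECORDS).items():
        for line in findings:
            print(f"[{category}] {line}")
```

The hollowing rule deliberately requires all three pieces (parent spawned the child, wrote to it, and reset its thread context); a debugger or an installer can legitimately do one or two of these, and dropping the SetThreadContext requirement is what turns this into a noisy injection alert.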
Processes
- C:\Users\Admin\AppData\Local\Temp\TRM76EWDS.com.exe (PID 1448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TRM76EWDS.com.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1536, child of 1448)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1536-0-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1536-1-0x00000000004474DE-mapping.dmp
- memory/1536-2-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1536-3-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)