Analysis
- max time kernel: 151s
- max time network: 83s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 06:39
Static task: static1
Behavioral task: behavioral1
- Sample: 407414fb84a4bcd7a73836f31162a80d.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 407414fb84a4bcd7a73836f31162a80d.exe
- Resource: win10
General
- Target: 407414fb84a4bcd7a73836f31162a80d.exe
- Size: 413KB
- MD5: 407414fb84a4bcd7a73836f31162a80d
- SHA1: c0bfb679fe2d247a1de30aa2758fbbf371ec1272
- SHA256: eb2e619a6b39f4b2024b68cc87c58d81eed6a7ae1177ac020c01c71b2c908809
- SHA512: ae2e4a265d126413c5eb2267fc3f521e630c021d1a27665a0875df7b5cd451398ff42bd456ed974413e23535d4f046fffb8b22009c898214be317ccb32159e79
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: lu.baorong@ivqspa.com
- Password: HEoxefZ9
This is the exfiltration account: Agent Tesla mails stolen credentials out through it (587 is the SMTP submission port, normally STARTTLS), so outbound SMTP from user workstations to this host, or any authentication as this user, is a direct indicator of a compromised machine rather than of this sample alone.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); early variants were written in Visual Basic .NET.
-
AgentTesla Payload (4 IoCs)
YARA rule family_agenttesla matched on:
- behavioral1/memory/1740-2-0x0000000000400000-0x000000000044C000-memory.dmp
- behavioral1/memory/1740-3-0x000000000044795E-mapping.dmp
- behavioral1/memory/1740-4-0x0000000000400000-0x000000000044C000-memory.dmp
- behavioral1/memory/1740-5-0x0000000000400000-0x000000000044C000-memory.dmp
All four hits are in the memory of PID 1740, not in the file on disk: the payload is only recognisable once the loader has unpacked it.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application (2 TTPs, 1 IoC)
- Process 407414fb84a4bcd7a73836f31162a80d.exe: Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"
The Run value points at a copy of the sample under the user's Roaming profile, so the original file in Temp can be deleted without losing persistence.
-
Suspicious use of SetThreadContext (1 IoC)
- PID 1296 (407414fb84a4bcd7a73836f31162a80d.exe) set the thread context of PID 1740 (407414fb84a4bcd7a73836f31162a80d.exe)
Taken together with the WriteProcessMemory events below and the family_agenttesla matches in PID 1740's memory, this is the loader launching a second copy of itself, overwriting its image with the unpacked payload and redirecting execution into it (process hollowing). The on-disk file is the packer; the real stealer only ever exists in PID 1740.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but no encryption or file-modification activity is recorded here; for an infostealer, drive enumeration is more plausibly profiling the host or looking for files to harvest.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1740 (407414fb84a4bcd7a73836f31162a80d.exe), 2 events
-
Suspicious behavior: RenamesItself (1 IoC)
- PID 1740 (407414fb84a4bcd7a73836f31162a80d.exe)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 1740 (407414fb84a4bcd7a73836f31162a80d.exe) enabled SeDebugPrivilege in its token
-
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 1296 (407414fb84a4bcd7a73836f31162a80d.exe) wrote to the memory of PID 1336 (schtasks.exe): 4 events
- PID 1296 (407414fb84a4bcd7a73836f31162a80d.exe) wrote to the memory of PID 1740 (407414fb84a4bcd7a73836f31162a80d.exe): 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe (level 1, PID 1296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 1336)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UHEokKme" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe (level 2, PID 1740)
    Command line: "{path}"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Two details in this tree are worth hunting on. The command line asks for System32\schtasks.exe but the image that ran is under SysWOW64, so the sample is a 32-bit process on 64-bit Windows and every child it spawns is WOW64-redirected. The hollowed child's command line is the literal string "{path}", an unfilled template placeholder left by the injector; a process whose command line is exactly "{path}" has no legitimate reason to exist. The task XML is written to a %TEMP%\tmp*.tmp file and imported with /XML, which keeps the task definition (trigger, action, run level) out of the command line; the file is listed under Downloads with its hashes.
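The behaviours above reduce to four host-telemetry patterns: a process that spawns its own image and then rewrites it with WriteProcessMemory and SetThreadContext, a child whose command line is the bare placeholder "{path}", schtasks /Create importing an XML from the user's Temp directory, and a Run value pointing into AppData\Roaming. The following is an added example written for this report, not code from the sandbox or from the sample, showing those patterns as detection logic run over constructed Sysmon-style events that mirror the process tree (the event dictionaries, the benign control task and the parent PID 900/1500 values are made up for the example):

```python
"""Detection logic for the behaviours in this report, run over constructed events.

Added example; the events below are constructed to mirror the sandbox's process
tree and are not real telemetry.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe"

# Constructed events (not real telemetry). PPID 900/1500 are invented.
EVENTS = [
    {"type": "process_create", "pid": 1296, "ppid": 900,
     "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1336, "ppid": 1296,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UHEokKme" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8C6.tmp"'},
    {"type": "process_create", "pid": 1740, "ppid": 1296,
     "image": SAMPLE, "cmdline": "{path}"},
    # Writing into a freshly created child is normal; only the self-image plus
    # SetThreadContext combination is the hollowing tell.
    {"type": "process_access", "src_pid": 1296, "dst_pid": 1336, "api": "WriteProcessMemory"},
    {"type": "process_access", "src_pid": 1296, "dst_pid": 1740, "api": "WriteProcessMemory"},
    {"type": "process_access", "src_pid": 1296, "dst_pid": 1740, "api": "SetThreadContext"},
    {"type": "registry_set", "pid": 1740,
     "key": r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku",
     "value": r"C:\Users\Admin\AppData\Roaming\YYtJku\YYtJku.exe"},
    # Benign control: an admin importing a task definition from ProgramData.
    {"type": "process_create", "pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /TN "Backup\Nightly" /XML "C:\ProgramData\backup\nightly.xml"'},
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
XML_ARG_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def detect(events):
    """Return (rule, pid, detail) tuples for every pattern that fires."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    access = defaultdict(set)
    for e in events:
        if e["type"] == "process_access":
            access[(e["src_pid"], e["dst_pid"])].add(e["api"])

    # Rule 1: self-hollowing. Parent spawns its own image, writes into it and
    # sets the child's thread context (the report's SetThreadContext signature).
    for (src, dst), apis in access.items():
        s, d = procs.get(src), procs.get(dst)
        if (s and d and d["ppid"] == src
                and s["image"].lower() == d["image"].lower()
                and {"WriteProcessMemory", "SetThreadContext"} <= apis):
            findings.append(("self_hollowing", dst, f"parent {src} rewrote child {dst}"))

    for pid, p in procs.items():
        # Rule 2: the unfilled "{path}" placeholder left by the injector.
        if p["cmdline"].strip() == "{path}":
            findings.append(("placeholder_cmdline", pid, p["cmdline"]))
        # Rule 3: schtasks importing its definition from the user's Temp dir.
        if p["image"].lower().endswith("\\schtasks.exe"):
            m = XML_ARG_RE.search(p["cmdline"])
            if m and USER_TEMP_RE.search(m.group(1)):
                findings.append(("schtasks_xml_from_temp", pid, m.group(1)))

    # Rule 4: a Run value whose target lives under AppData\Roaming.
    for e in events:
        if (e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"])
                and ROAMING_RE.search(e["value"])):
            findings.append(("run_key_roaming", e["pid"], e["value"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24s} pid={pid} {detail}")
```

Rule 1 deliberately requires all three conditions; a parent writing into a just-created child (as PID 1296 does into schtasks.exe here) is how CreateProcess behaves and fires nothing on its own. Rule 3 keys on the XML path rather than on schtasks itself, which is why the ProgramData control task stays silent.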
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8C6.tmp (the scheduled-task XML imported by schtasks /XML above)
  MD5: a6a6d280e1fff6dfb9c6dc7af32e85c0
  SHA1: 6ea2238b179be618c90952a8994e0ea0252457ab
  SHA256: cb3435003618cb767043f5d9d82c2afe92c19b000a5b8fbee7a7e3533c1a2ab9
  SHA512: 09b2ad22e366ec9e86ee55e3a1784b85134db30b9f02de1ac8a7fdd5b8b3ff8da579e9ef104ec93d8d87ebf5177a78aa7dde99082955ce63d89b2650f86cad13
- memory/1336-0-0x0000000000000000-mapping.dmp
- memory/1740-2-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1740-3-0x000000000044795E-mapping.dmp
- memory/1740-4-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1740-5-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
The three 304KB dumps cover 0x400000-0x44C000 in PID 1740, the region the family_agenttesla rule matched; that is the unpacked payload and the file to carve and analyse, not the 413KB sample on disk.