Analysis
max time kernel: 129s
max time network: 132s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: 407414fb84a4bcd7a73836f31162a80d.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 407414fb84a4bcd7a73836f31162a80d.exe
  Resource: win10
General
Target: 407414fb84a4bcd7a73836f31162a80d.exe
Size: 413KB
MD5: 407414fb84a4bcd7a73836f31162a80d
SHA1: c0bfb679fe2d247a1de30aa2758fbbf371ec1272
SHA256: eb2e619a6b39f4b2024b68cc87c58d81eed6a7ae1177ac020c01c71b2c908809
SHA512: ae2e4a265d126413c5eb2267fc3f521e630c021d1a27665a0875df7b5cd451398ff42bd456ed974413e23535d4f046fffb8b22009c898214be317ccb32159e79
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: lu.baorong@ivqspa.com
Password: HEoxefZ9
These are the operator's exfiltration mailbox credentials (the account the stealer logs into to send harvested data), not victim credentials. They are useful for blocking and hunting (SMTP submissions to this host or from this sender leaving endpoints) and should be treated as attacker-controlled.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The CLR usage log this sample leaves behind (see Downloads) is consistent with a managed-code payload.
-
AgentTesla Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3868-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral2/memory/3868-3-0x000000000044795E-mapping.dmp | family_agenttesla
Both YARA hits are on memory dumps of PID 3868, the second copy of the executable that PID 3104 writes into (see SetThreadContext and WriteProcessMemory below), not on the file as it sits on disk: the Agent Tesla payload is unpacked in memory.
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" | 407414fb84a4bcd7a73836f31162a80d.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
description | pid | process | target process
PID 3104 set thread context of 3868 | 3104 | 407414fb84a4bcd7a73836f31162a80d.exe | 407414fb84a4bcd7a73836f31162a80d.exe
Together with the repeated WriteProcessMemory calls from 3104 into 3868 listed below, this is the process-hollowing pattern: the first instance launches a second copy of itself, writes the unpacked payload into it, then resets the child's thread context so execution continues in the written code.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is a generic signature: ransomware enumerates drives before encrypting, but stealers and loaders do the same while fingerprinting the host. It is not ransomware-specific, and no file-encryption activity is reported for this sample.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample spawns schtasks.exe to register the task "Updates\UHEokKme" from an XML definition written to C:\Users\Admin\AppData\Local\Temp\tmp5E96.tmp (see Processes and Downloads).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
pid | process
3868 | 407414fb84a4bcd7a73836f31162a80d.exe
3868 | 407414fb84a4bcd7a73836f31162a80d.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
pid | process
3868 | 407414fb84a4bcd7a73836f31162a80d.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
description | pid | process
Token: SeDebugPrivilege | 3868 | 407414fb84a4bcd7a73836f31162a80d.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 407414fb84a4bcd7a73836f31162a80d.exe
description | pid | process | target process
PID 3104 wrote to memory of 3964 (3 events) | 3104 | 407414fb84a4bcd7a73836f31162a80d.exe | schtasks.exe
PID 3104 wrote to memory of 3868 (8 events) | 3104 | 407414fb84a4bcd7a73836f31162a80d.exe | 407414fb84a4bcd7a73836f31162a80d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UHEokKme" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E96.tmp"
      - Creates scheduled task(s)
  └ C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe
      command line: "{path}"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
The command line names System32\schtasks.exe but the image that runs is SysWOW64\schtasks.exe: WoW64 file-system redirection, which shows the sample itself is a 32-bit process on this 64-bit Windows 10 VM (consistent with the CLR_v2.0_32 usage log under Downloads).
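The three behaviours that make up this sample's persistence and injection chain (Run key into AppData\Roaming, schtasks /Create from an XML file in Temp, and a parent writing into a child that runs the same image before SetThreadContext) map directly onto endpoint telemetry. The following is an added example, not part of the sandbox report or of Agent Tesla: it runs detection logic over hand-constructed Sysmon-style event records that mirror the process tree above, and parses a constructed Task Scheduler XML standing in for tmp5E96.tmp, whose contents the report does not show. The GrantedAccess mask on the ProcessAccess event is an assumed value; the report only records the WriteProcessMemory and SetThreadContext calls.

```python
"""Detection logic for the Run-key, schtasks-from-XML and same-image child-injection
behaviours in this report, run over constructed Sysmon-style events.
Added example; the event records and task XML are hand-written, not sandbox output."""
import re
import xml.etree.ElementTree as ET

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\407414fb84a4bcd7a73836f31162a80d.exe"

# Constructed events using Sysmon field names (1 = ProcessCreate, 10 = ProcessAccess,
# 13 = RegistryEvent SetValue). PIDs, paths and command lines follow the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 3104, "ParentProcessId": 2000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 3964, "ParentProcessId": 3104,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UHEokKme" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5E96.tmp"'},
    {"EventID": 1, "ProcessId": 3868, "ParentProcessId": 3104, "Image": SAMPLE,
     "CommandLine": '"{path}"'},
    # GrantedAccess 0x1FFFFF (PROCESS_ALL_ACCESS) is an assumption for the example;
    # the report shows the WriteProcessMemory/SetThreadContext calls, not the handle mask.
    {"EventID": 10, "SourceProcessId": 3104, "TargetProcessId": 3868,
     "SourceImage": SAMPLE, "TargetImage": SAMPLE, "GrantedAccess": 0x1FFFFF},
    {"EventID": 13, "ProcessId": 3868, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-2066881839-3229799743-3576549721-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku",
     "Details": r"C:\Users\Admin\AppData\Roaming\YYtJku\YYtJku.exe"},
]

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
PROCESS_VM_WRITE = 0x0020       # needed for WriteProcessMemory
PROCESS_VM_OPERATION = 0x0008   # needed for VirtualAllocEx / VirtualProtectEx


def run_keys_to_user_dirs(events):
    """Run-key values whose target executable lives under AppData (T1547.001)."""
    return [(e["TargetObject"].rsplit("\\", 1)[-1], e["Details"])
            for e in events
            if e["EventID"] == 13 and e.get("EventType") == "SetValue"
            and re.search(r"\\CurrentVersion\\Run\\", e["TargetObject"], re.I)
            and USER_WRITABLE.search(e["Details"])]


def schtasks_from_xml_in_temp(events):
    """schtasks /Create whose /XML definition is read from a user-writable path (T1053.005)."""
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\schtasks.exe"):
            continue
        cl = e["CommandLine"]
        xml = re.search(r'/XML\s+"?([^"\s]+)', cl, re.I)
        tn = re.search(r'/TN\s+"?([^"\s]+)', cl, re.I)
        if re.search(r"/Create", cl, re.I) and xml and USER_WRITABLE.search(xml.group(1)):
            hits.append((tn.group(1) if tn else None, xml.group(1)))
    return hits


def same_image_child_injection(events):
    """Parent opens its own child (same image) with write access: the handle a hollowing
    loader needs before WriteProcessMemory and SetThreadContext (T1055.012)."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    return [(e["SourceProcessId"], e["TargetProcessId"])
            for e in events
            if e["EventID"] == 10
            and parent_of.get(e["TargetProcessId"]) == e["SourceProcessId"]
            and e["SourceImage"].lower() == e["TargetImage"].lower()
            and e["GrantedAccess"] & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)]


# Constructed Task Scheduler XML standing in for tmp5E96.tmp (contents not in the report).
# The namespace is the real one schtasks /XML files use; the XML declaration is omitted.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe</Command></Exec>
  </Actions>
</Task>"""


def task_definition(xml_text):
    """Pull the action command and trigger kinds out of a schtasks /XML task file."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("./t:Actions/t:Exec/t:Command", namespaces=TASK_NS)
    triggers = [t.tag.split("}")[-1] for t in root.find("./t:Triggers", TASK_NS)]
    return {"command": cmd, "triggers": triggers,
            "user_writable": bool(cmd and USER_WRITABLE.search(cmd))}


if __name__ == "__main__":
    print("run keys:", run_keys_to_user_dirs(EVENTS))
    print("schtasks:", schtasks_from_xml_in_temp(EVENTS))
    print("injection:", same_image_child_injection(EVENTS))
    print("task xml:", task_definition(TASK_XML))
```

Each detector is deliberately narrow: the Run-key check only fires for values pointing into AppData, the schtasks check requires /Create with an /XML file in a user-writable directory, and the injection check requires parent-to-child access on the same image rather than any cross-process handle, which keeps noise from legitimate installers and debuggers down while still catching the sequence this report shows.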
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\407414fb84a4bcd7a73836f31162a80d.exe.log
  MD5: 3753b01eddc20f64178eaf3d55b5c146
  SHA1: ca50665940eb8519e1df0c1f185fb72a271c2a66
  SHA256: 99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37
  SHA512: 566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3
C:\Users\Admin\AppData\Local\Temp\tmp5E96.tmp
  MD5: 8e2206e24ca267b177b95cff805e8c74
  SHA1: 7e9ca69e61512bf0551a969ac4e98868b326c5fc
  SHA256: abb27bda0d75fe63460ff988e889e8c97a4df9847418a03a507573b033b4944c
  SHA512: 901e4cf440c0d1dbc9593c2935be43c3080a0a335fa4b8888bd984b71960ed6202e19f0ddbaecd2f0ca3352dff474f11b18ad9719207c3ae56fa06a6e81c8edc
memory/3868-2-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
memory/3868-3-0x000000000044795E-mapping.dmp
memory/3964-0-0x0000000000000000-mapping.dmp