Analysis
max time kernel: 150s
max time network: 6s
platform: windows7_x64
resource: win7v200430
submitted: 07/07/2020, 10:53
Static task: static1
Behavioral task: behavioral1
  Sample: PO 321134.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: PO 321134.exe
  Resource: win10
General
Target: PO 321134.exe
Size: 1.1MB
MD5: 7b2934d2e00efcb5d5dd7ea10c29da17
SHA1: 710fd63edc49f1d74a714398674400254b76574e
SHA256: abf8160dd66f87903ba311f77da9f6b5c66538ffd5eedc9555a46369a6917b27
SHA512: 1f543a60f91238b97133794dec53d447e1f66952aecab6e754d45bae637412d9eaf2fe38f09dd1efe09f562ee31a46eebb6500775203ae98d5216b07ab94d6ed
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.mail.com
Port: 587
Username: [email protected]
Password: UCHE123456
(This is the exfiltration channel: harvested credentials are mailed to this operator-controlled account, so outbound SMTP to this host on 587 from a non-mail process is a network indicator.)
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; it harvests browser, mail and FTP client credentials and sends them out over SMTP, FTP or HTTP. The extracted config above shows the SMTP variant.

AgentTesla Payload 4 IoCs
resource                                                          yara_rule
behavioral1/memory/1792-11-0x00000000003A0000-0x0000000000AF2000-memory.dmp   family_agenttesla
behavioral1/memory/1792-12-0x00000000003ED54E-mapping.dmp                     family_agenttesla
behavioral1/memory/1792-14-0x00000000003A0000-0x0000000000AF2000-memory.dmp   family_agenttesla
behavioral1/memory/1792-15-0x00000000003A0000-0x0000000000AF2000-memory.dmp   family_agenttesla
(All four hits are in the memory of PID 1792, the RegSvcs.exe process, not in the file that was submitted: the payload only exists unpacked inside the injected process.)
Executes dropped EXE 2 IoCs
pid    Process
1524   ngeih.pif
1792   RegSvcs.exe

Loads dropped DLL 5 IoCs
pid    Process
1356   PO 321134.exe   (4 entries)
1524   ngeih.pif       (1 entry)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Process: ngeih.pif
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\16437174\\ngeih.pif c:\\16437174\\apgxijq.tun"
  Process: ngeih.pif
Suspicious use of SetThreadContext 1 IoCs
description: PID 1524 (ngeih.pif) set thread context of PID 1792 (RegSvcs.exe); procid_target 25
Taken together with the WriteProcessMemory events from 1524 into 1792 below, the RegSvcs.exe copy running from the user's Temp directory, and the AgentTesla YARA hits living only in 1792's memory, this is consistent with process hollowing: the loader starts a legitimate-looking .NET utility, overwrites its image with the payload and resumes the thread with a new context.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for this sample it is more plausibly drive enumeration by the loader or the stealer, and nothing else in the report indicates file encryption.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
1792   RegSvcs.exe   (6 entries)
1524   ngeih.pif     (all remaining entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
  pid: 1792
  Process: RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid    Process
1792   RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs
description                          pid    Process         procid_target   count
PID 1356 wrote to memory of 1524     1356   PO 321134.exe   24              4
PID 1524 wrote to memory of 1792     1524   ngeih.pif       25              9
PID 1792 wrote to memory of 1928     1792   RegSvcs.exe     29              4
Processes
C:\Users\Admin\AppData\Local\Temp\PO 321134.exe   (PID 1356, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\PO 321134.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\16437174\ngeih.pif   (PID 1524, depth 2, child of 1356)
    command line: "C:\16437174\ngeih.pif" apgxijq.tun
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe   (PID 1792, depth 3, child of 1524)
      command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe   (PID 1928, depth 4, child of 1792)
        command line: "netsh" wlan show profile
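The chain above (a .pif loader in a digits-only directory writing into, and setting the thread context of, a RegSvcs.exe copied to Temp, which then runs netsh wlan show profile to read saved Wi-Fi profiles) and the Run value it sets are both huntable in ordinary process-creation and registry telemetry. The Python below is an added example and is not part of the sandbox report or of the sample: the process events, the Run values and the regexes are constructed for illustration and modelled on the report's process tree, with one benign RegSvcs.exe run from its real framework directory as a control.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation event (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process events modelled on the report's process tree, plus one
# benign RegSvcs.exe run from its real framework directory as a control.
# These are not real telemetry.
EVENTS = [
    Proc(1356, 900, r"C:\Users\Admin\AppData\Local\Temp\PO 321134.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\PO 321134.exe"'),
    Proc(1524, 1356, r"C:\16437174\ngeih.pif", r'"C:\16437174\ngeih.pif" apgxijq.tun'),
    Proc(1792, 1524, r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"'),
    Proc(1928, 1792, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
    Proc(2200, 2100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r"RegSvcs.exe MyAssembly.dll"),
]

# Constructed Run-key values: the report's entry plus a benign one.
RUN_VALUES = {
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe":
        r"c:\16437174\ngeih.pif c:\16437174\apgxijq.tun",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# .NET framework utilities that injectors commonly hollow; they are expected
# only under the framework directory, never in a user's Temp.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
# Loader shape seen in this report: a .pif/.scr/.com directly under a digits-only directory.
ODD_LOADER = re.compile(r"^[a-z]:\\\d+\\[^\\]+\.(pif|scr|com)$", re.I)
NUMERIC_DIR = re.compile(r"\b[a-z]:\\\d+\\", re.I)
WIFI_DUMP = re.compile(r"\bwlan\s+show\s+profile", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_displaced_dotnet_host(p: Proc) -> bool:
    """RegSvcs.exe & co. running from anywhere but the .NET framework directory."""
    return basename(p.image) in DOTNET_HOSTS and not FRAMEWORK_DIR.match(p.image)


def find_hollowing_chains(events):
    """Return loader -> displaced .NET host (-> netsh wlan show profile) chains."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for host in events:
        if not is_displaced_dotnet_host(host):
            continue
        loader = by_pid.get(host.ppid)
        if loader is None or not ODD_LOADER.match(loader.image):
            continue
        wifi = [c.pid for c in events
                if c.ppid == host.pid and basename(c.image) == "netsh.exe"
                and WIFI_DUMP.search(c.cmdline)]
        hits.append({"loader": loader.pid, "host": host.pid, "netsh": wifi})
    return hits


def suspicious_run_values(values):
    """Run-key values that launch a .pif/.scr/.com or point into a digits-only directory."""
    return {name: v for name, v in values.items()
            if re.search(r"\.(pif|scr|com)\b", v, re.I) or NUMERIC_DIR.search(v)}


if __name__ == "__main__":
    for hit in find_hollowing_chains(EVENTS):
        print("hollowing chain:", hit)
    for name, value in suspicious_run_values(RUN_VALUES).items():
        print("suspicious Run value:", name, "=", value)
```

The host check keys on where RegSvcs.exe runs from rather than on its name, because the binary itself is a signed Microsoft file; the same idea applies to RegAsm.exe, InstallUtil.exe and MSBuild.exe, which loaders of this kind swap in freely. The netsh child is reported as part of the chain rather than as its own alert because "wlan show profile" also appears in legitimate helpdesk scripts.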