Analysis
- Max time kernel: 150s
- Max time network: 6s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 07-07-2020 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: PO 321134.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: PO 321134.exe
- Resource: win10
General
- Target: PO 321134.exe
- Size: 1.1MB
- MD5: 7b2934d2e00efcb5d5dd7ea10c29da17
- SHA1: 710fd63edc49f1d74a714398674400254b76574e
- SHA256: abf8160dd66f87903ba311f77da9f6b5c66538ffd5eedc9555a46369a6917b27
- SHA512: 1f543a60f91238b97133794dec53d447e1f66952aecab6e754d45bae637412d9eaf2fe38f09dd1efe09f562ee31a46eebb6500775203ae98d5216b07ab94d6ed
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.mail.com
- Port: 587
- Username: [email protected]
- Password: UCHE123456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1792-11-0x00000000003A0000-0x0000000000AF2000-memory.dmp: family_agenttesla
  - behavioral1/memory/1792-12-0x00000000003ED54E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1792-14-0x00000000003A0000-0x0000000000AF2000-memory.dmp: family_agenttesla
  - behavioral1/memory/1792-15-0x00000000003A0000-0x0000000000AF2000-memory.dmp: family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 1524 ngeih.pif
  - 1792 RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid / process):
  - 1356 PO 321134.exe
  - 1356 PO 321134.exe
  - 1356 PO 321134.exe
  - 1356 PO 321134.exe
  - 1524 ngeih.pif
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (ngeih.pif)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\16437174\\ngeih.pif c:\\16437174\\apgxijq.tun" (ngeih.pif)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1524 set thread context of 1792: ngeih.pif -> RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), 64 entries in total, repeated for the same two processes:
  - 1524 ngeih.pif
  - 1792 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1792 RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1792 RegSvcs.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / pid / process / target process):
  - PID 1356 wrote to memory of 1524: PO 321134.exe -> ngeih.pif (4 events)
  - PID 1524 wrote to memory of 1792: ngeih.pif -> RegSvcs.exe (9 events)
  - PID 1792 wrote to memory of 1928: RegSvcs.exe -> netsh.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO 321134.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 321134.exe"
  PID: 1356
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\16437174\ngeih.pif
    Command line: "C:\16437174\ngeih.pif" apgxijq.tun
    PID: 1524
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 1792
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: "netsh" wlan show profile
        PID: 1928
Network
MITRE ATT&CK Enterprise v6
Downloads