Analysis
-
max time kernel
137s -
max time network
141s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
07-07-2020 05:45
Static task
static1
Behavioral task
behavioral1
Sample
PO-O3465-0001.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
PO-O3465-0001.exe
Resource
win10v200430
General
-
Target
PO-O3465-0001.exe
-
Size
975KB
-
MD5
ce45ecba9cbb43f9119e0e37d869028d
-
SHA1
ae42201cdb5edf87502b81a4feedac7de0dc4ce2
-
SHA256
6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b
-
SHA512
ca82862782029b4580cce8feee4d71a358c2a29da642ebbeae7805527ed347d6473ddcb06fb3e9d948e2b88cd258ccc48c182dc959cf5992f4091e3a84a3304b
Malware Config
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
1234567890Bless#
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
1234567890Bless#
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2832-2-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral2/memory/2832-3-0x0000000000446D6E-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO-O3465-0001.exedescription pid process target process PID 3944 set thread context of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
PO-O3465-0001.exePO-O3465-0001.exepid process 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 3944 PO-O3465-0001.exe 2832 PO-O3465-0001.exe 2832 PO-O3465-0001.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PO-O3465-0001.exePO-O3465-0001.exedescription pid process Token: SeDebugPrivilege 3944 PO-O3465-0001.exe Token: SeDebugPrivilege 2832 PO-O3465-0001.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PO-O3465-0001.exepid process 2832 PO-O3465-0001.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
PO-O3465-0001.exedescription pid process target process PID 3944 wrote to memory of 2116 3944 PO-O3465-0001.exe schtasks.exe PID 3944 wrote to memory of 2116 3944 PO-O3465-0001.exe schtasks.exe PID 3944 wrote to memory of 2116 3944 PO-O3465-0001.exe schtasks.exe PID 3944 wrote to memory of 2700 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2700 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2700 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2728 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2728 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2728 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2808 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2808 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2808 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe PID 3944 wrote to memory of 2832 3944 PO-O3465-0001.exe PO-O3465-0001.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGJucvKQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E66.tmp"2⤵
- Creates scheduled task(s)
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"{path}"2⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"{path}"2⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"{path}"2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
60374c47529939dfcb3337bc88ad83ac
SHA1186a7a9ba4c529873946a193f88c593040c29bad
SHA256661bdb8b0e7b88c3700d483651a2b24e6b7e8cdcd847c8766e19ab4b74b8b5de
SHA51205583b1b0859cb7953e7a1793474d32c16f531b896b67d91df442339ada296bb246c733da96233b0dec899b5cae5d4bed613d076665c9cedd71fdc5b7ad48cbb
-
MD5
4aeba88728f9db1083a2abd423ad9e35
SHA1f4d1d91acca694168a49fca93cf37887836ca944
SHA25679b516ed85c8acb3bfaa22028dd38008e2452ef3d4d5e77a94786ffa2792effe
SHA51223d7808f405c01eaff8c72355b90198a01fd204d9098ca3e3b3a17598b9fc95da37dc611545e15d56a35dc8fb4928b3658dc1edf34da3197f1d25deded522298