Analysis

  • max time kernel
    137s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    07-07-2020 05:45

General

  • Target

    PO-O3465-0001.exe

  • Size

    975KB

  • MD5

    ce45ecba9cbb43f9119e0e37d869028d

  • SHA1

    ae42201cdb5edf87502b81a4feedac7de0dc4ce2

  • SHA256

    6fe2e83b790e28078c73669c1eff1e47bb1f8178d58535f638c5f2f561ff496b

  • SHA512

    ca82862782029b4580cce8feee4d71a358c2a29da642ebbeae7805527ed347d6473ddcb06fb3e9d948e2b88cd258ccc48c182dc959cf5992f4091e3a84a3304b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    1234567890Bless#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGJucvKQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E66.tmp"
      • Creates scheduled task(s)
      PID:2116
    • C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe
      "{path}"
      PID:2700
    • C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe
      "{path}"
      PID:2728
    • C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe
      "{path}"
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\PO-O3465-0001.exe
      "{path}"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2832

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO-O3465-0001.exe.log
    MD5
    60374c47529939dfcb3337bc88ad83ac
    SHA1
    186a7a9ba4c529873946a193f88c593040c29bad
    SHA256
    661bdb8b0e7b88c3700d483651a2b24e6b7e8cdcd847c8766e19ab4b74b8b5de
    SHA512
    05583b1b0859cb7953e7a1793474d32c16f531b896b67d91df442339ada296bb246c733da96233b0dec899b5cae5d4bed613d076665c9cedd71fdc5b7ad48cbb

  • C:\Users\Admin\AppData\Local\Temp\tmp3E66.tmp
    MD5
    4aeba88728f9db1083a2abd423ad9e35
    SHA1
    f4d1d91acca694168a49fca93cf37887836ca944
    SHA256
    79b516ed85c8acb3bfaa22028dd38008e2452ef3d4d5e77a94786ffa2792effe
    SHA512
    23d7808f405c01eaff8c72355b90198a01fd204d9098ca3e3b3a17598b9fc95da37dc611545e15d56a35dc8fb4928b3658dc1edf34da3197f1d25deded522298

  • memory/2116-0-0x0000000000000000-mapping.dmp

  • memory/2832-2-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize
    304KB

  • memory/2832-3-0x0000000000446D6E-mapping.dmp