Analysis
- max time kernel: 138s
- max time network: 32s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-07-2020 05:39
Static task: static1
Behavioral task: behavioral1
  Sample: cotización.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: cotización.exe
  Resource: win10
General
- Target: cotización.exe
- Size: 553KB
- MD5: 24c35b47082e767b4ac22680441e832f
- SHA1: dc2d57055bbcd9378d81944d8f599d036df64d30
- SHA256: c01753dd68c42bc2c0378b93891b424d671cfc6a58a8726e40fa9675122ea028
- SHA512: 1e2fdd25ed01b96cfde47d9ada29b1b0d6b65b16d62298b4155e820effc99cb7489660dc5bb26b9cbf46874a7e22f0378a339acb485dcaccd0fd3386976b849b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: SENEGAL12345
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/844-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/844-5-0x0000000000446D2E-mapping.dmp | family_agenttesla
  behavioral1/memory/844-6-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/844-7-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cotización.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cotización.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | cotización.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | cotización.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1492 set thread context of 844 | 1492 | cotización.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  844 | RegSvcs.exe
  844 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 844 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  844 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 1492 wrote to memory of 652 | 1492 | cotización.exe | schtasks.exe
  PID 1492 wrote to memory of 652 | 1492 | cotización.exe | schtasks.exe
  PID 1492 wrote to memory of 652 | 1492 | cotización.exe | schtasks.exe
  PID 1492 wrote to memory of 652 | 1492 | cotización.exe | schtasks.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
  PID 1492 wrote to memory of 844 | 1492 | cotización.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cotización.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cotización.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KmsdsyKNaSj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A77.tmp"
    - Creates scheduled task(s)
    PID: 652
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 844
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a4be62b9b3524e459b3e2613272e1de7
  SHA1: d93c89477bb2fcb4d794f90557b99788efc1c2a5
  SHA256: f40073cb6f9483f667d5f4ae771f35bdd22c098dc153bcdad232281f1d40a873
  SHA512: 0f1aa7b902287c91fe6d8a0e8657861527ed1d60156e5509cfd8eaef7c63ffe8c88de6adf1343c669ffcd352b291ee5c27e342ffb2bafc21e8fd5e252a460945