Analysis
- max time kernel: 147s
- max time network: 28s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-07-2020 10:05
- Static task: static1
- Behavioral task: behavioral1 (Sample: AWB 673687387678.exe; Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: AWB 673687387678.exe; Resource: win10)
General
- Target: AWB 673687387678.exe
- Size: 885KB
- MD5: 4cf96d85b7e905687ee0533d2792158c
- SHA1: 6d1d02605ddfc879e7a5bbf1048ef1f3cef321ab
- SHA256: 7b0682f987e2856b5ccdb1c31fc5ac81df44c270940d71b3c403a9f361191afb
- SHA512: a2f9a95a332361c95ed0a1440ec8e01a6961176f60b96525192a76d80d79f10cd394809957e406056d6949866c3fa8fd70fc173b53c0ff1af3ecd3362f68ac6b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.papayatreehotels.com
- Port: 587
- Username: [email protected]
- Password: tree1579
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1740-4-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
- behavioral1/memory/1740-5-0x0000000000446A9E-mapping.dmp / family_agenttesla
- behavioral1/memory/1740-6-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
- behavioral1/memory/1740-7-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1292 set thread context of 1740 / 1292 / AWB 673687387678.exe / RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
- 1292 / AWB 673687387678.exe
- 1740 / RegSvcs.exe
- 1740 / RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1292 / AWB 673687387678.exe
- Token: SeDebugPrivilege / 1740 / RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
- 1740 / RegSvcs.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes (description / pid / process / target process):
- PID 1292 wrote to memory of 1364 / 1292 / AWB 673687387678.exe / schtasks.exe (4 identical entries)
- PID 1292 wrote to memory of 1740 / 1292 / AWB 673687387678.exe / RegSvcs.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\AWB 673687387678.exe (depth 1, PID 1292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB 673687387678.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1364)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIhwklq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B05.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 1740)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c36b092836c0f93cb304ad6389ee749c
- SHA1: df53385953daf933dbcf70b30f3e9c1219570219
- SHA256: b30f99aa68649f2a660ac3bf5fdad1c28ff7699f8c8c0c07905a209e141d3c5d
- SHA512: d949d79a2bfed91126d582da636d7921092f04084dff2c412ca0f671403599b94035a6b7f2f3e88068d415742d8146859b2ca36d5c358de789081775be9fc64a