Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-07-2020 05:29

General

  • Target

    de2a5ebcd53cdfdff69dfbcefc41bacfd210a286b8b4db221fd1f8b01ecfdca5.exe

  • Size

    282KB

  • MD5

    272897d36eb416327967b1fa05c718b2

  • SHA1

    1b5a7143464e4ac945f276f24d8cb6693bd19242

  • SHA256

    de2a5ebcd53cdfdff69dfbcefc41bacfd210a286b8b4db221fd1f8b01ecfdca5

  • SHA512

    fd468defd565ee28a6cc7c235cea1b1ad8bad52b116fb3952aeb0813aea37981bcff025904f36f3ffd21e4686effa4b50964a55ccfc00b61841f416d73dec538

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de2a5ebcd53cdfdff69dfbcefc41bacfd210a286b8b4db221fd1f8b01ecfdca5.exe
    "C:\Users\Admin\AppData\Local\Temp\de2a5ebcd53cdfdff69dfbcefc41bacfd210a286b8b4db221fd1f8b01ecfdca5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2084
  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2500 /prefetch:2
    1⤵
      PID:2152
    • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1468 /prefetch:8
      1⤵
        PID:2232
      • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2628 /prefetch:8
        1⤵
          PID:2244
        • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
          "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2732 /prefetch:8
          1⤵
            PID:2256
          • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
            "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3140 /prefetch:8
            1⤵
              PID:2360
            • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
              "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1428 /prefetch:8
              1⤵
                PID:2436
              • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2664 /prefetch:8
                1⤵
                  PID:2472
                • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2656 /prefetch:8
                  1⤵
                    PID:2512
                  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2660 /prefetch:8
                    1⤵
                      PID:2548
                    • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --disable-gpu-compositing --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
                      1⤵
                        PID:2584
                      • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3224 /prefetch:8
                        1⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2660
                      • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2760 /prefetch:8
                        1⤵
                          PID:2704
                        • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                          "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2776 /prefetch:8
                          1⤵
                            PID:2740
                          • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                            "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3332 /prefetch:8
                            1⤵
                              PID:2780
                            • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                              "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3384 /prefetch:8
                              1⤵
                                PID:2816
                              • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --disable-gpu-compositing --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                                1⤵
                                  PID:2856
                                • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3316 /prefetch:8
                                  1⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2968
                                • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=3368 /prefetch:8
                                  1⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3016
                                • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3236 /prefetch:8
                                  1⤵
                                    PID:2128
                                  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=2896 /prefetch:8
                                    1⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:524
                                  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2348 /prefetch:8
                                    1⤵
                                      PID:2456
                                    • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1580 /prefetch:8
                                      1⤵
                                        PID:2544
                                      • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1076,830811788224391128,3207156584127863496,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1548 /prefetch:8
                                        1⤵
                                          PID:2568

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2152-0-0x00000000773A0000-0x00000000773A1000-memory.dmp

    Filesize

    4KB

  • memory/2584-10-0x000006E600040000-0x000006E600041000-memory.dmp

    Filesize

    4KB

  • memory/2584-11-0x0000000009F60000-0x0000000009F71000-memory.dmp

    Filesize

    68KB

  • memory/2856-18-0x000000000A0A0000-0x000000000A0B1000-memory.dmp

    Filesize

    68KB