Analysis
- max time kernel: 92s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: Emergency Situation Surcharge Update.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: Emergency Situation Surcharge Update.exe
  Resource: win10
General
- Target: Emergency Situation Surcharge Update.exe
- Size: 451KB
- MD5: 4d7528ff3e3e634db83bdc55c56ac62a
- SHA1: b63bd466732bdf5b9e43a20a7442b7547a4444bf
- SHA256: 3f258d6b65fd6594bc19ac4f3825112f78043a3c112f7bf56dd40bec84750a1e
- SHA512: 2297087cb141f830f7f45d5e8f0d6f363396096d655d12984a93d5b1068622e326bc9379b4e6c40f589e39a8b46a2b082ffc3126e8806edc406708d6c7d41ad4
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: General101
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1688-4-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
  - behavioral1/memory/1688-5-0x000000000044C44E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1688-6-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
  - behavioral1/memory/1688-7-0x0000000000400000-0x0000000000452000-memory.dmp: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1388 set thread context of 1688 / 1388 / Emergency Situation Surcharge Update.exe / RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 1388 / Emergency Situation Surcharge Update.exe
  - 1688 / RegSvcs.exe
  - 1688 / RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1388 / Emergency Situation Surcharge Update.exe
  - Token: SeDebugPrivilege / 1688 / RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process), identical entries grouped with their count:
  - PID 1388 wrote to memory of 1044 / 1388 / Emergency Situation Surcharge Update.exe / schtasks.exe (4 entries)
  - PID 1388 wrote to memory of 1688 / 1388 / Emergency Situation Surcharge Update.exe / RegSvcs.exe (12 entries)
  - PID 1688 wrote to memory of 524 / 1688 / RegSvcs.exe / netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe (depth 1, PID 1388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1044)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dbYVwF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE59D.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 1688)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 524)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0a45608d49216f528dffdf663242b0ac
- SHA1: d814f71ef5beebe4c17887d6541db476a7de5c52
- SHA256: 17349c2a5487ed468e41403a06a32eec0f8c895898a8c53c2f7a24875e254c74
- SHA512: 89b656394d1869d119e06e56a1a1b795948ad5c8b0e85c4cb7c1d5219d5853b297693ac082cba1e0ba22baefd5dee1a1ea9a1b6a64f603848fa3d4173680c00c