Analysis
- max time kernel: 136s
- max time network: 25s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 06:54
Static task: static1
Behavioral task: behavioral1 (Sample: Price Offer.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: Price Offer.exe, Resource: win10)
General
- Target: Price Offer.exe
- Size: 376KB
- MD5: fa5199adb6769a93ec34e3eca02b45e2
- SHA1: 7099f889545a673087f8b22c961dd18f9574b19a
- SHA256: fdb0545a95f394689eb6f31b5b18e9d32fa9a11e5dd4817d16db6204c63577ae
- SHA512: 6174b245b397dd7d2775ba2decf6b5efa92744bbb588162034273f01f9aff857bdb24774bd0886decb5c90db1a0b76567be85eb7ce0a0d2a9469092abdc97549
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.chenklins.com
- Port: 587
- Username: [email protected]
- Password: VBRSv_r)C~mM
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1844-4-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral1/memory/1844-5-0x0000000000446DCE-mapping.dmp: family_agenttesla
- behavioral1/memory/1844-6-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral1/memory/1844-7-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1432 set thread context of 1844: 1432 Price Offer.exe -> Price Offer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid, process):
- 1432 Price Offer.exe
- 1844 Price Offer.exe
- 1844 Price Offer.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1432 Price Offer.exe
- Token: SeDebugPrivilege, 1844 Price Offer.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 1844 Price Offer.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description, pid, process, target process):
- PID 1432 wrote to memory of 1804: 1432 Price Offer.exe -> schtasks.exe (4 identical entries)
- PID 1432 wrote to memory of 1844: 1432 Price Offer.exe -> Price Offer.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Price Offer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Price Offer.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAmnuGfjcEV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp555F.tmp"
    - Creates scheduled task(s)
  - Child: C:\Users\Admin\AppData\Local\Temp\Price Offer.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp555F.tmp
  MD5: 89ac372f6a3d7ba609969be6c6a52eca
  SHA1: 95008cb9720c955305f2033fdba280eccb7f4b6a
  SHA256: a17b6a4a8916322432fd91defa2895a60be64f0e07924e5b4e2467cb96e83047
  SHA512: f7f86df73371c065ac84244a5040a95c947b338ddc09528d4708b7ab46007dc41e3f29270adce0715460388ed920f8981d27b3e8724077817862a5a24cbf44bc
- memory/1432-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1804-2-0x0000000000000000-mapping.dmp
- memory/1844-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1844-5-0x0000000000446DCE-mapping.dmp
- memory/1844-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1844-7-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)