Analysis

max time kernel: 129s
max time network: 43s
platform: windows10_x64
resource: win10v200430
submitted: 13-07-2020 06:33
Static task: static1

Behavioral task: behavioral1
  Sample: 6493e77b005827994d24d53f156ebb70.exe
  Resource: win7

Behavioral task: behavioral2
  Sample: 6493e77b005827994d24d53f156ebb70.exe
  Resource: win10v200430
General

Target: 6493e77b005827994d24d53f156ebb70.exe
Size: 1.2MB
MD5: 6493e77b005827994d24d53f156ebb70
SHA1: 8a7bdee0fd0146727a6188d455ac915f803601df
SHA256: 2a24ef9460476dc67c3e4f5fc17ddcf582e556def4278f8760d27f5b6e0735ca
SHA512: 0ae54906c14d12d245d6fc167147dbbe0b518d8f7229b218d4b119244392e0ced7d91d96cedbfc6be3e0a3831d93fc348619915360305b14054890e05240a3a6
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtpout.secureserver.net
Port: 587
Username: [email protected]
Password: Front@line1
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (2 IoCs)
  Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3900-7-0x0000000000520000-0x00000000009CA000-memory.dmp  family_agenttesla
  behavioral2/memory/3900-8-0x000000000056702E-mapping.dmp                    family_agenttesla

- Executes dropped EXE (2 IoCs)
  Processes: edsoqm.pif, RegSvcs.exe
  pid   process
  4064  edsoqm.pif
  3900  RegSvcs.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: edsoqm.pif
  description      ioc                                                                                   process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run           edsoqm.pif
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\11595538\\edsoqm.pif C:\\Users\\Admin\\11595538\\rsagv.qww"  edsoqm.pif

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: edsoqm.pif
  description                          pid   process     target process
  PID 4064 set thread context of 3900  4064  edsoqm.pif  RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: RegSvcs.exe
  pid   process
  3900  RegSvcs.exe  (6 identical entries)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description              pid   process
  Token: SeDebugPrivilege  3900  RegSvcs.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
  pid   process
  3900  RegSvcs.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 6493e77b005827994d24d53f156ebb70.exe, edsoqm.pif
  description                       pid   process                               target process
  PID 1508 wrote to memory of 4064  1508  6493e77b005827994d24d53f156ebb70.exe  edsoqm.pif   (3 entries)
  PID 4064 wrote to memory of 3900  4064  edsoqm.pif                            RegSvcs.exe  (5 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6493e77b005827994d24d53f156ebb70.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6493e77b005827994d24d53f156ebb70.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\11595538\edsoqm.pif
      Command line: "C:\Users\Admin\11595538\edsoqm.pif" rsagv.qww
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Downloads

- C:\Users\Admin\11595538\edsoqm.pif
  MD5: 6c791836a7f45952c1183d31e07bd966
  SHA1: 24f3d4a239e338ddb6f48e6eb706d3f19a280248
  SHA256: c70c58c4b0b01a5985e3b7820977acef3a6d78e653709dab84d47c06b5f1d43d
  SHA512: 60e796d6df906bb73347b7e78cdf09bee591465e079026fcd8d9835c71d91de6a91801c4d4b63c2cd5fe3ca790120ca08260bacace0214418bca3fcde54a7f3d
- C:\Users\Admin\11595538\rsagv.qww
  MD5: 069e6cddc473c3a8f0bf745fc574dcae
  SHA1: b92bfe871a15063bafdfbd3b637705d5c94431bd
  SHA256: 308ff51264e710abd553b398605a7079d9fbfdde82109f3020651c2f7f4680f8
  SHA512: b76bd95afd28f188ec7f58ee339454f50996e3f0d6c002dc605e820b6910a6fe7bb91c2056cd383227bc08d35d0449f4a23dbfe6a7e993052ad239cdaa74ba9e

- C:\Users\Admin\11595538\seno.ppt
  MD5: bd2b11ae54eadab7b14a398339b5bca4
  SHA1: 61306d45dfd571724d773da8fcb989ee5a8a9e17
  SHA256: bdceed33128233cfc5e7e4be089ec81e5150a0ff3e0d7162a36b3855a243e3ec
  SHA512: a2a9c919b7c475f635b6d9b75c9d07b5237f5a124244c7c448643f1fe3c1fc2e19e97a2367017048545504c205ad0883e87eb9a5e3e9e4e01bdd0cd73c529def

- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

- memory/3900-7-0x0000000000520000-0x00000000009CA000-memory.dmp
  Filesize: 4.7MB

- memory/3900-8-0x000000000056702E-mapping.dmp

- memory/4064-2-0x0000000000000000-mapping.dmp