Analysis
max time kernel: 148s
max time network: 41s
platform: windows7_x64
resource: win7v200430
submitted: 17-07-2020 16:26
Static task: static1
Behavioral task: behavioral1
Sample: po.exe
Resource: win7v200430
General
Target: po.exe
Size: 724KB
MD5: 15fc8801def3df32435a90a4b3623af9
SHA1: f55e8f1e02f8104fce3d3d9745192c6e215999df
SHA256: 3886eb1b9dccfe19438624f3462b2e1a65b685b82fee327e0291855dce28a2d0
SHA512: ae739dd15a33c593a80ec3d34ea3851f8dc2fe9d4476c9b90fc7210af9e8679d44fe1d84b2883b325537d26f908962a398d04f027e1cece28ef24cc8521e7485
Malware Config
Signatures
Modifies service (2 TTPs, 5 IoCs)
Processes: netsh.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: po.exe, po.exe
description | pid | process | target process
PID 1304 wrote to memory of 1308 | 1304 | po.exe | po.exe (4 entries)
PID 1304 wrote to memory of 1400 | 1304 | po.exe | po.exe (4 entries)
PID 1308 wrote to memory of 1260 | 1308 | po.exe | netsh.exe (4 entries)
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Suspicious use of SetThreadContext (1 IoCs)
Processes: po.exe
description | pid | process | target process
PID 1304 set thread context of 1308 | 1304 | po.exe | po.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: po.exe
description | pid | process
Token: SeDebugPrivilege | 1308 | po.exe
Processes:
resource | yara_rule
behavioral1/memory/1308-0-0x0000000000400000-0x00000000004B1000-memory.dmp | upx
behavioral1/memory/1308-3-0x0000000000400000-0x00000000004B1000-memory.dmp | upx
behavioral1/memory/1308-4-0x0000000000400000-0x00000000004B1000-memory.dmp | upx
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: po.exe, po.exe, po.exe
pid | process
1304 | po.exe (1 entry)
1400 | po.exe (25 entries)
1308 | po.exe (2 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: po.exe
pid | process
1304 | po.exe
Processes
C:\Users\Admin\AppData\Local\Temp\po.exe (PID 1304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\po.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  C:\Users\Admin\AppData\Local\Temp\po.exe (PID 1308, child of 1304)
    Command line: "C:\Users\Admin\AppData\Local\Temp\po.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\netsh.exe (PID 1260, child of 1308)
      Command line: "netsh" wlan show profile
      - Modifies service
  C:\Users\Admin\AppData\Local\Temp\po.exe (PID 1400, child of 1304)
    Command line: "C:\Users\Admin\AppData\Local\Temp\po.exe" 2 1308 102991
    - Suspicious behavior: EnumeratesProcesses