Analysis
- max time kernel: 151s
- max time network: 43s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 16:09
Static task: static1
Behavioral task: behavioral1
  Sample: Encomenda a Fornecedor nº 2177.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: Encomenda a Fornecedor nº 2177.exe
  Resource: win10
General
- Target: Encomenda a Fornecedor nº 2177.exe
- Size: 637KB
- MD5: 05fbb43cc400bde8bbe2906e2d80d3a1
- SHA1: 3c9c83a029cec65cb1a45f60aca45ca2eec9215f
- SHA256: f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8
- SHA512: 7e2f6a4acac158f81ce35993b374e2e919872399bf32ce0850ecc042eb85c6c8651f0ed2f863771a2d139f499bb35ad7d26fe61f70270f753481b405e6c94eb5
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.gruppoei.tk
- Port: 587
- Username: helpwith@gruppoei.tk
- Password: fC%ROLz}R,(*
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (4 IoCs)
Processes:
  resource | yara_rule
  - behavioral1/memory/1068-14-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral1/memory/1068-15-0x0000000000446E4E-mapping.dmp | family_agenttesla
  - behavioral1/memory/1068-17-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  - behavioral1/memory/1068-18-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  - 528 | jas.exe
  - 1068 | AddInProcess32.exe
-
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Encomenda a Fornecedor nº 2177.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe | Encomenda a Fornecedor nº 2177.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  - 1588 | Encomenda a Fornecedor nº 2177.exe
  - 528 | jas.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\jas = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jas.exe" | reg.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  - PID 528 set thread context of 1068 | 528 | jas.exe | AddInProcess32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  - 1588 | Encomenda a Fornecedor nº 2177.exe
  - 1588 | Encomenda a Fornecedor nº 2177.exe
  - 1588 | Encomenda a Fornecedor nº 2177.exe
  - 528 | jas.exe
  - 528 | jas.exe
  - 528 | jas.exe
  - 1068 | AddInProcess32.exe
  - 1068 | AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  - Token: SeDebugPrivilege | 1588 | Encomenda a Fornecedor nº 2177.exe
  - Token: SeDebugPrivilege | 528 | jas.exe
  - Token: SeDebugPrivilege | 1068 | AddInProcess32.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  - 1068 | AddInProcess32.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process
  - PID 1588 wrote to memory of 1044 | 1588 | Encomenda a Fornecedor nº 2177.exe | cmd.exe (reported 4 times)
  - PID 1044 wrote to memory of 1504 | 1044 | cmd.exe | reg.exe (reported 4 times)
  - PID 1588 wrote to memory of 528 | 1588 | Encomenda a Fornecedor nº 2177.exe | jas.exe (reported 4 times)
  - PID 528 wrote to memory of 1068 | 528 | jas.exe | AddInProcess32.exe (reported 9 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Encomenda a Fornecedor nº 2177.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Encomenda a Fornecedor nº 2177.exe"
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe"
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\reg.exe (level 3)
    Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jas /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe"
    - Adds Run key to start application
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe
MD5: 05fbb43cc400bde8bbe2906e2d80d3a1
SHA1: 3c9c83a029cec65cb1a45f60aca45ca2eec9215f
SHA256: f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8
SHA512: 7e2f6a4acac158f81ce35993b374e2e919872399bf32ce0850ecc042eb85c6c8651f0ed2f863771a2d139f499bb35ad7d26fe61f70270f753481b405e6c94eb5
-
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe
MD5: 05fbb43cc400bde8bbe2906e2d80d3a1
SHA1: 3c9c83a029cec65cb1a45f60aca45ca2eec9215f
SHA256: f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8
SHA512: 7e2f6a4acac158f81ce35993b374e2e919872399bf32ce0850ecc042eb85c6c8651f0ed2f863771a2d139f499bb35ad7d26fe61f70270f753481b405e6c94eb5
-
memory/528-6-0x0000000000000000-mapping.dmp
-
memory/1044-3-0x0000000000000000-mapping.dmp
-
memory/1068-14-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/1068-15-0x0000000000446E4E-mapping.dmp
-
memory/1068-17-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/1068-18-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/1504-4-0x0000000000000000-mapping.dmp
-
memory/1588-1-0x0000000000000000-0x0000000000000000-disk.dmp