Analysis
max time kernel: 92s
max time network: 53s
platform: windows7_x64
resource: win7
submitted: 31-07-2020 09:25
Static task: static1
Behavioral task: behavioral1 (Sample: 681378c431cd1552b31f712d5e98603f.exe; Resource: win7)
Behavioral task: behavioral2 (Sample: 681378c431cd1552b31f712d5e98603f.exe; Resource: win10v200722)
General
Target: 681378c431cd1552b31f712d5e98603f.exe
Size: 439KB
MD5: 681378c431cd1552b31f712d5e98603f
SHA1: d9a7241ed11cc4a797a560eb6d15c6e5b5421293
SHA256: 0dff04cbc66cf66ac737d135dea5f85bc6bcf08d274d14d544949951de56597c
SHA512: 95ddd8865dbf538f149857eb8f4dc46f6a2e82e743fdcad1b6a90197f5d56aba64332cc4659accf222250a2cd2758d0dccb04caa7c1ef3e94620edb29447db62
Malware Config
Extracted: agenttesla (SMTP exfiltration settings; stolen data is sent as e-mail through the account below, so the host, port and mailbox are network indicators in their own right)
Protocol: smtp
Host: webmail.dragon-pack.com
Port: 587
Username: lyna.hrd@dragon-pack.com
Password: LYNAHRDt12
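The config gives the attacker's mailbox in the clear, but in a PCAP or a mail-gateway log the same values appear base64-encoded inside the SMTP AUTH exchange on port 587, so a search for the plaintext address finds nothing. The block below is an added example, not part of the sandbox report: it derives the AUTH LOGIN and AUTH PLAIN tokens from the extracted credentials and scans an SMTP transcript for them. The transcript is constructed for the example; the hostnames, PIDs and credentials are the report's, everything else is assumed.

```python
"""Turn the extracted AgentTesla SMTP settings into wire-level indicators.

Added example, not part of the sandbox report. On the wire the username and
password from the config are base64-encoded inside the SMTP AUTH exchange
(AUTH LOGIN: two separate client lines after 334 prompts; AUTH PLAIN: one
token of NUL-joined fields, RFC 4616), so a log search for the plaintext
address finds nothing. The transcript below is constructed for the example.
"""
import base64

# Values from the report's Malware Config section.
SMTP_HOST = "webmail.dragon-pack.com"
SMTP_PORT = 587
USERNAME = "lyna.hrd@dragon-pack.com"
PASSWORD = "LYNAHRDt12"


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def auth_login_tokens(user, password):
    """The two client lines of AUTH LOGIN: base64(user), then base64(password)."""
    return _b64(user), _b64(password)


def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    return _b64(f"{authzid}\0{user}\0{password}")


def decode_auth_plain(token):
    """Inverse of auth_plain_token; returns (user, password)."""
    fields = base64.b64decode(token).split(b"\0")
    return fields[1].decode(), fields[2].decode()


def find_credential_use(lines, user, password):
    """Scan an SMTP transcript ('C: ' client lines, 'S: ' server lines) and return
    (line_index, mechanism) for every authentication with these credentials."""
    login_user, login_pass = auth_login_tokens(user, password)
    hits, state = [], None
    for i, raw in enumerate(lines):
        side, _, line = raw.partition(" ")
        if side != "C:":
            continue
        line = line.strip()
        upper = line.upper()
        if upper.startswith("AUTH PLAIN "):
            try:
                if decode_auth_plain(line.split(None, 2)[2]) == (user, password):
                    hits.append((i, "PLAIN"))
            except (ValueError, IndexError):
                pass
            state = None
        elif upper == "AUTH LOGIN":
            state = "user"
        elif state == "user":
            state = "pass" if line == login_user else None
        elif state == "pass":
            if line == login_pass:
                hits.append((i, "LOGIN"))
            state = None
    return hits


# Constructed session to the host from the config; the 334 prompts are the
# standard base64 "Username:" / "Password:" strings a LOGIN-capable server sends.
TRANSCRIPT = [
    "S: 220 webmail.dragon-pack.com ESMTP",
    "C: EHLO WIN7",
    "S: 250-AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: bHluYS5ocmRAZHJhZ29uLXBhY2suY29t",
    "S: 334 UGFzc3dvcmQ6",
    "C: TFlOQUhSRHQxMg==",
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<lyna.hrd@dragon-pack.com>",
]

if __name__ == "__main__":
    print("AUTH LOGIN tokens:", auth_login_tokens(USERNAME, PASSWORD))
    print("AUTH PLAIN token: ", auth_plain_token(USERNAME, PASSWORD))
    print("hits:", find_credential_use(TRANSCRIPT, USERNAME, PASSWORD))
```

One caveat when hunting with these tokens: on port 587 a client normally issues STARTTLS before AUTH, so the base64 credentials are only visible in a capture if TLS was not negotiated or is being intercepted at a gateway. The TCP connection to webmail.dragon-pack.com:587 from a workstation, and the mailbox name in any mail-server log, remain usable indicators either way.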
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic; it harvests saved credentials from browsers, mail and FTP clients and exfiltrates them, in this sample over SMTP (see Malware Config).
-
AgentTesla Payload 4 IoCs
Processes (resource / yara_rule):
behavioral1/memory/656-4-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
behavioral1/memory/656-5-0x0000000000446D2E-mapping.dmp / family_agenttesla
behavioral1/memory/656-7-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
behavioral1/memory/656-6-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
All four hits are in PID 656, the child process, at the 304KB region 0x400000-0x44C000; none are in the parent PID 1324, which is consistent with the parent being a loader that unpacks the AgentTesla payload into a hollowed copy of itself.
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
PID 1324 set thread context of 656 / 1324 / 681378c431cd1552b31f712d5e98603f.exe / 681378c431cd1552b31f712d5e98603f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; in an infostealer such as AgentTesla the same enumeration is more consistent with host profiling than with encryption, and nothing else in this report (no mass file writes, no ransom note) supports a ransomware reading.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
1324 / 681378c431cd1552b31f712d5e98603f.exe
656 / 681378c431cd1552b31f712d5e98603f.exe
656 / 681378c431cd1552b31f712d5e98603f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege / 1324 / 681378c431cd1552b31f712d5e98603f.exe
Token: SeDebugPrivilege / 656 / 681378c431cd1552b31f712d5e98603f.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
656 / 681378c431cd1552b31f712d5e98603f.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description / pid / process / target process):
PID 1324 wrote to memory of 108 / 1324 / 681378c431cd1552b31f712d5e98603f.exe / schtasks.exe (4 entries)
PID 1324 wrote to memory of 656 / 1324 / 681378c431cd1552b31f712d5e98603f.exe / 681378c431cd1552b31f712d5e98603f.exe (9 entries)
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe (PID 1324, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 108, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VLcsak" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D1.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe (PID 656, depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Two details in this tree are worth reading closely. The parent asked for C:\Windows\System32\schtasks.exe but C:\Windows\SysWOW64\schtasks.exe ran: that is WOW64 file-system redirection, which tells you the sample is a 32-bit executable on the x64 VM. And the second copy of the sample was launched with the literal string "{path}" as its command line, a placeholder the loader never substituted; this child is the process that receives the WriteProcessMemory and SetThreadContext calls, carries all four AgentTesla YARA hits, and installs the SetWindowsHookEx hook consistent with keylogging.
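The chain above (parent 1324 writes into a child of its own image and sets its thread context, and separately registers a scheduled task from a temp-directory XML) is what a detection should key on. The following is an added example, not part of the sandbox report or any vendor's rules: it replays the report's events as constructed records (the record layout and the event order are assumptions) and flags both behaviours. One caveat is built in: the four writes into schtasks.exe, a child with a normal command line and no thread-context change, show that WriteProcessMemory alone is a weak signal; the discriminator is SetThreadContext on a child running the parent's own image.

```python
"""Replay the report's process events and flag the injection + persistence chain.

Added example: not part of the sandbox report and not a vendor's detection content.
The records below are constructed from the report's signature tables (PIDs 1324,
108 and 656 are the report's); their layout and ordering are assumptions, not an
EDR schema. Two checks: (a) a parent that writes into a child running its own image
and then calls SetThreadContext on it (process hollowing / RunPE), and (b) a
schtasks /Create that imports task XML from a user-writable location.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VLcsak" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D1.tmp"')

# Constructed timeline in RunPE order: create child, write into it, set its thread context.
EVENTS = (
    [{"pid": 1324, "image": SAMPLE, "action": "create_process", "target": 108,
      "target_image": SCHTASKS, "cmdline": SCHTASKS_CMD}]
    + [{"pid": 1324, "image": SAMPLE, "action": "write_memory", "target": 108}] * 4
    + [{"pid": 1324, "image": SAMPLE, "action": "create_process", "target": 656,
        "target_image": SAMPLE, "cmdline": '"{path}"'}]
    + [{"pid": 1324, "image": SAMPLE, "action": "write_memory", "target": 656}] * 9
    + [{"pid": 1324, "image": SAMPLE, "action": "set_thread_context", "target": 656}]
)


def find_hollowing(events):
    """One finding per (parent, child) where the parent wrote into a child of its
    own image and then set that child's thread context. Writes alone are not
    flagged; the schtasks child receives writes too and is benign here."""
    image, cmdline = {}, {}
    writes = defaultdict(int)            # (parent, child) -> WriteProcessMemory count
    findings = []
    for ev in events:
        image.setdefault(ev["pid"], ev["image"])
        if ev["action"] == "create_process":
            image[ev["target"]] = ev["target_image"]
            cmdline[ev["target"]] = ev.get("cmdline")
        elif ev["action"] == "write_memory":
            writes[(ev["pid"], ev["target"])] += 1
        elif ev["action"] == "set_thread_context":
            key = (ev["pid"], ev["target"])
            same_image = image.get(ev["pid"], "").lower() == image.get(ev["target"], "").lower()
            if writes[key] and same_image:
                findings.append({"parent": ev["pid"], "child": ev["target"],
                                 "writes_before_context_set": writes[key],
                                 "child_cmdline": cmdline.get(ev["target"])})
    return findings


# schtasks /Create ... /XML <file>; the file may be quoted (paths with spaces) or bare.
SCHTASKS_CREATE_XML = re.compile(
    r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', re.I)
# Locations an unprivileged user can write to; installers rarely stage task XML here.
USER_WRITABLE = re.compile(
    r'\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\', re.I)


def flag_schtasks_xml_import(cmdline):
    """Return the imported XML path and whether it sits in a user-writable
    directory, or None if the command line is not a schtasks /Create /XML."""
    m = SCHTASKS_CREATE_XML.search(cmdline)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    return {"xml_path": xml_path, "user_writable": bool(USER_WRITABLE.search(xml_path))}


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print("hollowing:", f)
    print("schtasks:", flag_schtasks_xml_import(SCHTASKS_CMD))
```

The XML file itself (tmpC2D1.tmp, hashed in the Downloads section) is the artefact to pull for triage: it carries the task's trigger and the action it runs, which the command line does not show.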
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC2D1.tmp (the task XML passed to schtasks /XML)
  MD5: 6a8c733cf33eded39bcf3fe6b9b1f97a
  SHA1: d6f9934e73c835b12c1ab946407da6462fb26be1
  SHA256: 8d2fb6c325aa0871692c6ffdbf8bf25b692123278e0ee86012be28d8b5c05ea3
  SHA512: 9289ebfb680bceb5be12a35d31fef5e8a6e891c4ff4860c41dbce0fff2f1a59b633c67059256f9c214123b0bb54e40b0f9845f681e3c1b227c66465d77237f25
- memory/108-2-0x0000000000000000-mapping.dmp
- memory/656-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/656-5-0x0000000000446D2E-mapping.dmp
- memory/656-7-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/656-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1324-1-0x0000000000000000-0x0000000000000000-disk.dmp