Analysis
- max time kernel: 115s
- max time network: 121s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 12:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Image001.exe
  - Resource: win7
General
- Target: Image001.exe
- Size: 765KB
- MD5: cbb4755899817e5408789fc7c3ae5979
- SHA1: e061fb307227f68bf9241a55ade9fa1976be5782
- SHA256: 9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d
- SHA512: 2712bc7ff4eb3204d04fbfc033d3a2c1503662a1b73415ab1fefddbf3719337cbbd4d7857ff311a3db0e53ebfb2d7335ed11bc5f8183d260372080761ab43f36
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    1612  Image001.exe
- Yara rule match: upx
  Resources (resource, yara_rule):
    behavioral1/memory/364-0-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral1/memory/364-2-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral1/memory/364-3-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
- Yara rule match: agent_tesla
  Resources (resource, yara_rule):
    behavioral1/memory/364-3-0x0000000000400000-0x00000000004A4000-memory.dmp  agent_tesla
    behavioral1/memory/364-4-0x0000000001D80000-0x0000000001DCC000-memory.dmp  agent_tesla
    behavioral1/memory/364-6-0x00000000002E0000-0x0000000000326000-memory.dmp  agent_tesla
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1612 wrote to memory of 364  1612  Image001.exe  Image001.exe
    PID 1612 wrote to memory of 364  1612  Image001.exe  Image001.exe
    PID 1612 wrote to memory of 364  1612  Image001.exe  Image001.exe
    PID 1612 wrote to memory of 364  1612  Image001.exe  Image001.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1612 set thread context of 364  1612  Image001.exe  Image001.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  364  Image001.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
    1612  Image001.exe
    364   Image001.exe
    364   Image001.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Image001.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Image001.exe (PID 364, child of 1612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/364-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize 656KB)
- memory/364-1-0x00000000004A2490-mapping.dmp
- memory/364-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize 656KB)
- memory/364-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize 656KB)
- memory/364-4-0x0000000001D80000-0x0000000001DCC000-memory.dmp (Filesize 304KB)
- memory/364-5-0x0000000000552000-0x0000000000553000-memory.dmp (Filesize 4KB)
- memory/364-6-0x00000000002E0000-0x0000000000326000-memory.dmp (Filesize 280KB)