Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 12:51
Static task: static1
Behavioral task: behavioral1 (Sample: PO 31072020.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: PO 31072020.exe, Resource: win10)
General
- Target: PO 31072020.exe
- Size: 507KB
- MD5: 3947aeb57f40c78747241975a6f08fc0
- SHA1: 6baa5eb10e7da8d731a1c111bd6132a5a564edcb
- SHA256: 9c301c48f5db16bfee94ef08013387f2e2a26e29b5533add910f0994a49d37a3
- SHA512: b5870dc49e03fb207b4d8bd989a19bad946ac4de9383498c0b70ac7f42b84aaba465ff5212b615a5543b5443cc497f4b6bd0246c1b08e0befaff9b332d397a02
Malware Config
Extracted: agenttesla
These are the SMTP exfiltration settings embedded in the sample. The stealer authenticates to this mailbox to send the stolen data to itself, so the account is attacker-controlled (possibly a compromised legitimate mailbox) and the host, port and mailbox are IoCs rather than victim credentials.
- Protocol: smtp
- Host: mail.elyosr.org
- Port: 587
- Username: HR@elyosr.org
- Password: abcd1234
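The extracted config above is directly actionable on the network side. The following added example (not code from the sandbox or from the malware) turns the host, port and mailbox into three tiers of SMTP detections and runs them over a constructed Zeek-style smtp.log excerpt. The resolved address of mail.elyosr.org (a TEST-NET address), the sanctioned-relay list and the log lines are all assumptions made for the demonstration; only the host, port and mailbox come from the report.

```python
"""Use the extracted AgentTesla SMTP exfiltration config as network IoCs.

Added example written for this report; not code from the sandbox or the
malware. The smtp.log lines are constructed, the C2 host's resolved address
and the sanctioned-relay list are assumptions.
"""
from dataclasses import dataclass

# Values from the report's "Malware Config" section.
EXTRACTED_CONFIG = {"host": "mail.elyosr.org", "port": 587, "username": "HR@elyosr.org"}

# Assumption: what mail.elyosr.org resolved to when the logs were taken
# (a documentation address, not a real resolution).
RESOLVED_C2 = {"203.0.113.10"}

# Assumption: the only hosts workstations are allowed to submit mail to.
SANCTIONED_RELAYS = {"10.0.0.5"}

# Constructed Zeek smtp.log excerpt (tab-separated subset of fields):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, helo, mailfrom, rcptto
SAMPLE_SMTP_LOG = """\
1596199900.1\tC1\t10.0.0.15\t49211\t10.0.0.5\t25\tWS15\talice@corp.example\tbob@corp.example
1596199912.7\tC2\t10.0.0.15\t49230\t203.0.113.10\t587\tDESKTOP-ADMIN\tHR@elyosr.org\tHR@elyosr.org
1596199930.2\tC3\t10.0.0.22\t49301\t198.51.100.7\t587\tWS22\tcarol@corp.example\tdave@example.net
"""


@dataclass
class SmtpRecord:
    ts: float
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    helo: str
    mailfrom: str
    rcptto: str


def parse_smtp_log(text):
    """Parse the tab-separated excerpt, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append(SmtpRecord(float(f[0]), f[1], f[2], int(f[3]),
                                  f[4], int(f[5]), f[6], f[7], f[8]))
    return records


def detect(records, config=EXTRACTED_CONFIG, c2_ips=RESOLVED_C2, relays=SANCTIONED_RELAYS):
    """Return (uid, severity, reason) tuples, one per suspicious session.

    Tiers: a session using the mailbox from the sample's config is attributable
    to this sample; a submission to the resolved exfil host on the configured
    port is a strong match even if the operator rotated the mailbox; any other
    submission from a workstation to an unsanctioned host is worth triage,
    because AgentTesla exfiltrates over ordinary authenticated SMTP.
    """
    mailbox = config["username"].lower()
    findings = []
    for r in records:
        addrs = {r.mailfrom.lower(), r.rcptto.lower()}
        if mailbox in addrs:
            findings.append((r.uid, "high",
                             f"sender/recipient matches extracted AgentTesla mailbox {config['username']}"))
        elif r.resp_h in c2_ips and r.resp_p == config["port"]:
            findings.append((r.uid, "high",
                             f"submission to resolved exfil host {config['host']}:{config['port']}"))
        elif r.resp_h not in relays:
            findings.append((r.uid, "medium",
                             f"SMTP to unsanctioned host {r.resp_h}:{r.resp_p}"))
    return findings


if __name__ == "__main__":
    for uid, severity, reason in detect(parse_smtp_log(SAMPLE_SMTP_LOG)):
        print(uid, severity, reason)
```

The mailbox tier is the durable one: the hostname and password in a config are rotated far more often than the mailbox the operator reads, and the same mailbox frequently shows up across many builds of the same campaign.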
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests saved credentials from browsers, email clients and FTP clients, logs keystrokes, and exfiltrates the data over channels such as SMTP (the channel configured in this sample).
-
AgentTesla Payload 4 IoCs
Processes: all four matches are on memory dumps of the injected child process (PID 1356), not on the file on disk, i.e. the YARA rule sees the payload only after it has been unpacked in memory.
- behavioral1/memory/1356-5-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral1/memory/1356-6-0x0000000000446CEE-mapping.dmp: family_agenttesla
- behavioral1/memory/1356-7-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral1/memory/1356-8-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 284 (PO 31072020.exe) set thread context of PID 1356 (PO 31072020.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a stealer such as this sample it is more consistent with host enumeration than with encryption, so weigh it alongside the credential-theft signatures rather than as a ransomware indicator.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 284 PO 31072020.exe: 3 events
- PID 1356 PO 31072020.exe: 2 events
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 284 PO 31072020.exe: Token: SeDebugPrivilege
- PID 1356 PO 31072020.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- PID 284 (PO 31072020.exe) wrote to memory of PID 1072 (schtasks.exe): 4 events
- PID 284 (PO 31072020.exe) wrote to memory of PID 1356 (PO 31072020.exe): 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC245.tmp"
    (The command line names System32 but the image that ran is in SysWOW64: the parent is a 32-bit process on windows7_x64, so WoW64 file-system redirection resolved the path. The task definition is read from a temporary XML file, and the task name still contains the unsubstituted "&startupname&" token, which appears to be a loader template placeholder and is worth hunting for in the task scheduler tree.)
    - Creates scheduled task(s)
  - child: C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe
    command line: "{path}"
    (A second instance of the sample started by the first, written to and re-pointed with SetThreadContext: this is the hollowed process whose memory dumps matched the family_agenttesla rule. The literal "{path}" command line is likewise an unsubstituted template placeholder.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
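The chain above (self-injection via WriteProcessMemory plus SetThreadContext, a placeholder command line, and schtasks /Create fed from an XML file in Temp) is what a detection engineer would want to recognise from any process telemetry, not only from this sandbox. The following added example (not code from the sandbox or the report) transcribes this report's process tree and cross-process API events into plain Python structures and runs three heuristics over them; the data comes from the report, while the field names, regexes and scoring are this example's own assumptions.

```python
"""Reconstruct the injection and persistence chain from this report's events.

Added example, not code from the sandbox or the report. The process tree and
API events are transcribed from the report; the heuristics and regexes are
this example's own.
"""
import re

# Process tree transcribed from the report's "Processes" section.
PROCESSES = {
    284: {
        "image": r"C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe",
        "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe"',
        "parent": None,
    },
    1072: {
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" '
                   r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC245.tmp"',
        "parent": 284,
    },
    1356: {
        "image": r"C:\Users\Admin\AppData\Local\Temp\PO 31072020.exe",
        "cmdline": '"{path}"',
        "parent": 284,
    },
}

# Cross-process API events from the signature tables: (api, caller pid,
# target pid), repeated as many times as the report lists them.
API_EVENTS = (
    [("WriteProcessMemory", 284, 1072)] * 4
    + [("WriteProcessMemory", 284, 1356)] * 9
    + [("SetThreadContext", 284, 1356)]
)

TEMPLATE_TOKEN = re.compile(r"\{path\}|&\w+&")          # unsubstituted loader placeholders
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+"([^"]+)"', re.IGNORECASE)


def find_hollowing(processes=PROCESSES, events=API_EVENTS):
    """Pair each WriteProcessMemory target with a SetThreadContext on the same target.

    A parent that writes into a child and then re-points the child's thread is
    the process-hollowing pattern; when parent and child share an image it is
    the self-injection variant used by .NET RunPE-style loaders.
    """
    writes = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    retargeted = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    findings = []
    for src, dst in sorted(writes & retargeted):
        same = processes[src]["image"].lower() == processes[dst]["image"].lower()
        n_writes = sum(1 for api, s, t in events
                       if api == "WriteProcessMemory" and (s, t) == (src, dst))
        findings.append({"injector": src, "hollowed": dst,
                         "self_injection": same, "writes": n_writes})
    return findings


def find_template_cmdlines(processes=PROCESSES):
    """Pids whose command line still carries a template token such as {path}."""
    return sorted(pid for pid, p in processes.items() if TEMPLATE_TOKEN.search(p["cmdline"]))


def find_schtasks_persistence(processes=PROCESSES):
    """schtasks /Create whose task definition is an XML file in the user's Temp dir."""
    out = []
    for pid, p in processes.items():
        cl = p["cmdline"].lower()
        if (p["image"].lower().endswith("\\schtasks.exe")
                and "/create" in cl and "/xml" in cl
                and TEMP_DIR.search(p["cmdline"])):
            m = TASK_NAME.search(p["cmdline"])
            out.append({"pid": pid, "parent": p["parent"],
                        "task": m.group(1) if m else None})
    return out


if __name__ == "__main__":
    for finding in find_hollowing() + find_schtasks_persistence():
        print(finding)
    print("template command lines:", find_template_cmdlines())
```

The write count matters for triage: four writes into schtasks.exe are the parent setting up the child's environment at CreateProcess time (normal), while nine writes into a suspended copy of itself followed by SetThreadContext is the hollowing sequence itself. Feeding the same three checks with Sysmon events 1, 8 and 10 instead of sandbox tables is a straightforward substitution.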
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC245.tmp (the scheduled-task XML definition passed to schtasks /XML)
- MD5: 77fb853e8f745f44d1f5fd3577ce772f
- SHA1: 7ffc71dfb041c0e963f683674e36301e362b723e
- SHA256: 0e57ac65e9146f47af2721b6824882ff549df9106874faf0e2f417eb555476e4
- SHA512: 6a2963e9df68e0ec62c19d93ca56bd4086f11aca6249e333bddf1254149ad3b09077e0d67e77ed2dffd5ab8cedbbe26e643a2d8c50fba79994d4305b630b091a
-
memory/284-1-0x0000000000000000-0x0000000000000000-disk.dmp
-
memory/1072-2-0x0000000000000000-mapping.dmp
-
memory/1356-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
-
memory/1356-6-0x0000000000446CEE-mapping.dmp
-
memory/1356-7-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
-
memory/1356-8-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
The three 0x00400000-0x0044C000 dumps of PID 1356 span 0x4C000 bytes = 304 KiB, i.e. the complete image of the injected 32-bit executable at the default image base. These are the dumps the family_agenttesla rule matched, so they are the artifacts to pull for static analysis of the unpacked payload; the 507KB file on disk is only the loader.