Analysis
-
max time kernel
147s -
max time network
125s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
31-07-2020 13:38
Static task
static1
Behavioral task
behavioral1
Sample
TT_Copy-23874-print.............Pdf.exe
Resource
win7
Behavioral task
behavioral2
Sample
TT_Copy-23874-print.............Pdf.exe
Resource
win10v200722
General
-
Target
TT_Copy-23874-print.............Pdf.exe
-
Size
475KB
-
MD5
0443c829e8f15fcbf2dca2b8941265d6
-
SHA1
fea6605a9ad6c1a7e004141d34dcf2eb155d54d7
-
SHA256
885b4be18edba1732c82c251d834e07946e015fe31d55eb6d30f53814027417b
-
SHA512
0e31e1b6f22c42887124d115b0b66b017d4920b3aead93e78d1362623d458b8248d0d7ba411341dd3e2e98b6b92135640d49431b89c93fd0f3d67710ff5af144
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
service@valid247.email - Password:
valid247
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3980-2-0x0000000000400000-0x000000000044E000-memory.dmp family_agenttesla behavioral2/memory/3980-3-0x00000000004492CE-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
TT_Copy-23874-print.............Pdf.exedescription pid process target process PID 3876 set thread context of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
TT_Copy-23874-print.............Pdf.exeTT_Copy-23874-print.............Pdf.exepid process 3876 TT_Copy-23874-print.............Pdf.exe 3876 TT_Copy-23874-print.............Pdf.exe 3876 TT_Copy-23874-print.............Pdf.exe 3876 TT_Copy-23874-print.............Pdf.exe 3980 TT_Copy-23874-print.............Pdf.exe 3980 TT_Copy-23874-print.............Pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
TT_Copy-23874-print.............Pdf.exeTT_Copy-23874-print.............Pdf.exedescription pid process Token: SeDebugPrivilege 3876 TT_Copy-23874-print.............Pdf.exe Token: SeDebugPrivilege 3980 TT_Copy-23874-print.............Pdf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
TT_Copy-23874-print.............Pdf.exepid process 3980 TT_Copy-23874-print.............Pdf.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
TT_Copy-23874-print.............Pdf.exedescription pid process target process PID 3876 wrote to memory of 3996 3876 TT_Copy-23874-print.............Pdf.exe schtasks.exe PID 3876 wrote to memory of 3996 3876 TT_Copy-23874-print.............Pdf.exe schtasks.exe PID 3876 wrote to memory of 3996 3876 TT_Copy-23874-print.............Pdf.exe schtasks.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe PID 3876 wrote to memory of 3980 3876 TT_Copy-23874-print.............Pdf.exe TT_Copy-23874-print.............Pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TT_Copy-23874-print.............Pdf.exe"C:\Users\Admin\AppData\Local\Temp\TT_Copy-23874-print.............Pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DF5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\TT_Copy-23874-print.............Pdf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\TT_Copy-23874-print.............Pdf.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
C:\Users\Admin\AppData\Local\Temp\tmp5DF5.tmpMD5
7074f8992fdd4c59e04dca2e8189a912
SHA1472e39ec2dd42203dbecd77949569dc670a399de
SHA2565f2f8985c1d8ccd555451a60d692cfcf1eac7beb61b1e76509ba4f519f4934f8
SHA512079271db63e88baf33358167d245cb0e0128c70731cb44bc554d26c483631adbcdae90ff9fd84eda24fed394e5c2181edbd9e9afce2e9ee9574c41764d37f5b1
-
memory/3980-2-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/3980-3-0x00000000004492CE-mapping.dmp
-
memory/3996-0-0x0000000000000000-mapping.dmp