Analysis
-
max time kernel
60s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:37
Behavioral task
behavioral1
Sample
catalogue.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
catalogue.exe
Resource
win10v20201028
General
-
Target
catalogue.exe
-
Size
515KB
-
MD5
1c098e2524570249e1aa01afe50f3dde
-
SHA1
f130b0404f94fb4ddfdd918b58734dc73d3e814f
-
SHA256
d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c
-
SHA512
b67b7f19b4dd15179720a82f2f62ce6a709b3adad7299afc86eff1cf8f00ebb660d710c8cf6b8d3bd7ef4653c41a4447e11e60cce817056494dffc9ee055ba91
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
admin@cairoways.me - Password:
requestShow@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/804-58-0x000000000044C8CE-mapping.dmp family_agenttesla behavioral1/memory/804-57-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/804-59-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/804-60-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
Processes:
catalogue.exedescription pid process target process PID 1924 set thread context of 804 1924 catalogue.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 804 RegSvcs.exe 804 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
catalogue.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 1924 catalogue.exe Token: SeDebugPrivilege 804 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
catalogue.exeRegSvcs.exepid process 1924 catalogue.exe 1924 catalogue.exe 804 RegSvcs.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
catalogue.exeRegSvcs.exedescription pid process target process PID 1924 wrote to memory of 1956 1924 catalogue.exe schtasks.exe PID 1924 wrote to memory of 1956 1924 catalogue.exe schtasks.exe PID 1924 wrote to memory of 1956 1924 catalogue.exe schtasks.exe PID 1924 wrote to memory of 1956 1924 catalogue.exe schtasks.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 1924 wrote to memory of 804 1924 catalogue.exe RegSvcs.exe PID 804 wrote to memory of 1096 804 RegSvcs.exe netsh.exe PID 804 wrote to memory of 1096 804 RegSvcs.exe netsh.exe PID 804 wrote to memory of 1096 804 RegSvcs.exe netsh.exe PID 804 wrote to memory of 1096 804 RegSvcs.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\catalogue.exe"C:\Users\Admin\AppData\Local\Temp\catalogue.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jZUqGdZLb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmpMD5
c9c84f201aad3f7a6622300814a70cfe
SHA17eb2133169ad5204f6e6299f84d1730b9a5849b3
SHA2564b9404cf707a09c98a8e7bcee88841a6359b7732a0b36cf2adc657dfdff78cef
SHA5120d6d2cafe9178f806062269848a957da52a6029e879334b388ac80a763c3736cbbb562246b43c7f49bcfa0001d6c8bae968b572f5699045fbd34e045c6fc8255
-
memory/744-54-0x000007FEF6270000-0x000007FEF64EA000-memory.dmpFilesize
2.5MB
-
memory/804-58-0x000000000044C8CE-mapping.dmp
-
memory/804-57-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/804-59-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/804-60-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1096-61-0x0000000000000000-mapping.dmp
-
memory/1956-55-0x0000000000000000-mapping.dmp