Analysis
- max time kernel: 74s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: catalogue.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: catalogue.exe
- Resource: win10v20201028
General
- Target: catalogue.exe
- Size: 515KB
- MD5: 1c098e2524570249e1aa01afe50f3dde
- SHA1: f130b0404f94fb4ddfdd918b58734dc73d3e814f
- SHA256: d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c
- SHA512: b67b7f19b4dd15179720a82f2f62ce6a709b3adad7299afc86eff1cf8f00ebb660d710c8cf6b8d3bd7ef4653c41a4447e11e60cce817056494dffc9ee055ba91
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: admin@cairoways.me
- Password: requestShow@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/308-5-0x0000000000400000-0x0000000000452000-memory.dmp / family_agenttesla
  - behavioral2/memory/308-6-0x000000000044C8CE-mapping.dmp / family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 592 set thread context of 308 / 592 / catalogue.exe / RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 308 / RegSvcs.exe
  - 308 / RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 592 / catalogue.exe
  - Token: SeDebugPrivilege / 308 / RegSvcs.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid / process):
  - 592 / catalogue.exe
  - 592 / catalogue.exe
  - 308 / RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 592 wrote to memory of 3404 / 592 / catalogue.exe / schtasks.exe (3 entries)
  - PID 592 wrote to memory of 308 / 592 / catalogue.exe / RegSvcs.exe (8 entries)
  - PID 308 wrote to memory of 2164 / 308 / RegSvcs.exe / netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\catalogue.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\catalogue.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jZUqGdZLb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp
  MD5: 339cbb32f0100c13367271bcc73d4ddd
  SHA1: 7d02788af676c7cfc7fffdc8e0aec5445a999aa6
  SHA256: e775dc77e760b597ebc283fca92ac69d5422c7953debbe3e314b90b8eabd649f
  SHA512: f8e1c3cb4cf8aafcf6294acf9c20c618d5ef8a02fcc45a27ee24e3887cfbe7829042c05d446fdab5c304beba0227e74fbcacd27fc981600d3d5f9c89853bc2af
- memory/308-5-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/308-6-0x000000000044C8CE-mapping.dmp
- memory/2164-7-0x0000000000000000-mapping.dmp
- memory/3404-3-0x0000000000000000-mapping.dmp