Analysis
- max time kernel: 45s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:22

Static task: static1
Behavioral task: behavioral1
- Sample: 914e8a972323d13655a858dbeef68ecb.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 914e8a972323d13655a858dbeef68ecb.exe
- Resource: win10v20201028
General
- Target: 914e8a972323d13655a858dbeef68ecb.exe
- Size: 398KB
- MD5: 914e8a972323d13655a858dbeef68ecb
- SHA1: e4acf88e66d758a2d1af678f56a1f4845acc2dbc
- SHA256: 94538948c885f55d6120782322773ad9a34d7c9c318938c850ac6d55bdd3ad52
- SHA512: e810b4850a4053037ce49b00a9b1038696c02e87443b014c21a6c10256cda78c540bc16502ea951239ab7e347fc16421e1fa51e8a8f00945ddcd1390537e81b2
Malware Config
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
Processes (resource, yara_rule):
behavioral2/memory/696-7-0x0000000005C90000-0x0000000005C92000-memory.dmp, coreentity
- AgentTesla Payload (1 IoC)
Processes (resource, yara_rule):
behavioral2/memory/696-9-0x0000000009040000-0x000000000908C000-memory.dmp, family_agenttesla
-
Processes (resource, yara_rule):
behavioral2/memory/696-8-0x0000000008EE0000-0x0000000008F33000-memory.dmp, rezer0
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 914e8a972323d13655a858dbeef68ecb.exe (pid, process):
696, 914e8a972323d13655a858dbeef68ecb.exe
696, 914e8a972323d13655a858dbeef68ecb.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 914e8a972323d13655a858dbeef68ecb.exe (description, pid, process):
Token: SeDebugPrivilege, 696, 914e8a972323d13655a858dbeef68ecb.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 914e8a972323d13655a858dbeef68ecb.exe (description, pid, process, target process):
PID 696 wrote to memory of 3704, 696, 914e8a972323d13655a858dbeef68ecb.exe, netsh.exe
PID 696 wrote to memory of 3704, 696, 914e8a972323d13655a858dbeef68ecb.exe, netsh.exe
PID 696 wrote to memory of 3704, 696, 914e8a972323d13655a858dbeef68ecb.exe, netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\914e8a972323d13655a858dbeef68ecb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\914e8a972323d13655a858dbeef68ecb.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/696-0-0x0000000073EE0000-0x00000000745CE000-memory.dmp, Filesize 6.9MB
- memory/696-1-0x0000000000E60000-0x0000000000E61000-memory.dmp, Filesize 4KB
- memory/696-3-0x0000000005CD0000-0x0000000005CD1000-memory.dmp, Filesize 4KB
- memory/696-4-0x0000000005710000-0x0000000005711000-memory.dmp, Filesize 4KB
- memory/696-5-0x00000000057F0000-0x00000000057F1000-memory.dmp, Filesize 4KB
- memory/696-6-0x0000000008C40000-0x0000000008C41000-memory.dmp, Filesize 4KB
- memory/696-7-0x0000000005C90000-0x0000000005C92000-memory.dmp, Filesize 8KB
- memory/696-8-0x0000000008EE0000-0x0000000008F33000-memory.dmp, Filesize 332KB
- memory/696-9-0x0000000009040000-0x000000000908C000-memory.dmp, Filesize 304KB
- memory/696-10-0x0000000009690000-0x0000000009691000-memory.dmp, Filesize 4KB
- memory/696-11-0x0000000009740000-0x0000000009741000-memory.dmp, Filesize 4KB
- memory/3704-12-0x0000000000000000-mapping.dmp