Analysis
-
max time kernel
15s -
max time network
14s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:38
Static task
static1
Behavioral task
behavioral1
Sample
PO2056.scr.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO2056.scr.exe
Resource
win10v20201028
General
-
Target
PO2056.scr.exe
-
Size
493KB
-
MD5
03372cc1dcb3916e8f10c5cee22a7a83
-
SHA1
3d469b28ab0c92e71c75e513eebeb0fcfe279542
-
SHA256
b1d81765575179f6a75ca6b10d710624cfb016668d79be17921f0babbe466bfb
-
SHA512
aba7c2121d868c79ca5bd8d41af5c489d63295efebd86362805cddc1718c87deba47cc8b2a829992ade90916d6c83eaf10bd7f4aeb2a04b0899b57cba715e5cc
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Processes:
resource yara_rule behavioral1/memory/1824-4-0x0000000000500000-0x0000000000503000-memory.dmp coreentity -
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1824-6-0x0000000000E60000-0x0000000000EAA000-memory.dmp family_agenttesla -
Processes:
resource yara_rule behavioral1/memory/1824-5-0x0000000000B40000-0x0000000000B91000-memory.dmp rezer0 -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
PO2056.scr.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGGetsjC = "C:\\Users\\Admin\\AppData\\Roaming\\gwlzyMB\\lDDgR.exe" PO2056.scr.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
PO2056.scr.exepid process 1824 PO2056.scr.exe 1824 PO2056.scr.exe 1824 PO2056.scr.exe 1824 PO2056.scr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO2056.scr.exedescription pid process Token: SeDebugPrivilege 1824 PO2056.scr.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1824-0-0x0000000074570000-0x0000000074C5E000-memory.dmpFilesize
6.9MB
-
memory/1824-1-0x0000000001120000-0x0000000001121000-memory.dmpFilesize
4KB
-
memory/1824-3-0x00000000004A0000-0x00000000004FA000-memory.dmpFilesize
360KB
-
memory/1824-4-0x0000000000500000-0x0000000000503000-memory.dmpFilesize
12KB
-
memory/1824-5-0x0000000000B40000-0x0000000000B91000-memory.dmpFilesize
324KB
-
memory/1824-6-0x0000000000E60000-0x0000000000EAA000-memory.dmpFilesize
296KB