Analysis
- max time kernel: 59s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: New PO JINDAL GROUP JUNE SUPPLIES.exe
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: New PO JINDAL GROUP JUNE SUPPLIES.exe
  - Resource: win10v20201028
General
- Target: New PO JINDAL GROUP JUNE SUPPLIES.exe
- Size: 707KB
- MD5: 56691af2924510627ff5ebfebbf34ae6
- SHA1: 2da88ce034e652d40d621a1cc3fe5abc6a5c46d5
- SHA256: bd0942599a238c4cdc3c2da9351ce62e14e6a212513ddd66b9da598fb35dcbf2
- SHA512: e52797941bb070cbb091387e236218911a7738a623bf4cd4be97e2c9de12985acc115626dde57711ec5b0610b8d88bb6be9ad75d430f06972a16f89c25afd0f9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.ilclaw.com.ph
- Port: 587
- Username: emingles@ilclaw.com.ph
- Password: P@ssw0rd
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer (1 IoCs)
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
  Processes (resource / yara_rule):
  - behavioral1/memory/1032-6-0x0000000000470000-0x0000000000472000-memory.dmp / coreentity
- AgentTesla Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/780-11-0x000000000044C46E-mapping.dmp / family_agenttesla
  - behavioral1/memory/780-10-0x0000000000400000-0x0000000000452000-memory.dmp / family_agenttesla
  - behavioral1/memory/780-12-0x0000000000400000-0x0000000000452000-memory.dmp / family_agenttesla
  - behavioral1/memory/780-13-0x0000000000400000-0x0000000000452000-memory.dmp / family_agenttesla
- Processes (resource / yara_rule):
  - behavioral1/memory/1032-7-0x00000000021A0000-0x00000000021F3000-memory.dmp / rezer0
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1032 set thread context of 780 / 1032 / New PO JINDAL GROUP JUNE SUPPLIES.exe / New PO JINDAL GROUP JUNE SUPPLIES.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 780 / New PO JINDAL GROUP JUNE SUPPLIES.exe
  - 780 / New PO JINDAL GROUP JUNE SUPPLIES.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1032 / New PO JINDAL GROUP JUNE SUPPLIES.exe
  - Token: SeDebugPrivilege / 780 / New PO JINDAL GROUP JUNE SUPPLIES.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / pid / process / target process):
  - PID 1032 wrote to memory of 1532 / 1032 / New PO JINDAL GROUP JUNE SUPPLIES.exe / schtasks.exe (4 identical entries)
  - PID 1032 wrote to memory of 780 / 1032 / New PO JINDAL GROUP JUNE SUPPLIES.exe / New PO JINDAL GROUP JUNE SUPPLIES.exe (9 identical entries)
  - PID 780 wrote to memory of 912 / 780 / New PO JINDAL GROUP JUNE SUPPLIES.exe / netsh.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\New PO JINDAL GROUP JUNE SUPPLIES.exe (PID 1032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New PO JINDAL GROUP JUNE SUPPLIES.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1532)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqyzRQawmJj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\New PO JINDAL GROUP JUNE SUPPLIES.exe (PID 780)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 912)
      Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp
  - MD5: bebc9326796bb5c8773232edfd95436e
  - SHA1: 8691762437a6784573ae80db8cfa9e7477ca6d8f
  - SHA256: 23406cb8bb4bd93e3930312b34307e302196e95ec11243fb9d270746a53dc487
  - SHA512: 7ac83c120f812b5e06bc8a9d1afa8422517f2d2a9a81ec0c0a3919ca7e7762d5bda84588d8303fcf6f1bb68e95735a89fcadde3796242b31d619c4d6eb38d5ef
- memory/780-12-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/780-11-0x000000000044C46E-mapping.dmp
- memory/780-10-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/780-13-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/780-14-0x0000000074670000-0x0000000074D5E000-memory.dmp (Filesize: 6.9MB)
- memory/912-17-0x0000000000000000-mapping.dmp
- memory/1032-3-0x00000000003E0000-0x000000000043E000-memory.dmp (Filesize: 376KB)
- memory/1032-6-0x0000000000470000-0x0000000000472000-memory.dmp (Filesize: 8KB)
- memory/1032-7-0x00000000021A0000-0x00000000021F3000-memory.dmp (Filesize: 332KB)
- memory/1032-1-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
- memory/1032-0-0x00000000746F0000-0x0000000074DDE000-memory.dmp (Filesize: 6.9MB)
- memory/1532-8-0x0000000000000000-mapping.dmp