Analysis
- max time kernel: 124s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: catologdesign.exe
- Resource: win7v20201028
General
- Target: catologdesign.exe
- Size: 441KB
- MD5: ed10b06e6601040d301ed58087927a9f
- SHA1: 015769a2521de39c9a6f9a299ca8156c8395e187
- SHA256: 41ee86a60102a3221d2f8a3a1ba91567087e8f58504dcb764cc5f942af3c6a61
- SHA512: e4ab8d6916c8f4dcb17a02197b7b60e40e9442132bc2385f7392a8f54c3d99170dd76c0523b0bea39673a2ca2ccc43ad80b9e8d1a52de2281ecc2f8b2fb8969f
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Resource / YARA rule:
- behavioral1/memory/980-7-0x0000000000400000-0x000000000044A000-memory.dmp: family_agenttesla
- behavioral1/memory/980-8-0x0000000000445A5E-mapping.dmp: family_agenttesla
- behavioral1/memory/980-9-0x0000000000400000-0x000000000044A000-memory.dmp: family_agenttesla
- behavioral1/memory/980-10-0x0000000000400000-0x000000000044A000-memory.dmp: family_agenttesla
-
Resource / YARA rule:
- behavioral1/memory/784-4-0x0000000000770000-0x00000000007BC000-memory.dmp: rezer0
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 784 set thread context of 980 | pid: 784 | process: catologdesign.exe | target process: catologdesign.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid: 980 | process: catologdesign.exe
- pid: 980 | process: catologdesign.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege | pid: 980 | process: catologdesign.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid: 980 | process: catologdesign.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- description: PID 784 wrote to memory of 848 | pid: 784 | process: catologdesign.exe | target process: schtasks.exe (4 entries)
- description: PID 784 wrote to memory of 980 | pid: 784 | process: catologdesign.exe | target process: catologdesign.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\catologdesign.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\catologdesign.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CZTjLVzk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21D3.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\catologdesign.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp21D3.tmp
- MD5: c198daedbe9a302df4b75249477e5fba
- SHA1: 9224185a858da07e2952105a27b6ac5ff489d1dc
- SHA256: 22a114f77bedc68824817c3658f8e14b71c86462c39da66f99b77e25e91ab40d
- SHA512: d6fb7b5badd3cfc17b815fd48c13a1341a2e37fce34d695a50049d5687ccc3c09eebfa591ebf8335781aff400c0cb607d921f62f083e2896f59f9e487f9de123
-
- memory/784-0-0x00000000748A0000-0x0000000074F8E000-memory.dmp (filesize 6.9MB)
- memory/784-1-0x0000000001140000-0x0000000001141000-memory.dmp (filesize 4KB)
- memory/784-3-0x0000000000330000-0x000000000033F000-memory.dmp (filesize 60KB)
- memory/784-4-0x0000000000770000-0x00000000007BC000-memory.dmp (filesize 304KB)
- memory/848-5-0x0000000000000000-mapping.dmp
- memory/980-7-0x0000000000400000-0x000000000044A000-memory.dmp (filesize 296KB)
- memory/980-8-0x0000000000445A5E-mapping.dmp
- memory/980-9-0x0000000000400000-0x000000000044A000-memory.dmp (filesize 296KB)
- memory/980-10-0x0000000000400000-0x000000000044A000-memory.dmp (filesize 296KB)
- memory/980-11-0x00000000748A0000-0x0000000074F8E000-memory.dmp (filesize 6.9MB)