Analysis
-
max time kernel
76s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:38
General
-
Target
Quotations pictures and desisgns.jpg.exe
-
Size
525KB
-
MD5
9b9c7215b4e1d0a7a7f8f8bd9230c08a
-
SHA1
34036cd7ceb8a49bfcd696f289f45b3d4d63e4a1
-
SHA256
3b272d130c1f4efa53d4c300ab9421f1ffa00c2983c5c0e2ce000f278db78269
-
SHA512
c8b873c73dd3947331272836efe26b16f84f0383c5a89ce65428a107994c4c3238aa3559000361f0718a9d15230eaadfa9a14242a3d47faad516dda07275b768
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload 1 IoCs
-
rezer0 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotations pictures and desisgns.jpg.exe"C:\Users\Admin\AppData\Local\Temp\Quotations pictures and desisgns.jpg.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nHIkbk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD3B1.tmpMD5
761d6fb7897671fa70650f427faadb4c
SHA13003681778362169fa53cad86d90c4efb99c893c
SHA25634949633b2ee8f229b6b293f51c14938d81c982e703de829456bf3a276e045c7
SHA51252203f4214a96a7d5501802eb07a2d6ce7cdd520434ed6922e9120fe0462910758a3d3d128373a513556894cc2dc040ba8e09aa55919d7c0cb2951e351cf61f7
-
memory/644-10-0x0000000000000000-mapping.dmp
-
memory/1532-15-0x0000000000000000-mapping.dmp
-
memory/4768-4-0x0000000007DD0000-0x0000000007DD1000-memory.dmpFilesize
4KB
-
memory/4768-5-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/4768-6-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/4768-7-0x0000000005290000-0x0000000005293000-memory.dmpFilesize
12KB
-
memory/4768-8-0x0000000009EA0000-0x0000000009EF3000-memory.dmpFilesize
332KB
-
memory/4768-9-0x0000000009FA0000-0x0000000009FA1000-memory.dmpFilesize
4KB
-
memory/4768-0-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4768-3-0x0000000007630000-0x000000000768E000-memory.dmpFilesize
376KB
-
memory/4768-12-0x000000000A7D0000-0x000000000A81C000-memory.dmpFilesize
304KB
-
memory/4768-13-0x000000000A850000-0x000000000A851000-memory.dmpFilesize
4KB
-
memory/4768-14-0x000000000A8F0000-0x000000000A8F1000-memory.dmpFilesize
4KB
-
memory/4768-1-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB