Analysis
- max time kernel: 37s
- max time network: 39s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:29

Static task: static1
Behavioral task: behavioral1
Sample: CETC-Request.exe
Resource: win7v20201028
General
- Target: CETC-Request.exe
- Size: 704KB
- MD5: effed7e2c9577b71101867f764e647c4
- SHA1: 136751dc76b63296ca977a044bf71f85ef860d06
- SHA256: 3363075fd1a09ada8858a47b099c702028f26705c5967633ee92f341817db3b3
- SHA512: 6411bc672650af696c15fd4bdf36577c9a9ce4fa1ba0465c9f01ca97965545e22c4a87545162d2dd6ca23ed9264fc4f6e53175da744fe617049701be8d1b7179
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: dmkozlovd@yandex.ru
- Password: Starboy@22
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2004-304-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
  behavioral1/memory/2004-305-0x000000000044A6CE-mapping.dmp                     family_agenttesla
  behavioral1/memory/2004-306-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
  behavioral1/memory/2004-307-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
- Yara rule match: rezer0
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/344-301-0x0000000004720000-0x0000000004772000-memory.dmp    rezer0
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                           pid   process            target process
  PID 344 set thread context of 2004    344   CETC-Request.exe   CETC-Request.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid    process
  344    CETC-Request.exe
  344    CETC-Request.exe
  344    CETC-Request.exe
  2004   CETC-Request.exe
  2004   CETC-Request.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                pid    process
  Token: SeDebugPrivilege    344    CETC-Request.exe
  Token: SeDebugPrivilege    2004   CETC-Request.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid    process
  2004   CETC-Request.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description                      pid   process            target process
  PID 344 wrote to memory of 1528  344   CETC-Request.exe   schtasks.exe
  PID 344 wrote to memory of 1528  344   CETC-Request.exe   schtasks.exe
  PID 344 wrote to memory of 1528  344   CETC-Request.exe   schtasks.exe
  PID 344 wrote to memory of 1528  344   CETC-Request.exe   schtasks.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
  PID 344 wrote to memory of 2004  344   CETC-Request.exe   CETC-Request.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CETC-Request.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CETC-Request.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FpCHLvb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41E0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\CETC-Request.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp41E0.tmp
  MD5: c8c673263eefba8a04af5907ca6e0d97
  SHA1: fa10f2710e494f2b138ae5c5e9147998bcf6551f
  SHA256: c2c73c003cf4107cf1bdd45702f57e6cf7bc7604df5b19c9ccb3a7275b2ecdf0
  SHA512: 1aaed6f5e17a055c9a1c24db27bfdb89da12865efe74a82b8b1da89328c494d3e12dd8066f45acf6a105f039e50fd795cfe65715f09a39c193679705d2dc60f7
- memory/344-300-0x00000000004B0000-0x00000000004B3000-memory.dmp
  Filesize: 12KB
- memory/344-3-0x0000000000960000-0x00000000009B9000-memory.dmp
  Filesize: 356KB
- memory/344-0-0x0000000073FF0000-0x00000000746DE000-memory.dmp
  Filesize: 6.9MB
- memory/344-301-0x0000000004720000-0x0000000004772000-memory.dmp
  Filesize: 328KB
- memory/344-1-0x0000000000C50000-0x0000000000C51000-memory.dmp
  Filesize: 4KB
- memory/344-308-0x0000000000A70000-0x0000000000AA0000-memory.dmp
  Filesize: 192KB
- memory/1528-302-0x0000000000000000-mapping.dmp
- memory/2004-304-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2004-305-0x000000000044A6CE-mapping.dmp
- memory/2004-306-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2004-307-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2004-311-0x0000000073FF0000-0x00000000746DE000-memory.dmp
  Filesize: 6.9MB