Analysis
-
max time kernel
127s -
max time network
126s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:59
Static task
static1
Behavioral task
behavioral1
Sample
Doc.exe
Resource
win7v20201028
General
-
Target
Doc.exe
-
Size
478KB
-
MD5
bf08620d6295f47bdde72569b43677ca
-
SHA1
2afe1a20b5cd9255ac5429aaf7b7df3849f9c578
-
SHA256
88502fda993fde73909371ca6813191b0af2d571632c1ebd5c92bd3a844af1c9
-
SHA512
8b56773ffc23603b18f9c549291a6fa3010f17d33fdad55039eeb81b393cd8d9b8251ccc1e4148e54f879980bc1ef80ee75bcbf99abc7af7c4034827cc6fbb6e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.kalatecnic.com - Port:
587 - Username:
comercial@kalatecnic.com - Password:
Barcelona08397
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1956-8-0x000000000044CDCE-mapping.dmp family_agenttesla behavioral1/memory/1956-9-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1956-10-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Processes:
resource yara_rule behavioral1/memory/1068-4-0x0000000000FB0000-0x0000000001003000-memory.dmp rezer0 -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Doc.exedescription pid process target process PID 1068 set thread context of 1956 1068 Doc.exe Doc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Doc.exeDoc.exepid process 1068 Doc.exe 1068 Doc.exe 1068 Doc.exe 1956 Doc.exe 1956 Doc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Doc.exeDoc.exedescription pid process Token: SeDebugPrivilege 1068 Doc.exe Token: SeDebugPrivilege 1956 Doc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Doc.exeDoc.exedescription pid process target process PID 1068 wrote to memory of 1080 1068 Doc.exe schtasks.exe PID 1068 wrote to memory of 1080 1068 Doc.exe schtasks.exe PID 1068 wrote to memory of 1080 1068 Doc.exe schtasks.exe PID 1068 wrote to memory of 1080 1068 Doc.exe schtasks.exe PID 1068 wrote to memory of 368 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 368 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 368 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 368 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1068 wrote to memory of 1956 1068 Doc.exe Doc.exe PID 1956 wrote to memory of 900 1956 Doc.exe netsh.exe PID 1956 wrote to memory of 900 1956 Doc.exe netsh.exe PID 1956 wrote to memory of 900 1956 Doc.exe netsh.exe PID 1956 wrote to memory of 900 1956 Doc.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doc.exe"C:\Users\Admin\AppData\Local\Temp\Doc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\chjgYQTVsGlXd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Doc.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Doc.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1120.tmpMD5
ab9094860354de47b165f444659c8f96
SHA1533f845b99be29efb71c96110d9bbcc09a3a63ce
SHA256deeb0fd0a2420553560dca55a34513e53e74475d00dff2c4d912ef10831f1dda
SHA5121e0d104d910ccac128336e8a2b0c508146017fc25340d9bd6a1b02b13aa5b517869eb3bd7b8ed8737a3bf60a88b3648d37294950c2e56842af604cc8e7f64dba
-
memory/900-14-0x0000000000000000-mapping.dmp
-
memory/1068-0-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB
-
memory/1068-1-0x0000000001260000-0x0000000001261000-memory.dmpFilesize
4KB
-
memory/1068-3-0x00000000002B0000-0x00000000002BF000-memory.dmpFilesize
60KB
-
memory/1068-4-0x0000000000FB0000-0x0000000001003000-memory.dmpFilesize
332KB
-
memory/1080-5-0x0000000000000000-mapping.dmp
-
memory/1956-7-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1956-8-0x000000000044CDCE-mapping.dmp
-
memory/1956-9-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1956-10-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1956-11-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB