Analysis
- max time kernel: 62s
- max time network: 109s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: PO-37566324756834756_XLS.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PO-37566324756834756_XLS.exe
- Resource: win10v20201028
General
- Target: PO-37566324756834756_XLS.exe
- Size: 714KB
- MD5: b56b7bea3cd94a84afa1024aea59ac6d
- SHA1: 4d95aee7d7ad2463e0c5a47687057bd390df6430
- SHA256: d8525b2302c08306f63aa470ca7e081dbf35669af349cd1224d1485ecff71d43
- SHA512: c5791e1a79e8ca31a5ddc14d7ed7c071bfcc518d5e2a5bed8c6c1ec5d08962a3d3bf83833024d6de819d90b173eff0ad06ab0b89415990c24e17926c40f4105f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.karcek.com.tr
- Port: 587
- Username: info@karcek.com.tr
- Password: Ahmet.6193
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/744-3-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/744-4-0x000000000044C9FE-mapping.dmp                     family_agenttesla
    behavioral1/memory/744-5-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/744-6-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                        target process
    PID 1320 set thread context of 744   1320  PO-37566324756834756_XLS.exe   RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    744   RegSvcs.exe
    744   RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1320  PO-37566324756834756_XLS.exe
    Token: SeDebugPrivilege   744   RegSvcs.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1320  PO-37566324756834756_XLS.exe
    1320  PO-37566324756834756_XLS.exe
- Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed, count gives the number of occurrences)
  Processes:
    description                        pid   process                        target process   count
    PID 1320 wrote to memory of 1484   1320  PO-37566324756834756_XLS.exe   schtasks.exe     4
    PID 1320 wrote to memory of 744    1320  PO-37566324756834756_XLS.exe   RegSvcs.exe      12
    PID 744 wrote to memory of 1668    744   RegSvcs.exe                    REG.exe          4
    PID 744 wrote to memory of 1560    744   RegSvcs.exe                    netsh.exe        4
Processes
- C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNbKBooAq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC053.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe (level 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC053.tmp
  MD5: d6a1380148fbeb50d741e019157ca9d0
  SHA1: 1cea55c6adb842ccd4c61dbdbd22afb36aec67c0
  SHA256: 85a10af7eb431f5063be942b01fea466ffb6be88497dae389aff76a10f457be4
  SHA512: c8c4a6c5e1da4c4b09a63e6677a81f9f3e98b4e977c5ac1d68536a057e6bfc15a53f4b3d1eccdf33f9366f13974634cc7694686cd6253258f978249e6a7a29fe
- memory/744-3-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/744-4-0x000000000044C9FE-mapping.dmp
- memory/744-5-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/744-6-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/1484-1-0x0000000000000000-mapping.dmp
- memory/1560-10-0x0000000000000000-mapping.dmp
- memory/1668-8-0x0000000000000000-mapping.dmp
- memory/1792-0-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp
  Filesize: 2.5MB