Analysis

- Max time kernel: 63s
- Max time network: 124s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: PO-37566324756834756_XLS.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: PO-37566324756834756_XLS.exe
- Resource: win10v20201028
General

- Target: PO-37566324756834756_XLS.exe
- Size: 714KB
- MD5: b56b7bea3cd94a84afa1024aea59ac6d
- SHA1: 4d95aee7d7ad2463e0c5a47687057bd390df6430
- SHA256: d8525b2302c08306f63aa470ca7e081dbf35669af349cd1224d1485ecff71d43
- SHA512: c5791e1a79e8ca31a5ddc14d7ed7c071bfcc518d5e2a5bed8c6c1ec5d08962a3d3bf83833024d6de819d90b173eff0ad06ab0b89415990c24e17926c40f4105f
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: mail.karcek.com.tr
- Port: 587
- Username: info@karcek.com.tr
- Password: Ahmet.6193
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1888-6-0x000000000044C9FE-mapping.dmp | family_agenttesla
    behavioral2/memory/1888-5-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PO-37566324756834756_XLS.exe
    description | pid | process | target process
    PID 1028 set thread context of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Modifies registry key (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid | process
    1888 | RegSvcs.exe
    1888 | RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PO-37566324756834756_XLS.exe, RegSvcs.exe
    description | pid | process
    Token: SeDebugPrivilege | 1028 | PO-37566324756834756_XLS.exe
    Token: SeDebugPrivilege | 1888 | RegSvcs.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PO-37566324756834756_XLS.exe
    pid | process
    1028 | PO-37566324756834756_XLS.exe
    1028 | PO-37566324756834756_XLS.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: PO-37566324756834756_XLS.exe, RegSvcs.exe
    description | pid | process | target process
    PID 1028 wrote to memory of 1504 | 1028 | PO-37566324756834756_XLS.exe | schtasks.exe
    PID 1028 wrote to memory of 1504 | 1028 | PO-37566324756834756_XLS.exe | schtasks.exe
    PID 1028 wrote to memory of 1504 | 1028 | PO-37566324756834756_XLS.exe | schtasks.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1028 wrote to memory of 1888 | 1028 | PO-37566324756834756_XLS.exe | RegSvcs.exe
    PID 1888 wrote to memory of 1344 | 1888 | RegSvcs.exe | REG.exe
    PID 1888 wrote to memory of 1344 | 1888 | RegSvcs.exe | REG.exe
    PID 1888 wrote to memory of 1344 | 1888 | RegSvcs.exe | REG.exe
    PID 1888 wrote to memory of 3728 | 1888 | RegSvcs.exe | netsh.exe
    PID 1888 wrote to memory of 3728 | 1888 | RegSvcs.exe | netsh.exe
    PID 1888 wrote to memory of 3728 | 1888 | RegSvcs.exe | netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNbKBooAq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F3C.tmp"
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      - Modifies registry key

    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp5F3C.tmp
  MD5: cf2031c7f730acafd5b6cb1365bc80cf
  SHA1: 61c4dca27705be036965461c546be53e025597d4
  SHA256: 81795bd5dbde80bfac65a1bf76148b3d9be9aa693c5393714337d399af199460
  SHA512: bc7a6939ca86d5a7d98dc65e0988d5f80bfd64c1f08f42cc15ce35099ed2dc73d0fc7ed1e395987a1b139fc2dde72e18941c8d8ef5e7d7ea7f9768d75cbba9df

- memory/1344-7-0x0000000000000000-mapping.dmp

- memory/1504-3-0x0000000000000000-mapping.dmp

- memory/1888-6-0x000000000044C9FE-mapping.dmp

- memory/1888-5-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

- memory/3728-8-0x0000000000000000-mapping.dmp