Analysis
-
max time kernel
85s -
max time network
102s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:59
Static task
static1
Behavioral task
behavioral1
Sample
6 x 40ft Containers.exe
Resource
win7v20201028
General
-
Target
6 x 40ft Containers.exe
-
Size
465KB
-
MD5
aed60ac814a62d82531d6bd327570320
-
SHA1
863c5a7b2525ad3a3acd80cd9eb4a582dea5ab8f
-
SHA256
43102baba4383d06d675a03ae51962493a841b6d15389bc82145df70fbbd47b7
-
SHA512
a40a9aac4e5917ee75f962e2291fc96c5d384b253115194c31c06f5766fabd6b486ea76eafd562ba17c1f9ed25ca1f0e41d9fd5e9506d096396fb89c1609d1ae
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
sales01@seedwellresources.xyz - Password:
coronavirus2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1004-10-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral2/memory/1004-11-0x0000000000446E8E-mapping.dmp family_agenttesla -
Processes:
resource yara_rule behavioral2/memory/4800-6-0x0000000005940000-0x000000000598D000-memory.dmp rezer0 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
6 x 40ft Containers.exedescription pid process target process PID 4800 set thread context of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
6 x 40ft Containers.exeRegSvcs.exepid process 4800 6 x 40ft Containers.exe 4800 6 x 40ft Containers.exe 4800 6 x 40ft Containers.exe 4800 6 x 40ft Containers.exe 1004 RegSvcs.exe 1004 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
6 x 40ft Containers.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 4800 6 x 40ft Containers.exe Token: SeDebugPrivilege 1004 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegSvcs.exepid process 1004 RegSvcs.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
6 x 40ft Containers.exedescription pid process target process PID 4800 wrote to memory of 452 4800 6 x 40ft Containers.exe schtasks.exe PID 4800 wrote to memory of 452 4800 6 x 40ft Containers.exe schtasks.exe PID 4800 wrote to memory of 452 4800 6 x 40ft Containers.exe schtasks.exe PID 4800 wrote to memory of 896 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 896 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 896 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 936 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 936 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 936 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe PID 4800 wrote to memory of 1004 4800 6 x 40ft Containers.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6 x 40ft Containers.exe"C:\Users\Admin\AppData\Local\Temp\6 x 40ft Containers.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vaYOZqrR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF28.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEF28.tmpMD5
74955a321154f94e8090720eb1655485
SHA1dc836b0b6725801f26f66b1f512489f2ce6bedb8
SHA256e26e24e266040ece1d54a3801c64ae16b820eafc629f39d506a181a4a9155771
SHA512813fbcaa83d16dda9432fce42530398b255ce891fa5c912f65f6e98918d8628ddfc3b30fd99e9617a67b23dc52a83f12d78f4f420b8c96e3a4801fd12376c50f
-
memory/452-8-0x0000000000000000-mapping.dmp
-
memory/1004-20-0x00000000062F0000-0x00000000062F1000-memory.dmpFilesize
4KB
-
memory/1004-18-0x0000000005E10000-0x0000000005E11000-memory.dmpFilesize
4KB
-
memory/1004-17-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/1004-12-0x00000000739D0000-0x00000000740BE000-memory.dmpFilesize
6.9MB
-
memory/1004-11-0x0000000000446E8E-mapping.dmp
-
memory/1004-10-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4800-4-0x00000000012E0000-0x00000000012EF000-memory.dmpFilesize
60KB
-
memory/4800-7-0x0000000005E90000-0x0000000005E91000-memory.dmpFilesize
4KB
-
memory/4800-6-0x0000000005940000-0x000000000598D000-memory.dmpFilesize
308KB
-
memory/4800-5-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/4800-0-0x00000000739D0000-0x00000000740BE000-memory.dmpFilesize
6.9MB
-
memory/4800-3-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/4800-1-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB