Analysis
max time kernel: 77s
max time network: 108s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:37
Behavioral task: behavioral1
Sample: H8pkkXDMNSesvys.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: H8pkkXDMNSesvys.exe
Resource: win10v20201028
General
Target: H8pkkXDMNSesvys.exe
Size: 524KB
MD5: 876593a2d1bede193fcc3ef81b5eef4e
SHA1: 5ad79510851f743bb4be257e36a6a0729c5679d3
SHA256: e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2
SHA512: 1290c80cbd1b81bd3cb845160ee0e513cf186355a5fa4bd91dc02b4ca2cf8a5b06ff31d7db1ca7f9add5062ee92bf52a77f9a56be01f872b10e9b49d3f64af98
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: uz@cairoways.me
Password: 09012345@
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes:
resource | yara_rule
behavioral1/memory/1664-5-0x0000000000300000-0x0000000000303000-memory.dmp | coreentity
AgentTesla Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1556-10-0x000000000044C63E-mapping.dmp | family_agenttesla
behavioral1/memory/1556-9-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1556-11-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1556-12-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Processes:
resource | yara_rule
behavioral1/memory/1664-6-0x00000000011A0000-0x00000000011F3000-memory.dmp | rezer0
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1664 set thread context of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1556 | RegSvcs.exe
1556 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1664 | H8pkkXDMNSesvys.exe
Token: SeDebugPrivilege | 1556 | RegSvcs.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
1664 | H8pkkXDMNSesvys.exe
1664 | H8pkkXDMNSesvys.exe
1556 | RegSvcs.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description | pid | process | target process
PID 1664 wrote to memory of 1728 | 1664 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 1664 wrote to memory of 1728 | 1664 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 1664 wrote to memory of 1728 | 1664 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 1664 wrote to memory of 1728 | 1664 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1664 wrote to memory of 1556 | 1664 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1556 wrote to memory of 1168 | 1556 | RegSvcs.exe | netsh.exe
PID 1556 wrote to memory of 1168 | 1556 | RegSvcs.exe | netsh.exe
PID 1556 wrote to memory of 1168 | 1556 | RegSvcs.exe | netsh.exe
PID 1556 wrote to memory of 1168 | 1556 | RegSvcs.exe | netsh.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WQObBcOAIj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E63.tmp"
    - Creates scheduled task(s)

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E63.tmp
MD5: 862e59439ef39b32fc2bce72b9d9b88a
SHA1: 999e493e1412e706180c608817d6f4ba97ae1941
SHA256: 0f2fd15e2cda356a86674603afe7b442895997704fd76dd48261c8898b9d393a
SHA512: 0956641b2ae58fbc4a6d522cfdecd033f5025d33b49fdb1346a6b1be97e536b093c31a0a5d3afd9d4b4d9581daadf5a8db5f89a63916432f75945a3856ca56c9

memory/868-4-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp
Filesize: 2.5MB

memory/1168-16-0x0000000000000000-mapping.dmp

memory/1556-9-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize: 328KB

memory/1556-10-0x000000000044C63E-mapping.dmp

memory/1556-11-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize: 328KB

memory/1556-12-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize: 328KB

memory/1556-13-0x0000000074000000-0x00000000746EE000-memory.dmp
Filesize: 6.9MB

memory/1664-5-0x0000000000300000-0x0000000000303000-memory.dmp
Filesize: 12KB

memory/1664-6-0x00000000011A0000-0x00000000011F3000-memory.dmp
Filesize: 332KB

memory/1664-3-0x0000000000480000-0x00000000004D8000-memory.dmp
Filesize: 352KB

memory/1664-0-0x0000000074000000-0x00000000746EE000-memory.dmp
Filesize: 6.9MB

memory/1664-1-0x0000000001200000-0x0000000001201000-memory.dmp
Filesize: 4KB

memory/1728-7-0x0000000000000000-mapping.dmp