Analysis
-
max time kernel
116s -
max time network
133s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
General
-
Target
H8pkkXDMNSesvys.exe
-
Size
524KB
-
MD5
876593a2d1bede193fcc3ef81b5eef4e
-
SHA1
5ad79510851f743bb4be257e36a6a0729c5679d3
-
SHA256
e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2
-
SHA512
1290c80cbd1b81bd3cb845160ee0e513cf186355a5fa4bd91dc02b4ca2cf8a5b06ff31d7db1ca7f9add5062ee92bf52a77f9a56be01f872b10e9b49d3f64af98
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
uz@cairoways.me - Password:
09012345@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload 2 IoCs
-
rezer0 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe"C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WQObBcOAIj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2EA.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB2EA.tmpMD5
8c1ea820b7efe9ca81c1902e04dad93b
SHA1ffb08591112a8053a677fd7de04bb640e6dc5d98
SHA25634ffde9837baabdbd2bd0e87e76a1eb94f8e86c6c9304bbc91469a370f8585fd
SHA512861cb0479cddd4a2762f70b09138422db897e7611164c8f4e19b0a0d43c2cb1d21a3740e290258a10c4b5fd49455a798708aaacbee68a20b3920ffb5c5512cc6
-
memory/580-9-0x000000000B1C0000-0x000000000B1C1000-memory.dmpFilesize
4KB
-
memory/580-1-0x0000000000D20000-0x0000000000D21000-memory.dmpFilesize
4KB
-
memory/580-4-0x0000000007FD0000-0x0000000007FD1000-memory.dmpFilesize
4KB
-
memory/580-5-0x0000000007B70000-0x0000000007B71000-memory.dmpFilesize
4KB
-
memory/580-0-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/580-7-0x0000000005030000-0x0000000005033000-memory.dmpFilesize
12KB
-
memory/580-3-0x00000000055B0000-0x0000000005608000-memory.dmpFilesize
352KB
-
memory/580-8-0x000000000AC40000-0x000000000AC93000-memory.dmpFilesize
332KB
-
memory/580-6-0x0000000007B20000-0x0000000007B21000-memory.dmpFilesize
4KB
-
memory/1376-12-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/1376-13-0x000000000044C63E-mapping.dmp
-
memory/1376-14-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/1376-19-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/1376-20-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/3844-21-0x0000000000000000-mapping.dmp
-
memory/3916-10-0x0000000000000000-mapping.dmp