Analysis
- max time kernel: 116s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: H8pkkXDMNSesvys.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: H8pkkXDMNSesvys.exe
- Resource: win10v20201028
General
- Target: H8pkkXDMNSesvys.exe
- Size: 524KB
- MD5: 876593a2d1bede193fcc3ef81b5eef4e
- SHA1: 5ad79510851f743bb4be257e36a6a0729c5679d3
- SHA256: e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2
- SHA512: 1290c80cbd1b81bd3cb845160ee0e513cf186355a5fa4bd91dc02b4ca2cf8a5b06ff31d7db1ca7f9add5062ee92bf52a77f9a56be01f872b10e9b49d3f64af98
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: uz@cairoways.me
- Password: 09012345@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes:
resource | yara_rule
behavioral2/memory/580-7-0x0000000005030000-0x0000000005033000-memory.dmp | coreentity
-
AgentTesla Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1376-12-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral2/memory/1376-13-0x000000000044C63E-mapping.dmp | family_agenttesla
-
Processes:
resource | yara_rule
behavioral2/memory/580-8-0x000000000AC40000-0x000000000AC93000-memory.dmp | rezer0
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 580 set thread context of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1376 | RegSvcs.exe
1376 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 580 | H8pkkXDMNSesvys.exe
Token: SeDebugPrivilege | 1376 | RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
580 | H8pkkXDMNSesvys.exe
580 | H8pkkXDMNSesvys.exe
1376 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 580 wrote to memory of 3916 | 580 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 580 wrote to memory of 3916 | 580 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 580 wrote to memory of 3916 | 580 | H8pkkXDMNSesvys.exe | schtasks.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 580 wrote to memory of 1376 | 580 | H8pkkXDMNSesvys.exe | RegSvcs.exe
PID 1376 wrote to memory of 3844 | 1376 | RegSvcs.exe | netsh.exe
PID 1376 wrote to memory of 3844 | 1376 | RegSvcs.exe | netsh.exe
PID 1376 wrote to memory of 3844 | 1376 | RegSvcs.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WQObBcOAIj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2EA.tmp"
  - Creates scheduled task(s)
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "{path}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\netsh.exe
    Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB2EA.tmp
- MD5: 8c1ea820b7efe9ca81c1902e04dad93b
- SHA1: ffb08591112a8053a677fd7de04bb640e6dc5d98
- SHA256: 34ffde9837baabdbd2bd0e87e76a1eb94f8e86c6c9304bbc91469a370f8585fd
- SHA512: 861cb0479cddd4a2762f70b09138422db897e7611164c8f4e19b0a0d43c2cb1d21a3740e290258a10c4b5fd49455a798708aaacbee68a20b3920ffb5c5512cc6
-
memory/580-9-0x000000000B1C0000-0x000000000B1C1000-memory.dmp (Filesize: 4KB)
-
memory/580-1-0x0000000000D20000-0x0000000000D21000-memory.dmp (Filesize: 4KB)
-
memory/580-4-0x0000000007FD0000-0x0000000007FD1000-memory.dmp (Filesize: 4KB)
-
memory/580-5-0x0000000007B70000-0x0000000007B71000-memory.dmp (Filesize: 4KB)
-
memory/580-0-0x0000000073F80000-0x000000007466E000-memory.dmp (Filesize: 6.9MB)
-
memory/580-7-0x0000000005030000-0x0000000005033000-memory.dmp (Filesize: 12KB)
-
memory/580-3-0x00000000055B0000-0x0000000005608000-memory.dmp (Filesize: 352KB)
-
memory/580-8-0x000000000AC40000-0x000000000AC93000-memory.dmp (Filesize: 332KB)
-
memory/580-6-0x0000000007B20000-0x0000000007B21000-memory.dmp (Filesize: 4KB)
-
memory/1376-12-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
-
memory/1376-13-0x000000000044C63E-mapping.dmp
-
memory/1376-14-0x0000000073F80000-0x000000007466E000-memory.dmp (Filesize: 6.9MB)
-
memory/1376-19-0x0000000004A40000-0x0000000004A41000-memory.dmp (Filesize: 4KB)
-
memory/1376-20-0x0000000005610000-0x0000000005611000-memory.dmp (Filesize: 4KB)
-
memory/3844-21-0x0000000000000000-mapping.dmp
-
memory/3916-10-0x0000000000000000-mapping.dmp