Overview
overview
10Static
static
80x00010000...55.exe
windows7_x64
10x00010000...55.exe
windows10_x64
10x00010000...47.exe
windows7_x64
10x00010000...47.exe
windows10_x64
10x00010000...70.exe
windows7_x64
80x00010000...70.exe
windows10_x64
80x00010000...13.exe
windows7_x64
80x00010000...13.exe
windows10_x64
80x00020000...73.exe
windows7_x64
10x00020000...73.exe
windows10_x64
10x00020000...83.exe
windows7_x64
100x00020000...83.exe
windows10_x64
100x00020000...36.exe
windows7_x64
80x00020000...36.exe
windows10_x64
80x00020000...40.exe
windows7_x64
70x00020000...40.exe
windows10_x64
70x00030000...09.exe
windows7_x64
100x00030000...09.exe
windows10_x64
100x00030000...22.exe
windows7_x64
100x00030000...22.exe
windows10_x64
100x00030000...26.exe
windows7_x64
100x00030000...26.exe
windows10_x64
0x00030000...34.exe
windows7_x64
100x00030000...34.exe
windows10_x64
100x00030000...06.exe
windows7_x64
100x00030000...06.exe
windows10_x64
100x00030000...41.exe
windows7_x64
100x00030000...41.exe
windows10_x64
100x00030000...45.exe
windows7_x64
10x00030000...45.exe
windows10_x64
10x00030000...48.exe
windows7_x64
80x00030000...48.exe
windows10_x64
8Analysis
-
max time kernel
127s -
max time network
132s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-11-2020 10:45
Behavioral task
behavioral1
Sample
0x000100000001ab86-55.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0x000100000001ab86-55.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0x000100000001ab87-47.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
0x000100000001ab87-47.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
0x000100000001ab9c-70.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
0x000100000001ab9c-70.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
0x000100000001ad02-313.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
0x000100000001ad02-313.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
0x000200000001aca8-173.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
0x000200000001aca8-173.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
0x000200000001acb5-183.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
0x000200000001acb5-183.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
0x000200000001acdf-236.exe
Resource
win7v20201028
Behavioral task
behavioral14
Sample
0x000200000001acdf-236.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
0x000200000001ace9-240.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
0x000200000001ace9-240.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
0x000300000001a5a2-209.exe
Resource
win7v20201028
Behavioral task
behavioral18
Sample
0x000300000001a5a2-209.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
0x000300000001ac90-122.exe
Resource
win7v20201028
Behavioral task
behavioral20
Sample
0x000300000001ac90-122.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
0x000300000001ac99-126.exe
Resource
win7v20201028
Behavioral task
behavioral22
Sample
0x000300000001ac99-126.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
0x000300000001ac9e-134.exe
Resource
win7v20201028
Behavioral task
behavioral24
Sample
0x000300000001ac9e-134.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
0x000300000001ac9e-206.exe
Resource
win7v20201028
Behavioral task
behavioral26
Sample
0x000300000001ac9e-206.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
0x000300000001ac9f-141.exe
Resource
win7v20201028
Behavioral task
behavioral28
Sample
0x000300000001ac9f-141.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
0x000300000001acec-245.exe
Resource
win7v20201028
Behavioral task
behavioral30
Sample
0x000300000001acec-245.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
0x000300000001aced-248.exe
Resource
win7v20201028
Behavioral task
behavioral32
Sample
0x000300000001aced-248.exe
Resource
win10v20201028
General
-
Target
0x000300000001ac90-122.exe
-
Size
411KB
-
MD5
ceec23bdfaa35e0eeee0bb318f9d339f
-
SHA1
69337754824f165accef920ec90d25aae72da9ca
-
SHA256
e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6
-
SHA512
7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Processes:
resource yara_rule behavioral19/memory/1080-3-0x0000000006450000-0x0000000006474000-memory.dmp agent_tesla behavioral19/memory/1080-4-0x00000000064C0000-0x00000000064E3000-memory.dmp agent_tesla -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 checkip.amazonaws.com -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
0x000300000001ac90-122.exepid process 1080 0x000300000001ac90-122.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0x000300000001ac90-122.exedescription pid process Token: SeDebugPrivilege 1080 0x000300000001ac90-122.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
0x000300000001ac90-122.execmd.exedescription pid process target process PID 1080 wrote to memory of 1636 1080 0x000300000001ac90-122.exe cmd.exe PID 1080 wrote to memory of 1636 1080 0x000300000001ac90-122.exe cmd.exe PID 1080 wrote to memory of 1636 1080 0x000300000001ac90-122.exe cmd.exe PID 1080 wrote to memory of 1636 1080 0x000300000001ac90-122.exe cmd.exe PID 1636 wrote to memory of 1860 1636 cmd.exe PING.EXE PID 1636 wrote to memory of 1860 1636 cmd.exe PING.EXE PID 1636 wrote to memory of 1860 1636 cmd.exe PING.EXE PID 1636 wrote to memory of 1860 1636 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000300000001ac90-122.exe"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac90-122.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1080-0-0x0000000006070000-0x0000000006081000-memory.dmpFilesize
68KB
-
memory/1080-1-0x0000000006150000-0x0000000006161000-memory.dmpFilesize
68KB
-
memory/1080-2-0x0000000074690000-0x0000000074D7E000-memory.dmpFilesize
6.9MB
-
memory/1080-3-0x0000000006450000-0x0000000006474000-memory.dmpFilesize
144KB
-
memory/1080-4-0x00000000064C0000-0x00000000064E3000-memory.dmpFilesize
140KB
-
memory/1636-5-0x0000000000000000-mapping.dmp
-
memory/1860-6-0x0000000000000000-mapping.dmp