Resubmissions
01-12-2020 15:01
201201-3yr3d6cakn 10Analysis
-
max time kernel
118s -
max time network
19s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-12-2020 15:01
Static task
static1
Behavioral task
behavioral1
Sample
Payment.exe
Resource
win7v20201028
General
-
Target
Payment.exe
-
Size
1.0MB
-
MD5
6b30bab8e1f4ff60acca54a249517bd5
-
SHA1
4a934e2daf22ee33f1aea1cd49cdd294986efc16
-
SHA256
bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
-
SHA512
6ab09364ace6407d9cd139e1f564f6d38134a13d0b7281aeca74e8d3f1a76199a794c248c1ef7a5ded326765cac7f4b94d0bba484b76f33457db49a620852ac7
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.shirdilog.com - Port:
587 - Username:
[email protected] - Password:
SL094521
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/992-9-0x0000000000400000-0x0000000000466000-memory.dmp family_agenttesla behavioral1/memory/992-10-0x00000000004612BE-mapping.dmp family_agenttesla behavioral1/memory/992-12-0x0000000000400000-0x0000000000466000-memory.dmp family_agenttesla behavioral1/memory/992-11-0x0000000000400000-0x0000000000466000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Payment.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Payment.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Payment.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Payment.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1684 set thread context of 992 1684 Payment.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1088 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 308 REG.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 992 Payment.exe 992 Payment.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 992 Payment.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 992 Payment.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1088 1684 Payment.exe 30 PID 1684 wrote to memory of 1088 1684 Payment.exe 30 PID 1684 wrote to memory of 1088 1684 Payment.exe 30 PID 1684 wrote to memory of 1088 1684 Payment.exe 30 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 1684 wrote to memory of 992 1684 Payment.exe 32 PID 992 wrote to memory of 308 992 Payment.exe 33 PID 992 wrote to memory of 308 992 Payment.exe 33 PID 992 wrote to memory of 308 992 Payment.exe 33 PID 992 wrote to memory of 308 992 Payment.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"C:\Users\Admin\AppData\Local\Temp\Payment.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gnFZsnV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60E5.tmp"2⤵
- Creates scheduled task(s)
PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\Payment.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / v NoRun / t REG_DWORD / d 1 / f3⤵
- Modifies registry key
PID:308
-
-