Analysis
- max time kernel: 86s
- max time network: 87s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-01-2021 17:56

Static task: static1
Behavioral task: behavioral1 (Sample: Build.exe, Resource: win7v20201028)
General
- Target: Build.exe
- Size: 533KB
- MD5: be064c1864b02feab6d41ed1a0ecf2a0
- SHA1: be285923433bbd32e8c896bb71910180a15cf61f
- SHA256: d2b4d092f178023c22ec781d1ead02de46a5b5b159cc1930220e44d9f1168225
- SHA512: 4aad663524f7f012c438940040b2a3c0a9e552b5a64306827cb3deb642cacae54ca62a70fa9b2261681f14dfd67feb07eb80e6196b320d8b400f45aa303cb40c
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
Processes:
- yara_rule agent_tesla matched in memory dump behavioral1/memory/2008-5-0x000000001AF60000-0x000000001B06A000-memory.dmp (PID 2008, Build.exe)
Echelon log file (1 IoC)
Detects a log file produced by Echelon.
Processes:
- yara_rule echelon_log_file
Deletes itself (1 IoC)
Processes:
- cmd.exe (PID 652)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry (the Microsoft\Windows\CurrentVersion\Uninstall subkeys) to enumerate installed software on the system.
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 6: api.ipify.org
- flow 7: api.ipify.org
- flow 10: ip-api.com
- flow 12: api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving that thread's events, a common anti-analysis technique.
Processes:
- Build.exe (PID 2008), 14 calls
Delays execution with timeout.exe (1 IoC)
Processes:
- timeout.exe (PID 1972)
Modifies system certificate store (2 IoCs)
Adds a certificate to the current user's intermediate CA store (SystemCertificates\CA); the subkey name is the certificate's SHA1 thumbprint.
Processes:
- Build.exe (PID 2008): Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
- Build.exe (PID 2008): Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob data elided)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- Build.exe (PID 2008), 16 events
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- Build.exe (PID 2008): Token: SeDebugPrivilege
- AUDIODG.EXE (PID 1232): Token: 33
- AUDIODG.EXE (PID 1232): Token: SeIncBasePriorityPrivilege
- AUDIODG.EXE (PID 1232): Token: 33
- AUDIODG.EXE (PID 1232): Token: SeIncBasePriorityPrivilege
Note: AUDIODG.EXE is a Windows audio system process and is not a child of Build.exe in the process tree; its entries are most likely background OS activity rather than sample behaviour. The SeDebugPrivilege request by Build.exe is the relevant one.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2008 (Build.exe) wrote to memory of PID 652 (cmd.exe), 3 times
- PID 652 (cmd.exe) wrote to memory of PID 1972 (timeout.exe), 3 times
Note: a few writes from a parent into a child it has just spawned are consistent with normal process start-up and do not by themselves indicate code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\Build.exe
  "C:\Users\Admin\AppData\Local\Temp\Build.exe" (PID 2008)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.cmd"" (PID 652)
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      timeout 4 (PID 1972)
      - Delays execution with timeout.exe
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 (PID 1660)
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x560 (PID 1232)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1 (PID 700)
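The chain Build.exe -> cmd.exe /c "<Temp>\tmp66BF.tmp.cmd" -> timeout 4 is the observable side of the "Deletes itself" signature. The following is an added example, not part of the sandbox report, showing how to hunt for that chain in process-creation telemetry. It runs over constructed Sysmon-style records (pid, ppid, image, command line) modelled on PIDs 2008 -> 652 -> 1972; the launcher PID 1200 for Build.exe and the backup.bat noise events are assumptions, as is the tolerated "timeout /t N" form. Because the report does not show the contents of tmp66BF.tmp.cmd, the rule keys only on what the tree makes visible: a process starting cmd.exe /c on a *.tmp.cmd in the user's Temp directory, and that cmd.exe spawning timeout.exe.

```python
"""Flag the self-delete chain seen in the process tree above.

Added example, not part of the sandbox report. Input is a list of
constructed process-creation records (Sysmon Event ID 1 style: pid, ppid,
image, command line) modelled on PIDs 2008 -> 652 -> 1972.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class SelfDeleteHit:
    launcher_pid: int
    launcher_image: Optional[str]   # None if the launcher's own event is missing
    cmd_pid: int
    timeout_pid: int
    script: str                     # the .tmp.cmd passed to cmd /c
    delay_secs: Optional[int]       # argument to timeout, if parseable


# Constructed sample input modelled on the report's tree. PID 1200 (the
# launcher of Build.exe) and the backup.bat events are assumptions.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2008, 1200, r"C:\Users\Admin\AppData\Local\Temp\Build.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Build.exe"'),
    ProcEvent(652, 2008, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.cmd""'),
    ProcEvent(1972, 652, r"C:\Windows\system32\timeout.exe", "timeout 4"),
    ProcEvent(3000, 1200, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Scripts\backup.bat"'),
    ProcEvent(3001, 3000, r"C:\Windows\system32\timeout.exe", "timeout 30"),
]

# cmd /c "<drive>:\...\AppData\Local\Temp\<name>.tmp.cmd"; quotes optional,
# doubled quotes tolerated, case-insensitive like the Windows shell.
TMP_CMD_RE = re.compile(
    r'(?i)/c\s+"*(?P<script>[a-z]:\\[^"]*\\appdata\\local\\temp\\[^"\\]+\.tmp\.cmd)"*'
)
# "timeout 4" or "timeout /t 4" (the /t form is tolerated as an assumption).
TIMEOUT_RE = re.compile(r"(?i)\btimeout(?:\.exe)?\s+(?:/t\s+)?(?P<secs>\d+)")


def _is_image(event: ProcEvent, name: str) -> bool:
    """True if the event's image path ends in \\<name>, case-insensitively."""
    return event.image.lower().endswith("\\" + name)


def find_self_delete_chains(events: List[ProcEvent]) -> List[SelfDeleteHit]:
    """One hit per cmd.exe that runs a Temp\\*.tmp.cmd and spawns timeout.exe."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits: List[SelfDeleteHit] = []
    for cmd in events:
        if not _is_image(cmd, "cmd.exe"):
            continue
        m = TMP_CMD_RE.search(cmd.cmdline)
        if not m:
            continue
        for child in children[cmd.pid]:
            if not _is_image(child, "timeout.exe"):
                continue
            t = TIMEOUT_RE.search(child.cmdline)
            launcher = by_pid.get(cmd.ppid)
            hits.append(SelfDeleteHit(
                launcher_pid=cmd.ppid,
                launcher_image=launcher.image if launcher else None,
                cmd_pid=cmd.pid,
                timeout_pid=child.pid,
                script=m.group("script"),
                delay_secs=int(t.group("secs")) if t else None,
            ))
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(SAMPLE_EVENTS):
        print(f"self-delete chain: {hit.launcher_image} (pid {hit.launcher_pid}) -> "
              f"cmd.exe (pid {hit.cmd_pid}) running {hit.script} -> "
              f"timeout.exe (pid {hit.timeout_pid}), delay {hit.delay_secs}s")
```

The benign backup.bat chain also spawns timeout.exe but is not flagged, because the rule requires the script to be a *.tmp.cmd under the user's Temp directory; the launcher image (here Build.exe) is what an analyst would then pivot on for the hashes listed in the General section.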
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 88f63ee2513c67d4c84d87560ba2cc33
- SHA1: 9e08c0cf906ae36c85e66ab8ddd458b3cce3e65a
- SHA256: 161c17781e42c75096ebe2f34c35fe0d035d5d76baa176cf784aa4eacbdf9edc
- SHA512: c1344366005f896f333272b0377d4b2086c9c5ae859baf0f34f3893d496097292b78a55bda0bae7a51e4c159134bf01cc086d6fca38aa2170fb7b9670f17ba8d