Analysis
- max time kernel: 132s
- max time network: 73s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 06:53

Static task: static1
Behavioral task: behavioral1
- Sample: AWB-20211211.14754943_TR.exe
- Resource: win7v20201028
General
- Target: AWB-20211211.14754943_TR.exe
- Size: 881KB
- MD5: 06f39e6b5df0f09e46de43052a0a1daf
- SHA1: bc9b010e302178fa30b1a8bb537af717993bd298
- SHA256: 1760b657755f0891214e821f9435509c25cdd5d0da0205e8f390c1b57aad9a77
- SHA512: 437d6eb152eb84f931eeeebb1015de7cb3753498d353bff9fe963cb9ae69eb499d55cc8549cc92b697a7c19d9a26fba418221835688316b7cda58a4933f92467
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.talleresgenerauto.es
- Port: 587
- Username: chapaypintura@talleresgenerauto.es
- Password: talleres20generauto19
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1856-14-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/1856-15-0x000000000043765E-mapping.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Looks for VMWare Tools registry key (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AWB-20211211.14754943_TR.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AWB-20211211.14754943_TR.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | AWB-20211211.14754943_TR.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | AWB-20211211.14754943_TR.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1404 set thread context of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1404 | AWB-20211211.14754943_TR.exe
  1856 | AWB-20211211.14754943_TR.exe
  1856 | AWB-20211211.14754943_TR.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1404 | AWB-20211211.14754943_TR.exe
  Token: SeDebugPrivilege | 1856 | AWB-20211211.14754943_TR.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 1404 wrote to memory of 1596 | 1404 | AWB-20211211.14754943_TR.exe | schtasks.exe
  PID 1404 wrote to memory of 1596 | 1404 | AWB-20211211.14754943_TR.exe | schtasks.exe
  PID 1404 wrote to memory of 1596 | 1404 | AWB-20211211.14754943_TR.exe | schtasks.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
  PID 1404 wrote to memory of 1856 | 1404 | AWB-20211211.14754943_TR.exe | AWB-20211211.14754943_TR.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LTTuaoUYZLg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp225E.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp225E.tmp
  MD5: 2edd515fca32c0b928c804b3fe9f1001
  SHA1: a95076b38dd09086dd502ebea73ce815b5400f34
  SHA256: 7fa73bed55308c3d8935c581ac44870578efce5a2cd865c8bbb2fc354ae4efe7
  SHA512: 56c5ee4f2e072de9c910b2fc11361af9109600b1312a228f0855fb02b385a731286cc90924cdd37c35bb7201d0c2eccb3c5fc4fb3b6c77e3e1cc7081e11e0786

- memory/1404-9-0x0000000007950000-0x00000000079EC000-memory.dmp (Filesize 624KB)
- memory/1404-11-0x0000000007B30000-0x0000000007B31000-memory.dmp (Filesize 4KB)
- memory/1404-6-0x0000000005460000-0x0000000005461000-memory.dmp (Filesize 4KB)
- memory/1404-7-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize 4KB)
- memory/1404-8-0x0000000005670000-0x000000000567E000-memory.dmp (Filesize 56KB)
- memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp (Filesize 6.9MB)
- memory/1404-10-0x0000000007A90000-0x0000000007A91000-memory.dmp (Filesize 4KB)
- memory/1404-5-0x0000000005A60000-0x0000000005A61000-memory.dmp (Filesize 4KB)
- memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp (Filesize 4KB)
- memory/1596-12-0x0000000000000000-mapping.dmp
- memory/1856-14-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1856-15-0x000000000043765E-mapping.dmp
- memory/1856-16-0x0000000073550000-0x0000000073C3E000-memory.dmp (Filesize 6.9MB)
- memory/1856-21-0x0000000005DB0000-0x0000000005DB1000-memory.dmp (Filesize 4KB)