Analysis
- max time kernel: 147s
- max time network: 71s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 07:05
- Static task: static1
- Behavioral task: behavioral1 (Sample: 146938fb56dd1017e45b1483dff8e353.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: 146938fb56dd1017e45b1483dff8e353.exe, Resource: win10v20201028)
General
- Target: 146938fb56dd1017e45b1483dff8e353.exe
- Size: 947KB
- MD5: 146938fb56dd1017e45b1483dff8e353
- SHA1: 7104dada4cff7cd2e1ac643877bca649b35e7aee
- SHA256: eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a
- SHA512: 32b0cfbc2673f8eb9079916ba82f07870cfb87195780b82f2cfd4b75670a9d44a5e7239a377c803bc75fe8171a18bc03ea85fe51129f16f0d6ff4991e4914201
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.godforeu.com
- Port: 587
- Username: [email protected]
- Password: O8k#Pz4sk:w_
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3456-5-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/3456-6-0x000000000043749E-mapping.dmp | family_agenttesla

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 640 set thread context of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3456 | 146938fb56dd1017e45b1483dff8e353.exe
  3456 | 146938fb56dd1017e45b1483dff8e353.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3456 | 146938fb56dd1017e45b1483dff8e353.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 640 wrote to memory of 3800 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | schtasks.exe
  PID 640 wrote to memory of 3800 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | schtasks.exe
  PID 640 wrote to memory of 3800 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | schtasks.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
  PID 640 wrote to memory of 3456 | 640 | 146938fb56dd1017e45b1483dff8e353.exe | 146938fb56dd1017e45b1483dff8e353.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwcdFkAETi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57A6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\146938fb56dd1017e45b1483dff8e353.exe.log
- C:\Users\Admin\AppData\Local\Temp\tmp57A6.tmp