Overview

overview

10

Static

static

admin.exe

windows7_x64

10

admin.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    admin.exe

  • Size

    36KB

  • MD5

    d64ae064a4fc5d008723a2d092d232e5

  • SHA1

    de033ba17f3b675d6907e154a0444e73b572f7ef

  • SHA256

    6cec4d45ec32bf036c8b5a513e029a5012c799e16acef1481e41822ba20dce8a

  • SHA512

    040e80fea05c97c621330d4fc423a83452a57a4c28f862e529a8259e87d58c3c153971ef17565274f7ec1385e34ada443e6f7526244dafab59a209047c0e7ec1

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    admin@adipico.com
  • Password:
    HELPMELORD@2021

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\admin.exe
    "C:\Users\Admin\AppData\Local\Temp\admin.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\admin.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\admin.exe
      "C:\Users\Admin\AppData\Local\Temp\admin.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\admin.exe
      "C:\Users\Admin\AppData\Local\Temp\admin.exe"
      2⤵
        PID:2880
      • C:\Users\Admin\AppData\Local\Temp\admin.exe
        "C:\Users\Admin\AppData\Local\Temp\admin.exe"
        2⤵
          PID:4088
        • C:\Users\Admin\AppData\Local\Temp\admin.exe
          "C:\Users\Admin\AppData\Local\Temp\admin.exe"
          2⤵
            PID:1676
          • C:\Users\Admin\AppData\Local\Temp\admin.exe
            "C:\Users\Admin\AppData\Local\Temp\admin.exe"
            2⤵
              PID:1632

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          5
          T1112

          Disabling Security Tools

          3
          T1089

          Virtualization/Sandbox Evasion

          2
          T1497

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          4
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            1c19c16e21c97ed42d5beabc93391fc5

            SHA1

            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

            SHA256

            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

            SHA512

            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            e273820a97ad432278b15cab48392ed2

            SHA1

            ba49fafc9a1e4b97decaa24b16c7704dc7239ab2

            SHA256

            e23a96a1c6112c369495cd5efae301bd9814e41e3f59c09548aa1d40e4f17253

            SHA512

            cc67199b2e9fdbf97ac4e248305e0e894bd17747a04a3e9f2ec2fce00c0959038d1bf6b237c69ce372649f28dc8ae63f109589e3e931c3f5525d33cc13f3bb12

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            f595b1bba75548eeea6f324ecfcaf9dc

            SHA1

            1419bb80563a3e5e9b6b5b042266ad43c08a251c

            SHA256

            1f9cf0cd4083d5fc5166c4a8dacde45b881e3a82964226c48bf93434f90ddae4

            SHA512

            243d47fe27658dae98f0868982476ddc2656bbf1aa24faffe7415cc73498bb9ce00c63575f79a69f5c3c25c8a6ab2cc72f27757a919431d7c25c33ef50a34c43

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            438a2f13bf63b925189b582a342d78fe

            SHA1

            5bb060bb26f649dbe1a8ed481981ccd8fc4b0067

            SHA256

            9d4919b1fa7fbbb57542bb2789cde33bf0075bef440ec320b6ac84a97a9174cd

            SHA512

            2fd19f1340f13cebbaeb72987e6eeeef225957ffd0135f42d7f026d34c99d8dfe6cc6044fe333083f8f599805aa0a9109f321b6f7043865944eb46f839059929

            Download Submit
          • memory/696-124-0x000000007FB10000-0x000000007FB11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/696-39-0x00000000068B0000-0x00000000068B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/696-15-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/696-45-0x00000000068B2000-0x00000000068B3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/696-11-0x0000000000000000-mapping.dmp
            Download
          • memory/696-132-0x00000000068B3000-0x00000000068B4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-16-0x0000000004F90000-0x0000000004F91000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-114-0x0000000009880000-0x0000000009881000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-10-0x0000000000000000-mapping.dmp
            Download
          • memory/912-135-0x0000000007523000-0x0000000007524000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-18-0x0000000007B60000-0x0000000007B61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-123-0x000000007E780000-0x000000007E781000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-117-0x00000000099F0000-0x00000000099F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-14-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/912-70-0x00000000082D0000-0x00000000082D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-50-0x0000000007A00000-0x0000000007A01000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-58-0x0000000008370000-0x0000000008371000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-35-0x0000000007520000-0x0000000007521000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-136-0x00000000097A0000-0x00000000097A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-37-0x0000000007522000-0x0000000007523000-memory.dmp
            Filesize

            4KB

            Download
          • memory/912-54-0x0000000008300000-0x0000000008301000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-20-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1256-12-0x0000000000000000-mapping.dmp
            Download
          • memory/1256-51-0x0000000006F80000-0x0000000006F81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-121-0x000000007F430000-0x000000007F431000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-144-0x0000000009850000-0x0000000009851000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-133-0x0000000006F83000-0x0000000006F84000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-84-0x00000000093B0000-0x00000000093E3000-memory.dmp
            Filesize

            204KB

            Download
          • memory/1256-53-0x0000000006F82000-0x0000000006F83000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-74-0x0000000008310000-0x0000000008311000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1256-126-0x00000000098D0000-0x00000000098D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1488-125-0x000000007E640000-0x000000007E641000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1488-13-0x0000000000000000-mapping.dmp
            Download
          • memory/1488-134-0x0000000000CC3000-0x0000000000CC4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1488-78-0x0000000007DE0000-0x0000000007DE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1488-55-0x0000000000CC2000-0x0000000000CC3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1488-22-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1488-52-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1676-42-0x000000000043745E-mapping.dmp
            Download
          • memory/1676-46-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2312-21-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2312-156-0x00000000069F0000-0x00000000069F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2312-24-0x000000000043745E-mapping.dmp
            Download
          • memory/2312-41-0x0000000005A40000-0x0000000005A41000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2312-130-0x0000000005A10000-0x0000000005A11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2312-26-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2312-158-0x0000000005A41000-0x0000000005A42000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2312-157-0x0000000001590000-0x0000000001591000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2880-32-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2880-29-0x000000000043745E-mapping.dmp
            Download
          • memory/4088-36-0x000000000043745E-mapping.dmp
            Download
          • memory/4768-9-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-7-0x0000000005140000-0x0000000005141000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-6-0x0000000005540000-0x0000000005541000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-5-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-3-0x00000000007A0000-0x00000000007A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-49-0x0000000006550000-0x0000000006551000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-8-0x0000000005EC0000-0x0000000005F24000-memory.dmp
            Filesize

            400KB

            Download
          • memory/4768-2-0x00000000732D0000-0x00000000739BE000-memory.dmp
            Filesize

            6.9MB

            Download