Analysis
-
max time kernel: 148s
max time network: 104s
platform: windows10_x64
resource: win10v20201028
submitted: 20-01-2021 16:26
Static task: static1
Behavioral task: behavioral1 (Sample: admin.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: admin.exe, Resource: win10v20201028)
General
-
Target: admin.exe
Size: 36KB
MD5: d64ae064a4fc5d008723a2d092d232e5
SHA1: de033ba17f3b675d6907e154a0444e73b572f7ef
SHA256: 6cec4d45ec32bf036c8b5a513e029a5012c799e16acef1481e41822ba20dce8a
SHA512: 040e80fea05c97c621330d4fc423a83452a57a4c28f862e529a8259e87d58c3c153971ef17565274f7ec1385e34ada443e6f7526244dafab59a209047c0e7ec1
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: admin@adipico.com
Password: HELPMELORD@2021
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\admin.exe\"" | admin.exe
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4768-8-0x0000000005EC0000-0x0000000005F24000-memory.dmp | family_agenttesla
behavioral2/memory/2312-21-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/2312-24-0x000000000043745E-mapping.dmp | family_agenttesla
behavioral2/memory/2880-29-0x000000000043745E-mapping.dmp | family_agenttesla
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | admin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | admin.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe | admin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe | admin.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | admin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | admin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | admin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\admin.exe = "0" | admin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe = "0" | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | admin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | admin.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\admin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\admin.exe" | admin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\admin.exe" | admin.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | admin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | admin.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
Processes:
pid | process
4768 | admin.exe (15 occurrences)
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 4768 set thread context of 2312 | 4768 | admin.exe | admin.exe
PID 4768 set thread context of 2880 | 4768 | admin.exe | admin.exe
PID 4768 set thread context of 4088 | 4768 | admin.exe | admin.exe
PID 4768 set thread context of 1676 | 4768 | admin.exe | admin.exe
PID 4768 set thread context of 1632 | 4768 | admin.exe | admin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
4768 | admin.exe
696 | powershell.exe (3 occurrences)
1256 | powershell.exe (3 occurrences)
1488 | powershell.exe (3 occurrences)
912 | powershell.exe (3 occurrences)
2312 | admin.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4768 | admin.exe
Token: SeDebugPrivilege | 912 | powershell.exe
Token: SeDebugPrivilege | 696 | powershell.exe
Token: SeDebugPrivilege | 1256 | powershell.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 2312 | admin.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2312 | admin.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
description | pid | process | target process
PID 4768 wrote to memory of 912 | 4768 | admin.exe | powershell.exe (3 occurrences)
PID 4768 wrote to memory of 696 | 4768 | admin.exe | powershell.exe (3 occurrences)
PID 4768 wrote to memory of 1256 | 4768 | admin.exe | powershell.exe (3 occurrences)
PID 4768 wrote to memory of 1488 | 4768 | admin.exe | powershell.exe (3 occurrences)
PID 4768 wrote to memory of 2312 | 4768 | admin.exe | admin.exe (8 occurrences)
PID 4768 wrote to memory of 2880 | 4768 | admin.exe | admin.exe (8 occurrences)
PID 4768 wrote to memory of 4088 | 4768 | admin.exe | admin.exe (4 occurrences)
PID 4768 wrote to memory of 1676 | 4768 | admin.exe | admin.exe (8 occurrences)
PID 4768 wrote to memory of 1632 | 4768 | admin.exe | admin.exe (8 occurrences)
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\admin.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\admin.exe" -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\admin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: 1c19c16e21c97ed42d5beabc93391fc5
SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: e273820a97ad432278b15cab48392ed2
SHA1: ba49fafc9a1e4b97decaa24b16c7704dc7239ab2
SHA256: e23a96a1c6112c369495cd5efae301bd9814e41e3f59c09548aa1d40e4f17253
SHA512: cc67199b2e9fdbf97ac4e248305e0e894bd17747a04a3e9f2ec2fce00c0959038d1bf6b237c69ce372649f28dc8ae63f109589e3e931c3f5525d33cc13f3bb12
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: f595b1bba75548eeea6f324ecfcaf9dc
SHA1: 1419bb80563a3e5e9b6b5b042266ad43c08a251c
SHA256: 1f9cf0cd4083d5fc5166c4a8dacde45b881e3a82964226c48bf93434f90ddae4
SHA512: 243d47fe27658dae98f0868982476ddc2656bbf1aa24faffe7415cc73498bb9ce00c63575f79a69f5c3c25c8a6ab2cc72f27757a919431d7c25c33ef50a34c43
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 438a2f13bf63b925189b582a342d78fe
SHA1: 5bb060bb26f649dbe1a8ed481981ccd8fc4b0067
SHA256: 9d4919b1fa7fbbb57542bb2789cde33bf0075bef440ec320b6ac84a97a9174cd
SHA512: 2fd19f1340f13cebbaeb72987e6eeeef225957ffd0135f42d7f026d34c99d8dfe6cc6044fe333083f8f599805aa0a9109f321b6f7043865944eb46f839059929