Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 16:25
Static task
static1
Behavioral task
behavioral1
Sample
iym.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
iym.exe
Resource
win10v20201028
General
-
Target
iym.exe
-
Size
20KB
-
MD5
9d1c8d505aed4eb37bd5530a0b5b3b10
-
SHA1
8727180dafb631c287957dedbcc4f989fb0a5825
-
SHA256
1730e8fd738a26adbe3f0b31192adf6d4cc175f021b2d06e6278e36a43efef40
-
SHA512
0a1776064a7a82a53881036ed2b3ab9a30f0c842c826543202cbf6399cb10f6ca2544e95672e87ab59c84d5778544aa89dfaa802ab843aa57bf6bcbeb4f27bea
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
edubrazil4040@longjohn.icu - Password:
GODBLESS2021@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
iym.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\iym.exe\"" iym.exe -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4700-10-0x0000000005E90000-0x0000000005EF4000-memory.dmp family_agenttesla behavioral2/memory/1796-32-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/1796-33-0x00000000004374DE-mapping.dmp family_agenttesla behavioral2/memory/2360-46-0x00000000004374DE-mapping.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
iym.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iym.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iym.exe -
Drops startup file 2 IoCs
Processes:
iym.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe iym.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe iym.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
iym.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\iym.exe = "0" iym.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection iym.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features iym.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" iym.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" iym.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" iym.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths iym.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions iym.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe = "0" iym.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" iym.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet iym.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
iym.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iym.exe" iym.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\iym.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iym.exe" iym.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
iym.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum iym.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 iym.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
iym.exepid process 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe 4700 iym.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
iym.exedescription pid process target process PID 4700 set thread context of 1796 4700 iym.exe iym.exe PID 4700 set thread context of 1876 4700 iym.exe iym.exe PID 4700 set thread context of 2068 4700 iym.exe iym.exe PID 4700 set thread context of 2360 4700 iym.exe iym.exe PID 4700 set thread context of 2792 4700 iym.exe iym.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
iym.exeiym.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4700 iym.exe 1796 iym.exe 1796 iym.exe 68 powershell.exe 3188 powershell.exe 804 powershell.exe 4316 powershell.exe 3188 powershell.exe 68 powershell.exe 4316 powershell.exe 804 powershell.exe 804 powershell.exe 68 powershell.exe 3188 powershell.exe 4316 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
iym.exeiym.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4700 iym.exe Token: SeDebugPrivilege 1796 iym.exe Token: SeDebugPrivilege 804 powershell.exe Token: SeDebugPrivilege 3188 powershell.exe Token: SeDebugPrivilege 4316 powershell.exe Token: SeDebugPrivilege 68 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iym.exepid process 1796 iym.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
iym.exedescription pid process target process PID 4700 wrote to memory of 3188 4700 iym.exe powershell.exe PID 4700 wrote to memory of 3188 4700 iym.exe powershell.exe PID 4700 wrote to memory of 3188 4700 iym.exe powershell.exe PID 4700 wrote to memory of 4316 4700 iym.exe powershell.exe PID 4700 wrote to memory of 4316 4700 iym.exe powershell.exe PID 4700 wrote to memory of 4316 4700 iym.exe powershell.exe PID 4700 wrote to memory of 68 4700 iym.exe powershell.exe PID 4700 wrote to memory of 68 4700 iym.exe powershell.exe PID 4700 wrote to memory of 68 4700 iym.exe powershell.exe PID 4700 wrote to memory of 804 4700 iym.exe powershell.exe PID 4700 wrote to memory of 804 4700 iym.exe powershell.exe PID 4700 wrote to memory of 804 4700 iym.exe powershell.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1796 4700 iym.exe iym.exe PID 4700 wrote to memory of 1876 4700 iym.exe iym.exe PID 4700 wrote to memory of 1876 4700 iym.exe iym.exe PID 4700 wrote to memory of 1876 4700 iym.exe iym.exe PID 4700 wrote to memory of 1876 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2068 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2360 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe PID 4700 wrote to memory of 2792 4700 iym.exe iym.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\iym.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\iym.exe"C:\Users\Admin\AppData\Local\Temp\iym.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
c346de650c4f10d51cb71527ebf5f514
SHA1163d9955419932180beb9dfa8d9f1c54bd3b57f4
SHA2560e4effa7abff4956f2d114ea033c846b78f9fedb59d7f021f8baf3f57bf4b6ab
SHA512729cef61ad0772fd7a15563c0ab1ef654575ec483c985f3ee49a3d9df85f2a68e434d740c23316c87e94a940798b2bccb83df63272335469aeb00bc27d55fcc2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ac48c2605180be86d6964390d269b66d
SHA1dbe982cf0076bf2992c52b9a2cdf5bc3971d5aeb
SHA256ba6357e03b944a1b703bc53f801f27875bef5c167bc4fd787789f99e0f5be65e
SHA5126da7c8e22e83647f238bedb27b269ffd89e6c14d5af495db2815059de461d6d4472617c3829ae55ee71c0ed43164b07cb8ed9d54c83b4288ce01c683e2956cba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8263280127ffccfb8d4ec41005db0395
SHA19b070963aa18669b9ef7c8584634a74b76e404ff
SHA256e25474fd6fc223608061a14de686155b2ea3768ca3afb84c6b0b43a630256894
SHA512b8c0e5ea48fb280da2caf61e0e5a98df356baf4f46d3901443014583bce2e39816db7358f074ef6cbdf8882764b8fa93244b87ea008ade849fcfda1483c65c81
-
memory/68-134-0x0000000006A63000-0x0000000006A64000-memory.dmpFilesize
4KB
-
memory/68-45-0x0000000006A62000-0x0000000006A63000-memory.dmpFilesize
4KB
-
memory/68-18-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/68-54-0x0000000006E20000-0x0000000006E21000-memory.dmpFilesize
4KB
-
memory/68-23-0x0000000006A60000-0x0000000006A61000-memory.dmpFilesize
4KB
-
memory/68-105-0x000000007ED20000-0x000000007ED21000-memory.dmpFilesize
4KB
-
memory/68-58-0x0000000007010000-0x0000000007011000-memory.dmpFilesize
4KB
-
memory/68-14-0x0000000000000000-mapping.dmp
-
memory/68-67-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/804-16-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/804-132-0x0000000000D93000-0x0000000000D94000-memory.dmpFilesize
4KB
-
memory/804-70-0x0000000006C80000-0x0000000006C81000-memory.dmpFilesize
4KB
-
memory/804-52-0x0000000000D92000-0x0000000000D93000-memory.dmpFilesize
4KB
-
memory/804-20-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB
-
memory/804-15-0x0000000000000000-mapping.dmp
-
memory/804-101-0x000000007F530000-0x000000007F531000-memory.dmpFilesize
4KB
-
memory/804-128-0x0000000008EF0000-0x0000000008EF1000-memory.dmpFilesize
4KB
-
memory/1796-158-0x0000000005381000-0x0000000005382000-memory.dmpFilesize
4KB
-
memory/1796-82-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1796-32-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1796-33-0x00000000004374DE-mapping.dmp
-
memory/1796-35-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/1796-47-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/1876-36-0x00000000004374DE-mapping.dmp
-
memory/2068-38-0x00000000004374DE-mapping.dmp
-
memory/2068-42-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/2360-46-0x00000000004374DE-mapping.dmp
-
memory/2360-48-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/3188-50-0x0000000004BC2000-0x0000000004BC3000-memory.dmpFilesize
4KB
-
memory/3188-110-0x000000007F0E0000-0x000000007F0E1000-memory.dmpFilesize
4KB
-
memory/3188-136-0x0000000009940000-0x0000000009941000-memory.dmpFilesize
4KB
-
memory/3188-135-0x0000000004BC3000-0x0000000004BC4000-memory.dmpFilesize
4KB
-
memory/3188-124-0x0000000009580000-0x0000000009581000-memory.dmpFilesize
4KB
-
memory/3188-12-0x0000000000000000-mapping.dmp
-
memory/3188-78-0x0000000008650000-0x0000000008651000-memory.dmpFilesize
4KB
-
memory/3188-21-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/3188-19-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/3188-74-0x0000000008740000-0x0000000008741000-memory.dmpFilesize
4KB
-
memory/4316-133-0x0000000006813000-0x0000000006814000-memory.dmpFilesize
4KB
-
memory/4316-17-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/4316-87-0x0000000008A80000-0x0000000008AB3000-memory.dmpFilesize
204KB
-
memory/4316-96-0x000000007F750000-0x000000007F751000-memory.dmpFilesize
4KB
-
memory/4316-13-0x0000000000000000-mapping.dmp
-
memory/4316-22-0x0000000006810000-0x0000000006811000-memory.dmpFilesize
4KB
-
memory/4316-24-0x0000000000ED0000-0x0000000000ED1000-memory.dmpFilesize
4KB
-
memory/4316-120-0x0000000008960000-0x0000000008961000-memory.dmpFilesize
4KB
-
memory/4316-41-0x0000000006812000-0x0000000006813000-memory.dmpFilesize
4KB
-
memory/4316-144-0x0000000008EF0000-0x0000000008EF1000-memory.dmpFilesize
4KB
-
memory/4316-28-0x0000000006E50000-0x0000000006E51000-memory.dmpFilesize
4KB
-
memory/4700-53-0x0000000006440000-0x0000000006441000-memory.dmpFilesize
4KB
-
memory/4700-9-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/4700-10-0x0000000005E90000-0x0000000005EF4000-memory.dmpFilesize
400KB
-
memory/4700-2-0x0000000073430000-0x0000000073B1E000-memory.dmpFilesize
6.9MB
-
memory/4700-11-0x0000000005F70000-0x0000000005F71000-memory.dmpFilesize
4KB
-
memory/4700-8-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/4700-7-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/4700-6-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/4700-5-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/4700-3-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB