Analysis
-
max time kernel
121s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 16:25
General
-
Target
musikk.exe
-
Size
32KB
-
MD5
edeae783c7249315102d03a637fd3257
-
SHA1
22044ad362803278ec491b260e6d34a6342f17f4
-
SHA256
74957e6668e2336b8892c3943890462ee2f7e7782d25b574e8184a3862a1b396
-
SHA512
88f3eee886d178455e516326ffaa7ed6f32d234583be4b10738ae7c0097fe1f503e6c9c5f95107f80ec82bfb236f36372c6d5a7c837c0415240c4ffcc329f202
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
sales1@razorwirefecning.com - Password:
Blessings@12345
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
AgentTesla Payload 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\musikk.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\musikk.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\musikk.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\musikk.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\musikk.exe"C:\Users\Admin\AppData\Local\Temp\musikk.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ac77f1bb1266acf7c5c0722c4924166d
SHA164d512053a986c9d4ee9487bd12d4bbe7c2adbcb
SHA25691156ce12e76402d57c7a45486658f18aa2b3d42af83c6e80e9f1d2f9622c691
SHA512e47af954ab06c2ea77f1ce5627266f8e78f8963a8b2ce58defaced05fb9a14395bcfc09cecb0c7297426282f6332bf9a77d60c721095c3a62970b7ae95102ab1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ac77f1bb1266acf7c5c0722c4924166d
SHA164d512053a986c9d4ee9487bd12d4bbe7c2adbcb
SHA25691156ce12e76402d57c7a45486658f18aa2b3d42af83c6e80e9f1d2f9622c691
SHA512e47af954ab06c2ea77f1ce5627266f8e78f8963a8b2ce58defaced05fb9a14395bcfc09cecb0c7297426282f6332bf9a77d60c721095c3a62970b7ae95102ab1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8fb30ac551560874104f6ac559413eba
SHA1d715afac2409b9f4274cb7f34ba1b5a5f03c70b4
SHA2561901f2311b168a2fdf55fc0bc365eda5f54815f07dc3b7773a36bf6b334ea13d
SHA512905e71c1271c2f42940da4ea47b2deb7798a7aaab7753374ea4e2a9bf08ec7634b79c975e0d150cd76fbeb545b0235be4082640a74830338d3edfa199d4dd5a2
-
memory/8-63-0x0000000004660000-0x0000000004661000-memory.dmpFilesize
4KB
-
memory/616-9-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/616-59-0x0000000006AD0000-0x0000000006AD1000-memory.dmpFilesize
4KB
-
memory/616-2-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/616-11-0x00000000066A0000-0x00000000066A1000-memory.dmpFilesize
4KB
-
memory/616-8-0x0000000006330000-0x0000000006331000-memory.dmpFilesize
4KB
-
memory/616-10-0x00000000062A0000-0x0000000006304000-memory.dmpFilesize
400KB
-
memory/616-3-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/616-7-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/616-5-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/616-6-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/968-24-0x0000000007B40000-0x0000000007B41000-memory.dmpFilesize
4KB
-
memory/968-16-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/968-141-0x0000000007503000-0x0000000007504000-memory.dmpFilesize
4KB
-
memory/968-13-0x0000000000000000-mapping.dmp
-
memory/968-28-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB
-
memory/968-136-0x0000000009DA0000-0x0000000009DA1000-memory.dmpFilesize
4KB
-
memory/968-126-0x000000007F590000-0x000000007F591000-memory.dmpFilesize
4KB
-
memory/968-32-0x0000000007502000-0x0000000007503000-memory.dmpFilesize
4KB
-
memory/1968-34-0x0000000006A82000-0x0000000006A83000-memory.dmpFilesize
4KB
-
memory/1968-78-0x0000000007720000-0x0000000007721000-memory.dmpFilesize
4KB
-
memory/1968-20-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/1968-29-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/1968-129-0x000000007F1D0000-0x000000007F1D1000-memory.dmpFilesize
4KB
-
memory/1968-66-0x00000000077B0000-0x00000000077B1000-memory.dmpFilesize
4KB
-
memory/1968-12-0x0000000000000000-mapping.dmp
-
memory/1968-143-0x0000000006A83000-0x0000000006A84000-memory.dmpFilesize
4KB
-
memory/1968-18-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/2324-37-0x000000000043749E-mapping.dmp
-
memory/2456-15-0x0000000000000000-mapping.dmp
-
memory/2456-19-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/2456-116-0x000000007EB50000-0x000000007EB51000-memory.dmpFilesize
4KB
-
memory/2456-35-0x00000000064B2000-0x00000000064B3000-memory.dmpFilesize
4KB
-
memory/2456-82-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/2456-142-0x00000000064B3000-0x00000000064B4000-memory.dmpFilesize
4KB
-
memory/2456-61-0x0000000007230000-0x0000000007231000-memory.dmpFilesize
4KB
-
memory/2456-144-0x0000000008DC0000-0x0000000008DC1000-memory.dmpFilesize
4KB
-
memory/2456-152-0x00000000088F0000-0x00000000088F1000-memory.dmpFilesize
4KB
-
memory/2456-30-0x00000000064B0000-0x00000000064B1000-memory.dmpFilesize
4KB
-
memory/2596-46-0x000000000043749E-mapping.dmp
-
memory/2596-48-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/2804-51-0x000000000043749E-mapping.dmp
-
memory/2804-53-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/3168-42-0x000000000043749E-mapping.dmp
-
memory/3168-44-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/3352-14-0x0000000000000000-mapping.dmp
-
memory/3352-121-0x000000007EBC0000-0x000000007EBC1000-memory.dmpFilesize
4KB
-
memory/3352-33-0x00000000044A2000-0x00000000044A3000-memory.dmpFilesize
4KB
-
memory/3352-130-0x0000000009030000-0x0000000009031000-memory.dmpFilesize
4KB
-
memory/3352-86-0x0000000007F50000-0x0000000007F51000-memory.dmpFilesize
4KB
-
memory/3352-74-0x0000000007800000-0x0000000007801000-memory.dmpFilesize
4KB
-
memory/3352-140-0x00000000044A3000-0x00000000044A4000-memory.dmpFilesize
4KB
-
memory/3352-97-0x0000000008F00000-0x0000000008F33000-memory.dmpFilesize
204KB
-
memory/3352-124-0x0000000008070000-0x0000000008071000-memory.dmpFilesize
4KB
-
memory/3352-17-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/3352-145-0x0000000009100000-0x0000000009101000-memory.dmpFilesize
4KB
-
memory/3352-31-0x00000000044A0000-0x00000000044A1000-memory.dmpFilesize
4KB
-
memory/4056-60-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4056-38-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4056-39-0x000000000043749E-mapping.dmp
-
memory/4056-40-0x0000000073160000-0x000000007384E000-memory.dmpFilesize
6.9MB
-
memory/4056-90-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/4056-166-0x00000000052F1000-0x00000000052F2000-memory.dmpFilesize
4KB