Overview

overview

10

Static

static

SecuriteIn...20.exe

windows7_x64

10

SecuriteIn...20.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe

  • Size

    15KB

  • MD5

    1983ead6d04607d63ca056ec796fb87f

  • SHA1

    a437a10a281b78b7e7d87049a7864ed9fb2dc765

  • SHA256

    74e35db0e018a83a1002237e7521e2cc0f2d03c6befa319d2b55c68f248f5bbd

  • SHA512

    f4c195487428ed46830bf5047c87614d575adb871e8e8e32bb9eb9806be07b8076a78903288b5d7323e5930f5a4b7ef914bd25b0c5d7dc59dad7c445441e6c8b

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    nancy.chen@exxacitcorp.com
  • Password:
    LifeDram2021

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
      2⤵
        PID:520
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
        2⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
          2⤵
            PID:3264
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.22420.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3944

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        5
        T1112

        Disabling Security Tools

        3
        T1089

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          1c19c16e21c97ed42d5beabc93391fc5

          SHA1

          8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

          SHA256

          1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

          SHA512

          7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          4f23dc4a215e434be37c934fdcf96e6b

          SHA1

          62a799d9590d96ae703a35717fad9c04d487c265

          SHA256

          75b456e4fbd4da3757d670c287529d954e6ba71c3486aa4963ce03c2543d7681

          SHA512

          368636f77bb57f2fdf011fa8d6f43965a812eebf725df81a87fb57c69b18b20f3e4b6c192697c046c818bb065774516dcca774c2d1f9bf0571ed404f81eb9ef8

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          e8806a753907fd0ed06f329d642babbd

          SHA1

          40da540aba46e455e19adc11643a3f542126e1fa

          SHA256

          131609d8006b047d9c24287aec414640633c1f197568fd42cd3e1976f9176baa

          SHA512

          2b1382fa6ac1cacef5e0462a1bf0b01dc05c9718195eb5e2323392b6079af5a041a9d82c1808b5fca3af1a137aef0caceeb7b1f06ee506fffc3703954f4adc74

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          25abdd12499d12b65d11355df32a7c5d

          SHA1

          2d27956cff125c8e109f3e23dec0c658ee3ef71d

          SHA256

          358fb25ff28961432a745f914f85f2a018d2e55ef70b2c066b7577445ddcdd37

          SHA512

          321d109078004924fd8c3109e148efdb145c0630e259ad32a14d374d19cc3a9d082313ac0e2330154d140b276439538c95e938fb034daabe8b625ec8b4054338

          Download Submit
        • memory/520-79-0x0000000001240000-0x0000000001241000-memory.dmp
          Filesize

          4KB

          Download
        • memory/520-43-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/520-40-0x00000000004374CE-mapping.dmp
          Download
        • memory/584-37-0x00000000004374CE-mapping.dmp
          Download
        • memory/584-74-0x0000000005220000-0x0000000005221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/584-39-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/584-36-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1948-101-0x000000007F160000-0x000000007F161000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-102-0x0000000009400000-0x0000000009433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/1948-42-0x00000000075A0000-0x00000000075A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-14-0x0000000000000000-mapping.dmp
          Download
        • memory/1948-18-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1948-149-0x0000000004B63000-0x0000000004B64000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-93-0x00000000086C0000-0x00000000086C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-34-0x0000000004B62000-0x0000000004B63000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-85-0x00000000076D0000-0x00000000076D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-32-0x0000000004B60000-0x0000000004B61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1948-151-0x00000000098D0000-0x00000000098D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-19-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-30-0x00000000070B2000-0x00000000070B3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-28-0x00000000070B0000-0x00000000070B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-22-0x00000000076F0000-0x00000000076F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-148-0x00000000070B3000-0x00000000070B4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-89-0x0000000007D40000-0x0000000007D41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2064-13-0x0000000000000000-mapping.dmp
          Download
        • memory/2064-16-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2064-105-0x000000007E4C0000-0x000000007E4C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-29-0x0000000003890000-0x0000000003891000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-147-0x0000000003893000-0x0000000003894000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-143-0x0000000009C00000-0x0000000009C01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-116-0x000000007E820000-0x000000007E821000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-12-0x0000000000000000-mapping.dmp
          Download
        • memory/2160-31-0x0000000003892000-0x0000000003893000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-159-0x0000000009BA0000-0x0000000009BA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2160-17-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2744-48-0x00000000004374CE-mapping.dmp
          Download
        • memory/2744-50-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2772-112-0x000000007E520000-0x000000007E521000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-131-0x0000000008020000-0x0000000008021000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-21-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2772-33-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-75-0x00000000078F0000-0x00000000078F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-150-0x0000000000FC3000-0x0000000000FC4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-35-0x0000000000FC2000-0x0000000000FC3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-136-0x0000000008E60000-0x0000000008E61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2772-15-0x0000000000000000-mapping.dmp
          Download
        • memory/2772-51-0x0000000007630000-0x0000000007631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3264-54-0x00000000004374CE-mapping.dmp
          Download
        • memory/3944-67-0x00000000004374CE-mapping.dmp
          Download
        • memory/3944-70-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3944-141-0x0000000005290000-0x0000000005291000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3944-173-0x00000000050D1000-0x00000000050D2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3944-84-0x00000000050D0000-0x00000000050D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-8-0x0000000005630000-0x0000000005631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-9-0x0000000005640000-0x0000000005641000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-2-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4032-41-0x0000000006A80000-0x0000000006A81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-11-0x0000000006850000-0x0000000006851000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-7-0x0000000005790000-0x0000000005791000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-6-0x0000000005650000-0x0000000005651000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-5-0x0000000005A90000-0x0000000005A91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-3-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4032-10-0x0000000006770000-0x00000000067DA000-memory.dmp
          Filesize

          424KB

          Download