Overview

overview

10

Static

static

SecuriteIn...47.exe

windows7_x64

10

SecuriteIn...47.exe

windows10_x64

10

Analysis

  • max time kernel
    98s
  • max time network
    106s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe

  • Size

    36KB

  • MD5

    aaa69c3544561ed70b13847f6ec763e9

  • SHA1

    1e53ed306bd193cffa691f51f940e908ef18cf4b

  • SHA256

    cfa46220d1b96e515eedbb82a0285229467f377ede30f732f7f6c48caba3ae1e

  • SHA512

    b922f8bdbcc6ee25b635965a24ae87b8d129a8ac7cdd0458e5ddd1c5a62ede6f34b4a5c704fd6a08988f93ab4af424a95b18a563760d8dd584bb5eeba7062016

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    ashfaq.ali@nationalfuels.pw
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1388
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
      2⤵
        PID:1916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 88
          3⤵
          • Program crash
          PID:3544
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
        2⤵
          PID:3668
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
          2⤵
            PID:4392
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
            2⤵
              PID:2268
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 88
            1⤵
            • Program crash
            PID:3484

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          5
          T1112

          Disabling Security Tools

          3
          T1089

          Virtualization/Sandbox Evasion

          2
          T1497

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          4
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            1c19c16e21c97ed42d5beabc93391fc5

            SHA1

            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

            SHA256

            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

            SHA512

            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            8a426f06b7043f7d241c8d7d3e3ad3e6

            SHA1

            4538145eb55e18b94dc125a3339619121d498361

            SHA256

            1f4c40840229a75baf42d6d440cbc1659f8f6e20a4911163cff17b1135e0db73

            SHA512

            2b3afe6bae9394419f2dce0efb11acd159af2541580511423b8f9d8bdc97ba4a99e03106909c33756472c73c1abd68909362abe4d2096b2bdf79dc8a8da02d30

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            2fce1987d7291a645a63ff3f44ebd06b

            SHA1

            d1a5620dbdd49d2a5fcd40f5ae6be24787820564

            SHA256

            ffe352df05bb8a3ae86ca9b375ae35dc255e645ca7589fa0a5f22fd4ab0c8455

            SHA512

            2c0f262e515aad0e990d401fc93263af4c8c5a5b4a250efc43d7de6213d9fcd34e4c0be681675baa4273ce4d415239dc73044fe1e6c86816d8ed16d984dcd6f6

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            d189141fa0523d10a61f1cf7de702256

            SHA1

            f182eba95831b49d8eebcb3b3980d548c66784af

            SHA256

            edb20218b4ad3789aff5249ab7a4c302b1c5d61eb52ac02b78b46a6cb66c65d2

            SHA512

            7e4ea68075a441d39c75d843d90f8c9c2a03e5bfaa4304e82a231d4ff4d3c672d5452ce3ea35526e8962314a6d2e092a9e6967d41f9bf0f4883d2b320e5f58b3

            Download Submit
          • memory/436-14-0x0000000000000000-mapping.dmp
            Download
          • memory/436-51-0x0000000001072000-0x0000000001073000-memory.dmp
            Filesize

            4KB

            Download
          • memory/436-44-0x0000000001070000-0x0000000001071000-memory.dmp
            Filesize

            4KB

            Download
          • memory/436-22-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/436-134-0x0000000001073000-0x0000000001074000-memory.dmp
            Filesize

            4KB

            Download
          • memory/436-112-0x000000007EDB0000-0x000000007EDB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-131-0x00000000071D3000-0x00000000071D4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-77-0x0000000008730000-0x0000000008731000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-17-0x0000000000000000-mapping.dmp
            Download
          • memory/928-125-0x0000000009900000-0x0000000009901000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-119-0x00000000096C0000-0x00000000096C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-69-0x00000000082D0000-0x00000000082D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-114-0x00000000071A0000-0x00000000071A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-135-0x0000000009860000-0x0000000009861000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-23-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/928-73-0x00000000086E0000-0x00000000086E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-49-0x00000000071D0000-0x00000000071D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-52-0x00000000071D2000-0x00000000071D3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-100-0x000000007E890000-0x000000007E891000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-143-0x0000000009840000-0x0000000009841000-memory.dmp
            Filesize

            4KB

            Download
          • memory/928-83-0x0000000009590000-0x00000000095C3000-memory.dmp
            Filesize

            204KB

            Download
          • memory/1388-157-0x0000000005131000-0x0000000005132000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1388-29-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1388-129-0x0000000005440000-0x0000000005441000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1388-27-0x000000000043748E-mapping.dmp
            Download
          • memory/1388-48-0x0000000005130000-0x0000000005131000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1388-25-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1916-33-0x000000000043748E-mapping.dmp
            Download
          • memory/2268-40-0x000000000043748E-mapping.dmp
            Download
          • memory/3484-57-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3544-56-0x0000000004570000-0x0000000004571000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3668-47-0x000000000043748E-mapping.dmp
            Download
          • memory/4224-109-0x000000007F1A0000-0x000000007F1A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-133-0x0000000000F33000-0x0000000000F34000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-15-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4224-32-0x0000000000F30000-0x0000000000F31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-43-0x0000000006AD0000-0x0000000006AD1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-61-0x0000000007500000-0x0000000007501000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-53-0x0000000006C50000-0x0000000006C51000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-39-0x0000000000F32000-0x0000000000F33000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-18-0x0000000000C40000-0x0000000000C41000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4224-12-0x0000000000000000-mapping.dmp
            Download
          • memory/4236-105-0x000000007E100000-0x000000007E101000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4236-20-0x0000000007530000-0x0000000007531000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4236-34-0x0000000006EF0000-0x0000000006EF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4236-16-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4236-36-0x0000000006EF2000-0x0000000006EF3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4236-13-0x0000000000000000-mapping.dmp
            Download
          • memory/4236-132-0x0000000006EF3000-0x0000000006EF4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-42-0x0000000006890000-0x0000000006891000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-2-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4768-11-0x00000000068E0000-0x00000000068E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-10-0x0000000006800000-0x0000000006864000-memory.dmp
            Filesize

            400KB

            Download
          • memory/4768-9-0x00000000064A0000-0x00000000064A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-8-0x00000000064F0000-0x00000000064F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-7-0x0000000005780000-0x0000000005781000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-6-0x00000000055B0000-0x00000000055B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-5-0x0000000005A10000-0x0000000005A11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4768-3-0x0000000000D50000-0x0000000000D51000-memory.dmp
            Filesize

            4KB

            Download