Analysis
-
max time kernel
113s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 11:09
General
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe
-
Size
20KB
-
MD5
9d1c8d505aed4eb37bd5530a0b5b3b10
-
SHA1
8727180dafb631c287957dedbcc4f989fb0a5825
-
SHA256
1730e8fd738a26adbe3f0b31192adf6d4cc175f021b2d06e6278e36a43efef40
-
SHA512
0a1776064a7a82a53881036ed2b3ab9a30f0c842c826543202cbf6399cb10f6ca2544e95672e87ab59c84d5778544aa89dfaa802ab843aa57bf6bcbeb4f27bea
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
edubrazil4040@longjohn.icu - Password:
GODBLESS2021@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
AgentTesla Payload 5 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 923⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.mm.26574.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 883⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
4f3faebd13086b6193638bc88583e891
SHA157cce014dcfff061619326c56f136ea31d783518
SHA2561222cf22eb35f70a4db9623cf92f7e362094f51e3700cfa31023cd43ee96c72f
SHA512f3c27b209265b1dc488e45efc5eb7cf63f786cfc81f444a188951eb5c78da642461ce1f445a48be9f68b9b9a2f885d80b5c3cfb992064d4c0577e5bacb2e9a5e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
4f3faebd13086b6193638bc88583e891
SHA157cce014dcfff061619326c56f136ea31d783518
SHA2561222cf22eb35f70a4db9623cf92f7e362094f51e3700cfa31023cd43ee96c72f
SHA512f3c27b209265b1dc488e45efc5eb7cf63f786cfc81f444a188951eb5c78da642461ce1f445a48be9f68b9b9a2f885d80b5c3cfb992064d4c0577e5bacb2e9a5e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
43870c1e684739b64f218ca232158291
SHA1e1a6a8191a0272e9f7d30a572c85a8205ec8e4ec
SHA25636d8758d148ad190075112fb4efd0571d69c8d496601ec6ea52ee6fac60b60b9
SHA5123cd22214d286dd3816fbc3a5e9b7ac510ef594638039fefb6391c8f156fabf6d4331194fc8b628a7fae28c3a41ab9e9e1d1c19c290f6ef2163018c3d063dc35b
-
memory/496-9-0x0000000004E10000-0x0000000004E11000-memory.dmpFilesize
4KB
-
memory/496-8-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/496-7-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/496-10-0x0000000005F00000-0x0000000005F64000-memory.dmpFilesize
400KB
-
memory/496-11-0x0000000006180000-0x0000000006181000-memory.dmpFilesize
4KB
-
memory/496-2-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/496-58-0x00000000065F0000-0x00000000065F1000-memory.dmpFilesize
4KB
-
memory/496-6-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/496-5-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/496-3-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/1104-15-0x0000000000000000-mapping.dmp
-
memory/1104-110-0x000000007F770000-0x000000007F771000-memory.dmpFilesize
4KB
-
memory/1104-136-0x00000000065F3000-0x00000000065F4000-memory.dmpFilesize
4KB
-
memory/1104-151-0x0000000008EA0000-0x0000000008EA1000-memory.dmpFilesize
4KB
-
memory/1104-143-0x0000000008EB0000-0x0000000008EB1000-memory.dmpFilesize
4KB
-
memory/1104-25-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/1104-30-0x00000000065F0000-0x00000000065F1000-memory.dmpFilesize
4KB
-
memory/1104-59-0x0000000007260000-0x0000000007261000-memory.dmpFilesize
4KB
-
memory/1104-34-0x00000000065F2000-0x00000000065F3000-memory.dmpFilesize
4KB
-
memory/1368-42-0x00000000004374DE-mapping.dmp
-
memory/1368-45-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2416-137-0x0000000006803000-0x0000000006804000-memory.dmpFilesize
4KB
-
memory/2416-94-0x000000007EB70000-0x000000007EB71000-memory.dmpFilesize
4KB
-
memory/2416-127-0x0000000008F30000-0x0000000008F31000-memory.dmpFilesize
4KB
-
memory/2416-77-0x0000000007510000-0x0000000007511000-memory.dmpFilesize
4KB
-
memory/2416-32-0x0000000006802000-0x0000000006803000-memory.dmpFilesize
4KB
-
memory/2416-93-0x0000000008BB0000-0x0000000008BE3000-memory.dmpFilesize
204KB
-
memory/2416-123-0x0000000008B90000-0x0000000008B91000-memory.dmpFilesize
4KB
-
memory/2416-138-0x00000000090E0000-0x00000000090E1000-memory.dmpFilesize
4KB
-
memory/2416-28-0x0000000006800000-0x0000000006801000-memory.dmpFilesize
4KB
-
memory/2416-17-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2416-13-0x0000000000000000-mapping.dmp
-
memory/2592-165-0x0000000004C61000-0x0000000004C62000-memory.dmpFilesize
4KB
-
memory/2592-41-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2592-39-0x00000000004374DE-mapping.dmp
-
memory/2592-89-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/2592-67-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/2592-38-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2692-49-0x00000000004374DE-mapping.dmp
-
memory/2692-52-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2720-37-0x00000000004374DE-mapping.dmp
-
memory/3056-21-0x0000000007AE0000-0x0000000007AE1000-memory.dmpFilesize
4KB
-
memory/3056-72-0x00000000081F0000-0x00000000081F1000-memory.dmpFilesize
4KB
-
memory/3056-16-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/3056-18-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/3056-31-0x00000000033E2000-0x00000000033E3000-memory.dmpFilesize
4KB
-
memory/3056-12-0x0000000000000000-mapping.dmp
-
memory/3056-103-0x000000007EE10000-0x000000007EE11000-memory.dmpFilesize
4KB
-
memory/3056-43-0x0000000007810000-0x0000000007811000-memory.dmpFilesize
4KB
-
memory/3056-81-0x0000000008A80000-0x0000000008A81000-memory.dmpFilesize
4KB
-
memory/3056-135-0x00000000033E3000-0x00000000033E4000-memory.dmpFilesize
4KB
-
memory/3056-24-0x00000000033E0000-0x00000000033E1000-memory.dmpFilesize
4KB
-
memory/3244-142-0x0000000006833000-0x0000000006834000-memory.dmpFilesize
4KB
-
memory/3244-26-0x0000000006832000-0x0000000006833000-memory.dmpFilesize
4KB
-
memory/3244-35-0x0000000006830000-0x0000000006831000-memory.dmpFilesize
4KB
-
memory/3244-19-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/3244-99-0x000000007ED00000-0x000000007ED01000-memory.dmpFilesize
4KB
-
memory/3244-14-0x0000000000000000-mapping.dmp
-
memory/3244-85-0x0000000007DD0000-0x0000000007DD1000-memory.dmpFilesize
4KB
-
memory/4108-56-0x00000000004374DE-mapping.dmp
-
memory/4132-74-0x0000000004380000-0x0000000004381000-memory.dmpFilesize
4KB
-
memory/4224-71-0x0000000004140000-0x0000000004141000-memory.dmpFilesize
4KB