Analysis
-
max time kernel
115s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 16:25
General
-
Target
effp.exe
-
Size
15KB
-
MD5
1983ead6d04607d63ca056ec796fb87f
-
SHA1
a437a10a281b78b7e7d87049a7864ed9fb2dc765
-
SHA256
74e35db0e018a83a1002237e7521e2cc0f2d03c6befa319d2b55c68f248f5bbd
-
SHA512
f4c195487428ed46830bf5047c87614d575adb871e8e8e32bb9eb9806be07b8076a78903288b5d7323e5930f5a4b7ef914bd25b0c5d7dc59dad7c445441e6c8b
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
nancy.chen@exxacitcorp.com - Password:
LifeDram2021
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
AgentTesla Payload 5 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\effp.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\effp.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\effp.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\effp.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 963⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 883⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\effp.exe"C:\Users\Admin\AppData\Local\Temp\effp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2a507e0b06ef3f3c594c5b35985c501a
SHA1c4955eaf5cab92ca4d5c5e7c27d154bee0723799
SHA25648b3c8bd45ca1f45ea473368e70c420cda970a97104a0c4babaa5a94abc86d73
SHA512fafd29829167214e3aa287e514675a182ebe9922069443ff2723aa9c3c20b6bdae110e0b3efdfa273c265ce266f52e6b1e5f2765b4199d7635a082ae9ba13df8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2a507e0b06ef3f3c594c5b35985c501a
SHA1c4955eaf5cab92ca4d5c5e7c27d154bee0723799
SHA25648b3c8bd45ca1f45ea473368e70c420cda970a97104a0c4babaa5a94abc86d73
SHA512fafd29829167214e3aa287e514675a182ebe9922069443ff2723aa9c3c20b6bdae110e0b3efdfa273c265ce266f52e6b1e5f2765b4199d7635a082ae9ba13df8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6e17301d627e1a5903708bfc213b1872
SHA1daad18b90153d014ae7a8fd0d5af3ae190150382
SHA25617ac897e40911110772a75533e646739fd7f6a6e261fd33d6e363a7c16c593e0
SHA51205110b09d27268acbdb98721eb5f9acba22861622fd161d56f2160ae182054f3851b9c78b04ff98e0c50e4e58a9ca976eff2c25b6ec175ca6b0c6646dd7b8220
-
memory/60-9-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/60-5-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/60-31-0x00000000067E0000-0x00000000067E1000-memory.dmpFilesize
4KB
-
memory/60-10-0x0000000006190000-0x00000000061FA000-memory.dmpFilesize
424KB
-
memory/60-11-0x0000000006270000-0x0000000006271000-memory.dmpFilesize
4KB
-
memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/60-8-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/60-3-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/60-7-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/60-6-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/196-13-0x0000000000000000-mapping.dmp
-
memory/196-19-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/196-119-0x000000007F300000-0x000000007F301000-memory.dmpFilesize
4KB
-
memory/196-87-0x0000000007F10000-0x0000000007F11000-memory.dmpFilesize
4KB
-
memory/196-24-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/196-157-0x0000000009090000-0x0000000009091000-memory.dmpFilesize
4KB
-
memory/196-71-0x0000000006E40000-0x0000000006E41000-memory.dmpFilesize
4KB
-
memory/196-142-0x0000000009160000-0x0000000009161000-memory.dmpFilesize
4KB
-
memory/196-79-0x00000000076D0000-0x00000000076D1000-memory.dmpFilesize
4KB
-
memory/196-145-0x0000000006883000-0x0000000006884000-memory.dmpFilesize
4KB
-
memory/196-37-0x0000000006882000-0x0000000006883000-memory.dmpFilesize
4KB
-
memory/944-35-0x00000000076D0000-0x00000000076D1000-memory.dmpFilesize
4KB
-
memory/944-141-0x0000000009E70000-0x0000000009E71000-memory.dmpFilesize
4KB
-
memory/944-14-0x0000000000000000-mapping.dmp
-
memory/944-133-0x000000007F810000-0x000000007F811000-memory.dmpFilesize
4KB
-
memory/944-18-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/944-132-0x0000000008D60000-0x0000000008D61000-memory.dmpFilesize
4KB
-
memory/944-26-0x0000000007D10000-0x0000000007D11000-memory.dmpFilesize
4KB
-
memory/944-25-0x00000000076D2000-0x00000000076D3000-memory.dmpFilesize
4KB
-
memory/944-147-0x00000000076D3000-0x00000000076D4000-memory.dmpFilesize
4KB
-
memory/2172-54-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2172-51-0x00000000004374CE-mapping.dmp
-
memory/2172-64-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/2172-91-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2172-171-0x0000000004EB1000-0x0000000004EB2000-memory.dmpFilesize
4KB
-
memory/2192-46-0x00000000004374CE-mapping.dmp
-
memory/2308-36-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2308-38-0x00000000004374CE-mapping.dmp
-
memory/2308-63-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/2308-42-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2612-128-0x000000007E800000-0x000000007E801000-memory.dmpFilesize
4KB
-
memory/2612-149-0x0000000009E50000-0x0000000009E51000-memory.dmpFilesize
4KB
-
memory/2612-12-0x0000000000000000-mapping.dmp
-
memory/2612-39-0x0000000005062000-0x0000000005063000-memory.dmpFilesize
4KB
-
memory/2612-93-0x0000000008B60000-0x0000000008B61000-memory.dmpFilesize
4KB
-
memory/2612-16-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2612-84-0x0000000008200000-0x0000000008201000-memory.dmpFilesize
4KB
-
memory/2612-33-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/2612-146-0x0000000005063000-0x0000000005064000-memory.dmpFilesize
4KB
-
memory/2812-65-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/2984-45-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/2984-62-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/2984-43-0x00000000004374CE-mapping.dmp
-
memory/3808-34-0x00000000004374CE-mapping.dmp
-
memory/3824-30-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/3824-137-0x0000000009090000-0x0000000009091000-memory.dmpFilesize
4KB
-
memory/3824-40-0x0000000004582000-0x0000000004583000-memory.dmpFilesize
4KB
-
memory/3824-148-0x0000000004583000-0x0000000004584000-memory.dmpFilesize
4KB
-
memory/3824-123-0x000000007ECE0000-0x000000007ECE1000-memory.dmpFilesize
4KB
-
memory/3824-20-0x0000000004430000-0x0000000004431000-memory.dmpFilesize
4KB
-
memory/3824-17-0x0000000073AD0000-0x00000000741BE000-memory.dmpFilesize
6.9MB
-
memory/3824-101-0x0000000008F60000-0x0000000008F93000-memory.dmpFilesize
204KB
-
memory/3824-15-0x0000000000000000-mapping.dmp
-
memory/3824-67-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/4012-66-0x00000000042C0000-0x00000000042C1000-memory.dmpFilesize
4KB