Overview

overview

10

Static

static

SecuriteIn...87.exe

windows7_x64

10

SecuriteIn...87.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe

  • Size

    32KB

  • MD5

    edeae783c7249315102d03a637fd3257

  • SHA1

    22044ad362803278ec491b260e6d34a6342f17f4

  • SHA256

    74957e6668e2336b8892c3943890462ee2f7e7782d25b574e8184a3862a1b396

  • SHA512

    88f3eee886d178455e516326ffaa7ed6f32d234583be4b10738ae7c0097fe1f503e6c9c5f95107f80ec82bfb236f36372c6d5a7c837c0415240c4ffcc329f202

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    sales1@razorwirefecning.com
  • Password:
    Blessings@12345

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:8
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4324
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
      2⤵
        PID:1996
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
        2⤵
          PID:4428
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
          2⤵
            PID:4536

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        5
        T1112

        Disabling Security Tools

        3
        T1089

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          db01a2c1c7e70b2b038edf8ad5ad9826

          SHA1

          540217c647a73bad8d8a79e3a0f3998b5abd199b

          SHA256

          413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

          SHA512

          c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          ba67620244c0106c1df4b3dc829180f5

          SHA1

          1586076fb0d76ad6be6acbd979e64b1167909a66

          SHA256

          70b7430ef95d7c44ad32a55913b7d2ae4eda7e98213c66caf4f029b14fd3fcc9

          SHA512

          441b088bfcab57a98cb7817f384eb2e2710d563ab53543fc6b2c46d9fb3e6083fa4885da476e70bc51eaa86d96aea63d0d0fa2d1ebc608b2fb518f01cae8c879

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          62c470720e6234e7bdf10f95a192b06d

          SHA1

          a43f37920c6cb1a90a0667917df0b99fdaf3383c

          SHA256

          281257d5e004a9d1fca790e70c4ae2082ac27858ac5369ba71e49ae2621b9b31

          SHA512

          9113cbeef8bfb1555634a1e717596b67d68d60e74259e966e979deaebb021a95822a0fdfa0d444f60c3a68c9fd1e3c1640f7eceeb44b24d8a6ee2b23a1980013

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          21612655e1519167c97ee3e010ff46ad

          SHA1

          fe9bda84d7160c891fc37923f858a4922b6f4f54

          SHA256

          96462492ef0e3adccb06d9e87bdb609408f7ecc7442e25f1bf5f6a7c5735e7a7

          SHA512

          41cafc69aa5efbd69ce56c9b3eea7796860fef623e2f667d64e875db121fd034bc27543d79ffbd2cf8278110277300fb42761fbc3d4fad35dbde163cc11f541f

          Download Submit
        • memory/8-120-0x000000007F1F0000-0x000000007F1F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-30-0x0000000007F90000-0x0000000007F91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-126-0x0000000004F43000-0x0000000004F44000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-116-0x0000000009910000-0x0000000009911000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-112-0x00000000097A0000-0x00000000097A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-84-0x00000000097C0000-0x00000000097F3000-memory.dmp
          Filesize

          204KB

          Download
        • memory/8-13-0x0000000000000000-mapping.dmp
          Download
        • memory/8-48-0x0000000004F42000-0x0000000004F43000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-39-0x0000000008220000-0x0000000008221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-17-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/8-40-0x0000000004F40000-0x0000000004F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/8-49-0x00000000082C0000-0x00000000082C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-124-0x000000007E870000-0x000000007E871000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-16-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/844-70-0x0000000008070000-0x0000000008071000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-18-0x00000000070D0000-0x00000000070D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-127-0x0000000007213000-0x0000000007214000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-20-0x0000000007850000-0x0000000007851000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-74-0x0000000008AA0000-0x0000000008AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-12-0x0000000000000000-mapping.dmp
          Download
        • memory/844-45-0x0000000007212000-0x0000000007213000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-36-0x0000000007210000-0x0000000007211000-memory.dmp
          Filesize

          4KB

          Download
        • memory/844-78-0x0000000008890000-0x0000000008891000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-22-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1164-52-0x00000000042A0000-0x00000000042A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-133-0x000000007E840000-0x000000007E841000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-130-0x00000000042A3000-0x00000000042A4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-61-0x00000000042A2000-0x00000000042A3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-14-0x0000000000000000-mapping.dmp
          Download
        • memory/1596-125-0x0000000004E53000-0x0000000004E54000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-123-0x000000007F860000-0x000000007F861000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-144-0x0000000008840000-0x0000000008841000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-60-0x0000000004E50000-0x0000000004E51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-62-0x0000000004E52000-0x0000000004E53000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-15-0x0000000000000000-mapping.dmp
          Download
        • memory/1596-136-0x00000000099F0000-0x00000000099F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1596-23-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1596-128-0x0000000009A90000-0x0000000009A91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1996-35-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1996-33-0x000000000043749E-mapping.dmp
          Download
        • memory/4324-134-0x00000000057F0000-0x00000000057F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4324-31-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4324-158-0x00000000054B1000-0x00000000054B2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4324-57-0x00000000054B0000-0x00000000054B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4324-29-0x000000000043749E-mapping.dmp
          Download
        • memory/4324-28-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4428-41-0x000000000043749E-mapping.dmp
          Download
        • memory/4428-46-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4536-54-0x000000000043749E-mapping.dmp
          Download
        • memory/4804-9-0x0000000005770000-0x0000000005771000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-8-0x00000000057F0000-0x00000000057F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-11-0x0000000005B90000-0x0000000005B91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-65-0x0000000006000000-0x0000000006001000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-2-0x00000000739D0000-0x00000000740BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4804-7-0x0000000002330000-0x0000000002331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-6-0x0000000004870000-0x0000000004871000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-5-0x0000000004C90000-0x0000000004C91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-3-0x0000000000020000-0x0000000000021000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4804-10-0x0000000005AB0000-0x0000000005B14000-memory.dmp
          Filesize

          400KB

          Download