Overview

overview

10

Static

static

SecuriteIn...82.exe

windows7_x64

10

SecuriteIn...82.exe

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    20-01-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe

  • Size

    34KB

  • MD5

    5bb718a52c52383cea5361519559b683

  • SHA1

    54298a1c380568d1d76b103fa267ded82d6a778a

  • SHA256

    43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10

  • SHA512

    36ad2bbb7315f4290844cb433c081265815b69553c2fd025615e989bbf3214f16d0686e100f701db7c827d9c43f0d21f41da9b3d5648ec423b14b35ecc7d9781

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    assist@adipico.com
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 7 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
      2⤵
        PID:1180
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
        2⤵
          PID:1628
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1976
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
          2⤵
            PID:1008

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        5
        T1112

        Disabling Security Tools

        3
        T1089

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          MD5

          911154a99ced7fe3d85b84fc4fbbce9c

          SHA1

          3eabca2918ba95849db5e72c40aea653f165b0ac

          SHA256

          432ea7ea8506594416ef53e6eff4c5b1cd49d126cf02cfa86fe47a43a94d5eb8

          SHA512

          b83983381ac909ffcadf0127b9ddb0f4411af27015fbcf75ec3e697cb218a47905fbee29fd86851910d6fa453a527b4e93faa8aac51b4a96a0ebf840ca6bed3e

          Download Submit
        • memory/268-12-0x0000000000000000-mapping.dmp
          Download
        • memory/268-72-0x000000007EF30000-0x000000007EF31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-53-0x0000000004A70000-0x0000000004A71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-54-0x0000000004A72000-0x0000000004A73000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-17-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/800-16-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/800-20-0x0000000000D30000-0x0000000000D31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-49-0x0000000000DA2000-0x0000000000DA3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-8-0x0000000000000000-mapping.dmp
          Download
        • memory/800-47-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-21-0x00000000048D0000-0x00000000048D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1008-48-0x000000000043748E-mapping.dmp
          Download
        • memory/1064-57-0x00000000023D2000-0x00000000023D3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1064-67-0x0000000005340000-0x0000000005341000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1064-59-0x0000000005270000-0x0000000005271000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1064-18-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1064-56-0x00000000023D0000-0x00000000023D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1064-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1100-2-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1100-5-0x0000000004C90000-0x0000000004C91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1100-58-0x0000000000780000-0x0000000000781000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1100-6-0x0000000004210000-0x0000000004274000-memory.dmp
          Filesize

          400KB

          Download
        • memory/1100-3-0x0000000000330000-0x0000000000331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1180-31-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1180-66-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1180-34-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1180-29-0x000000000043748E-mapping.dmp
          Download
        • memory/1180-28-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1316-63-0x0000000001F90000-0x0000000001F91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1316-33-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1316-32-0x000000000043748E-mapping.dmp
          Download
        • memory/1628-39-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1628-37-0x000000000043748E-mapping.dmp
          Download
        • memory/1628-65-0x0000000002010000-0x0000000002011000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1632-50-0x0000000004900000-0x0000000004901000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1632-10-0x00000000765E1000-0x00000000765E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-55-0x0000000004902000-0x0000000004903000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1632-19-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1632-7-0x0000000000000000-mapping.dmp
          Download
        • memory/1976-43-0x0000000074090000-0x000000007477E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1976-64-0x00000000047A0000-0x00000000047A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1976-42-0x000000000043748E-mapping.dmp
          Download
        • memory/1976-73-0x00000000047A1000-0x00000000047A2000-memory.dmp
          Filesize

          4KB

          Download