Overview

overview

10

Static

static

SecuriteIn...82.exe

windows7_x64

10

SecuriteIn...82.exe

windows10_x64

10

Analysis

  • max time kernel
    98s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe

  • Size

    34KB

  • MD5

    5bb718a52c52383cea5361519559b683

  • SHA1

    54298a1c380568d1d76b103fa267ded82d6a778a

  • SHA256

    43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10

  • SHA512

    36ad2bbb7315f4290844cb433c081265815b69553c2fd025615e989bbf3214f16d0686e100f701db7c827d9c43f0d21f41da9b3d5648ec423b14b35ecc7d9781

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    assist@adipico.com
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4384
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
      2⤵
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
        2⤵
          PID:1064
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
          2⤵
            PID:1332

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        5
        T1112

        Disabling Security Tools

        3
        T1089

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          1c19c16e21c97ed42d5beabc93391fc5

          SHA1

          8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

          SHA256

          1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

          SHA512

          7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          032c3b276c5ca170156caae84bfb63d2

          SHA1

          4a35292b722472da9ee67e5541fbc3b96a8c1fce

          SHA256

          2fc625bb26ae4abe846305e907aacf7da0aae359fff9623485104202439c4277

          SHA512

          898d64f8b8cff918f83a3fb6d1e5c1aad65e56f1223682de0a1600da7336a452bb30d8c6dec2c7e93abbbebfcf4fcac166ae6b75c0f403babb816a63b3d5cf22

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          032c3b276c5ca170156caae84bfb63d2

          SHA1

          4a35292b722472da9ee67e5541fbc3b96a8c1fce

          SHA256

          2fc625bb26ae4abe846305e907aacf7da0aae359fff9623485104202439c4277

          SHA512

          898d64f8b8cff918f83a3fb6d1e5c1aad65e56f1223682de0a1600da7336a452bb30d8c6dec2c7e93abbbebfcf4fcac166ae6b75c0f403babb816a63b3d5cf22

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          032c3b276c5ca170156caae84bfb63d2

          SHA1

          4a35292b722472da9ee67e5541fbc3b96a8c1fce

          SHA256

          2fc625bb26ae4abe846305e907aacf7da0aae359fff9623485104202439c4277

          SHA512

          898d64f8b8cff918f83a3fb6d1e5c1aad65e56f1223682de0a1600da7336a452bb30d8c6dec2c7e93abbbebfcf4fcac166ae6b75c0f403babb816a63b3d5cf22

          Download Submit
        • memory/516-116-0x0000000004F53000-0x0000000004F54000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-44-0x0000000004F50000-0x0000000004F51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-16-0x0000000000000000-mapping.dmp
          Download
        • memory/516-52-0x0000000004F52000-0x0000000004F53000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-111-0x000000007F210000-0x000000007F211000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-22-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1064-53-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1064-50-0x000000000043748E-mapping.dmp
          Download
        • memory/1332-60-0x000000000043748E-mapping.dmp
          Download
        • memory/3180-78-0x0000000009680000-0x00000000096B3000-memory.dmp
          Filesize

          204KB

          Download
        • memory/3180-112-0x0000000009A00000-0x0000000009A01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-38-0x0000000007050000-0x0000000007051000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-126-0x00000000087F0000-0x00000000087F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-20-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3180-109-0x0000000007053000-0x0000000007054000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-100-0x00000000097D0000-0x00000000097D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-96-0x0000000009660000-0x0000000009661000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-41-0x0000000007052000-0x0000000007053000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-104-0x000000007F030000-0x000000007F031000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-14-0x0000000000000000-mapping.dmp
          Download
        • memory/4156-33-0x00000000073D0000-0x00000000073D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4156-13-0x0000000000000000-mapping.dmp
          Download
        • memory/4156-114-0x00000000073D3000-0x00000000073D4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4156-17-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4156-107-0x000000007F960000-0x000000007F961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4156-36-0x00000000073D2000-0x00000000073D3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-18-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-19-0x0000000007A20000-0x0000000007A21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-113-0x00000000073E3000-0x00000000073E4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-27-0x00000000077F0000-0x00000000077F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-120-0x0000000009B60000-0x0000000009B61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-110-0x000000007E930000-0x000000007E931000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-15-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4172-30-0x0000000007990000-0x0000000007991000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-12-0x0000000000000000-mapping.dmp
          Download
        • memory/4172-39-0x00000000081C0000-0x00000000081C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-68-0x0000000008130000-0x0000000008131000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-69-0x00000000086F0000-0x00000000086F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-74-0x0000000008AB0000-0x0000000008AB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-31-0x00000000073E2000-0x00000000073E3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4172-28-0x00000000073E0000-0x00000000073E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4384-26-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4384-32-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4384-118-0x00000000053E0000-0x00000000053E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4384-54-0x0000000005380000-0x0000000005381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4384-29-0x000000000043748E-mapping.dmp
          Download
        • memory/4384-138-0x0000000005381000-0x0000000005382000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4456-35-0x0000000000400000-0x0000000000401000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4456-40-0x000000000043748E-mapping.dmp
          Download
        • memory/4704-11-0x0000000005C40000-0x0000000005C41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-10-0x0000000005B60000-0x0000000005BC4000-memory.dmp
          Filesize

          400KB

          Download
        • memory/4704-9-0x0000000002610000-0x0000000002611000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4704-48-0x0000000005E70000-0x0000000005E71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-8-0x0000000002600000-0x0000000002601000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-7-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-6-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-5-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4704-3-0x0000000000240000-0x0000000000241000-memory.dmp
          Filesize

          4KB

          Download