Analysis
-
max time kernel
99s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-01-2021 11:09
General
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe
-
Size
16KB
-
MD5
f27fb91f116c7506a124cefb4d0cd0cc
-
SHA1
ee7b6fc2072b885e349a02c135e5bea156153d42
-
SHA256
8948b3f93b1fe502e9b838271ac7e46f15e5a79ea0706a7834cedcbd0c10b7d9
-
SHA512
c2f3ce25fbd645db4b5945326f68b29b0d876aeca2edf95723de606de1e8e3dd0d0d5281fff3bb9d2763fc80c70daf1b6b13c4a87381afbf49d48ae7a1f33dc8
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
mrst@mrst-kr.icu - Password:
@Mexico1.,
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
AgentTesla Payload 5 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.lm.20016.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ddfec72c3e8df23634770f454ca26f5b
SHA1fa5028c8c4746cf2467030dfb17eb0b5d04730e0
SHA2561b8cb0c332e6437df40aba1fd5468fe76776d4da96d4cf11622b514dff92527e
SHA512f458a6d60793da4efc9ccfe9c1b12e09948a40625ba663b1f9fbb8c7cee264b1cf2465d8387e9277940404ec82cac397f07b2fa3239b7ca3e50b226734a106ff
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ddfec72c3e8df23634770f454ca26f5b
SHA1fa5028c8c4746cf2467030dfb17eb0b5d04730e0
SHA2561b8cb0c332e6437df40aba1fd5468fe76776d4da96d4cf11622b514dff92527e
SHA512f458a6d60793da4efc9ccfe9c1b12e09948a40625ba663b1f9fbb8c7cee264b1cf2465d8387e9277940404ec82cac397f07b2fa3239b7ca3e50b226734a106ff
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
97c5c1508886a8dbe63478a824c5bb7a
SHA1bf638e5f10bc8fc1a6f5062f3ddc9f8487384577
SHA2563cd27af6eababc054bfca3df1bc99cc5bee208dd77cbda515bb2c165f849472c
SHA5128268b728e91b3f102bf85a98329dd0669e7cbfec218b6b9fee41ef7ec75821453e7c94faa993542bb266b4b56ff92153ba401b12bdb78f10e6d15397d6e61599
-
memory/652-13-0x0000000000000000-mapping.dmp
-
memory/652-114-0x000000007EC60000-0x000000007EC61000-memory.dmpFilesize
4KB
-
memory/652-27-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/652-52-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/652-138-0x0000000004CB3000-0x0000000004CB4000-memory.dmpFilesize
4KB
-
memory/652-60-0x0000000004CB2000-0x0000000004CB3000-memory.dmpFilesize
4KB
-
memory/652-132-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/1776-31-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1776-162-0x00000000051C1000-0x00000000051C2000-memory.dmpFilesize
4KB
-
memory/1776-34-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/1776-160-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB
-
memory/1776-56-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/1776-103-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/1776-161-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/1776-32-0x000000000043748E-mapping.dmp
-
memory/1784-39-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/1784-59-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/1784-37-0x000000000043748E-mapping.dmp
-
memory/2808-122-0x0000000008BA0000-0x0000000008BA1000-memory.dmpFilesize
4KB
-
memory/2808-77-0x0000000007D10000-0x0000000007D11000-memory.dmpFilesize
4KB
-
memory/2808-24-0x00000000064D0000-0x00000000064D1000-memory.dmpFilesize
4KB
-
memory/2808-124-0x000000007ECA0000-0x000000007ECA1000-memory.dmpFilesize
4KB
-
memory/2808-18-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/2808-116-0x0000000008A30000-0x0000000008A31000-memory.dmpFilesize
4KB
-
memory/2808-136-0x00000000064D3000-0x00000000064D4000-memory.dmpFilesize
4KB
-
memory/2808-12-0x0000000000000000-mapping.dmp
-
memory/2808-45-0x00000000064D2000-0x00000000064D3000-memory.dmpFilesize
4KB
-
memory/4048-44-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4048-42-0x000000000043748E-mapping.dmp
-
memory/4064-14-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4064-139-0x0000000006593000-0x0000000006594000-memory.dmpFilesize
4KB
-
memory/4064-10-0x0000000000000000-mapping.dmp
-
memory/4064-38-0x0000000007420000-0x0000000007421000-memory.dmpFilesize
4KB
-
memory/4064-33-0x0000000006B60000-0x0000000006B61000-memory.dmpFilesize
4KB
-
memory/4064-16-0x0000000006BD0000-0x0000000006BD1000-memory.dmpFilesize
4KB
-
memory/4064-15-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/4064-74-0x0000000007310000-0x0000000007311000-memory.dmpFilesize
4KB
-
memory/4064-30-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/4064-82-0x0000000007B70000-0x0000000007B71000-memory.dmpFilesize
4KB
-
memory/4064-127-0x000000007F490000-0x000000007F491000-memory.dmpFilesize
4KB
-
memory/4064-19-0x0000000006590000-0x0000000006591000-memory.dmpFilesize
4KB
-
memory/4064-20-0x0000000006592000-0x0000000006593000-memory.dmpFilesize
4KB
-
memory/4184-17-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4184-22-0x00000000045A0000-0x00000000045A1000-memory.dmpFilesize
4KB
-
memory/4184-144-0x0000000009180000-0x0000000009181000-memory.dmpFilesize
4KB
-
memory/4184-118-0x000000007ED10000-0x000000007ED11000-memory.dmpFilesize
4KB
-
memory/4184-89-0x0000000008F10000-0x0000000008F43000-memory.dmpFilesize
204KB
-
memory/4184-48-0x00000000045A2000-0x00000000045A3000-memory.dmpFilesize
4KB
-
memory/4184-140-0x0000000009190000-0x0000000009191000-memory.dmpFilesize
4KB
-
memory/4184-137-0x00000000045A3000-0x00000000045A4000-memory.dmpFilesize
4KB
-
memory/4184-11-0x0000000000000000-mapping.dmp
-
memory/4452-54-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4452-51-0x000000000043748E-mapping.dmp
-
memory/4776-61-0x00000000063D0000-0x00000000063D1000-memory.dmpFilesize
4KB
-
memory/4776-2-0x0000000073360000-0x0000000073A4E000-memory.dmpFilesize
6.9MB
-
memory/4776-9-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/4776-8-0x0000000005E70000-0x0000000005ED4000-memory.dmpFilesize
400KB
-
memory/4776-7-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/4776-6-0x00000000055B0000-0x00000000055B1000-memory.dmpFilesize
4KB
-
memory/4776-5-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/4776-3-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB