Overview

overview

10

Static

static

figg.exe

windows7_x64

10

figg.exe

windows10_x64

10

Analysis

  • max time kernel
    98s
  • max time network
    101s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    figg.exe

  • Size

    56KB

  • MD5

    dfd545dbc01cac5d86f94dd0a3c8d675

  • SHA1

    86b077d904d1f9bbb11d897a78e38924a421e0e8

  • SHA256

    5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec

  • SHA512

    72d3f60e21187b9feb34a28fe4464bbc54e6fbf3c329476657d8a4a89ad2ce632223f2a1226af0488f7ceeda7c3c836288de9110a0868042670c7e74e61a01b7

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    noor.akbari@petrolnas.icu
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\figg.exe
    "C:\Users\Admin\AppData\Local\Temp\figg.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\figg.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\figg.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\figg.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\figg.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:660
    • C:\Users\Admin\AppData\Local\Temp\figg.exe
      "C:\Users\Admin\AppData\Local\Temp\figg.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\figg.exe
      "C:\Users\Admin\AppData\Local\Temp\figg.exe"
      2⤵
        PID:3784
      • C:\Users\Admin\AppData\Local\Temp\figg.exe
        "C:\Users\Admin\AppData\Local\Temp\figg.exe"
        2⤵
          PID:2176
        • C:\Users\Admin\AppData\Local\Temp\figg.exe
          "C:\Users\Admin\AppData\Local\Temp\figg.exe"
          2⤵
            PID:2412

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        5
        T1112

        Disabling Security Tools

        3
        T1089

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          db01a2c1c7e70b2b038edf8ad5ad9826

          SHA1

          540217c647a73bad8d8a79e3a0f3998b5abd199b

          SHA256

          413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

          SHA512

          c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          cfe456cd2eb4c3fbb715a9cebf95b809

          SHA1

          ed46febe2d4b2847990acb17e0e45c5709a85a27

          SHA256

          4e4719cab12c67b24fc301369530a6bff17d7ee256b1f84e01db74939f026d52

          SHA512

          1bb727d5c00a095f540027083c1aac9533b5a380bb8c5c5a429b7936dff89b6a4edc10e2aa50b708a6ecfbb71062f8997291d0ab447f0c120ca931df9a41c311

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          3a544da63e6b4b5b31f13a8b4c058277

          SHA1

          3401b2292d528271a48502d11e7ea0f41e48fe9f

          SHA256

          ca32903270e77e84102d8effe92c8d99e5bb313285fc6fbf21573f564054fb0a

          SHA512

          cdea55573405a8068c05dbc95085cafddeaeea6bea13d09841770958fa9a5e005ab8ace2db380d1bf4a6649dc766938276847347e80422b49b29a69a99af6760

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          5237a9434ca830fffcb2f8fc484d27a4

          SHA1

          5e60b2d0ce968f185ff2402ae7cc5c22c04b0879

          SHA256

          8b5b42606b77853afba320f44c518671aa177db1d119f4b6552651627865e6ed

          SHA512

          64ca1eb73542ce080b47b2ce22b16283514811e3beebb48ba04b35738a3cdd006da3056964f559146ef198bbe936e4071a1688223be3d5ae0f4e9e21748d1d85

          Download Submit
        • memory/660-126-0x0000000008E40000-0x0000000008E41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-112-0x0000000008B10000-0x0000000008B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-115-0x0000000008C60000-0x0000000008C61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-31-0x0000000006AB2000-0x0000000006AB3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-29-0x0000000006AB0000-0x0000000006AB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-23-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/660-99-0x000000007E6D0000-0x000000007E6D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-133-0x0000000006AB3000-0x0000000006AB4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-84-0x0000000008B30000-0x0000000008B63000-memory.dmp
          Filesize

          204KB

          Download
        • memory/660-79-0x0000000007BF0000-0x0000000007BF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/660-17-0x0000000000000000-mapping.dmp
          Download
        • memory/980-37-0x0000000000A10000-0x0000000000A11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/980-14-0x0000000000000000-mapping.dmp
          Download
        • memory/980-21-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/980-134-0x0000000000A13000-0x0000000000A14000-memory.dmp
          Filesize

          4KB

          Download
        • memory/980-108-0x000000007F980000-0x000000007F981000-memory.dmp
          Filesize

          4KB

          Download
        • memory/980-27-0x0000000000A12000-0x0000000000A13000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-8-0x0000000002960000-0x0000000002961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-11-0x0000000006100000-0x0000000006101000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-3-0x0000000000690000-0x0000000000691000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-5-0x00000000054A0000-0x00000000054A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-9-0x0000000005190000-0x0000000005191000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-10-0x0000000006020000-0x0000000006084000-memory.dmp
          Filesize

          400KB

          Download
        • memory/1192-6-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-7-0x0000000005040000-0x0000000005041000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-2-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1192-40-0x0000000006670000-0x0000000006671000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1392-36-0x000000000043747E-mapping.dmp
          Download
        • memory/1392-39-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1392-158-0x00000000052D1000-0x00000000052D2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1392-65-0x00000000052D0000-0x00000000052D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1392-130-0x0000000005620000-0x0000000005621000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1392-34-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/2176-54-0x000000000043747E-mapping.dmp
          Download
        • memory/2412-42-0x000000000043747E-mapping.dmp
          Download
        • memory/2412-43-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3616-33-0x0000000007330000-0x0000000007331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-13-0x0000000000000000-mapping.dmp
          Download
        • memory/3616-136-0x0000000009C20000-0x0000000009C21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-19-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3616-132-0x0000000007333000-0x0000000007334000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-35-0x0000000007332000-0x0000000007333000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-104-0x000000007F990000-0x000000007F991000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-57-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-38-0x0000000007A90000-0x0000000007A91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-12-0x0000000000000000-mapping.dmp
          Download
        • memory/3632-32-0x00000000049A2000-0x00000000049A3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-113-0x000000007E4C0000-0x000000007E4C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-70-0x0000000007D20000-0x0000000007D21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-25-0x00000000049A0000-0x00000000049A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-52-0x0000000007D50000-0x0000000007D51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-135-0x00000000049A3000-0x00000000049A4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-71-0x00000000085B0000-0x00000000085B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-144-0x0000000009750000-0x0000000009751000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-18-0x0000000007430000-0x0000000007431000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-16-0x0000000004A30000-0x0000000004A31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3632-15-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3784-49-0x0000000073D20000-0x000000007440E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3784-46-0x000000000043747E-mapping.dmp
          Download