Analysis
  max time kernel:   101s
  max time network:  112s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         21-01-2021 18:32
Static task:      static1
Behavioral task:  behavioral1   Sample: kdotx.exe   Resource: win7v20201028
Behavioral task:  behavioral2   Sample: kdotx.exe   Resource: win10v20201028

All signature hits, process records and memory dumps shown below come from behavioral2 (win10v20201028); the win7 run is not reproduced on this page.
General
  Target:  kdotx.exe
  Size:    57KB
  MD5:     b95249a3ceacb06a049d3f211479fc7e
  SHA1:    5de29c60c381140276e5e96b473018a73bdd53eb
  SHA256:  bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af
  SHA512:  3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47
Malware Config
Extracted: agenttesla
  Protocol:  smtp
  Host:      mail.sardaplywood.com
  Port:      587
  Username:  superstars@sardaplywood.com
  Password:  sup123st45

These are the operator's drop-mailbox credentials embedded in the sample (the account stolen data is mailed to, over SMTP submission on port 587), not credentials of the infected host. Treat the host, port and username as exfiltration indicators for outbound mail monitoring.
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic .NET); this build exfiltrates over SMTP.

AgentTesla Payload  (4 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/60-10-0x00000000061A0000-0x00000000061FC000-memory.dmp    family_agenttesla
  behavioral2/memory/660-18-0x000000000043769E-mapping.dmp                     family_agenttesla
  behavioral2/memory/2612-21-0x000000000043769E-mapping.dmp                    family_agenttesla
  behavioral2/memory/660-16-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla

The family rule matches a 368KB region in the parent (PID 60) and the 0x400000-0x43C000 image in child 660. That is consistent with the payload being unpacked in the parent's memory and then written into the children; the 57KB file on disk is smaller than either region, i.e. it is a packed loader rather than the payload itself.
Reads data files stored by FTP clients  (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients  (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service  (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    api.ipify.org
  18    api.ipify.org
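The extracted SMTP config and the api.ipify.org flows are the two network-side observables this report gives. The following is an added example (not part of the sandbox report or of any tool it names) that turns them into a small detection over connection logs. SAMPLE_LOG is a constructed firewall/proxy export, not traffic from the sandbox run; the indicator values are the report's.

```python
"""Added example: match connection logs against the indicators the report
extracted. SAMPLE_LOG is constructed; the indicator values are the report's."""
from collections import defaultdict

# Indicators from the report: the operator's SMTP drop host/port and the IP-lookup service.
EXFIL_SMTP_HOST = "mail.sardaplywood.com"
EXFIL_SMTP_PORT = 587
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# Constructed log, one connection per line: "<timestamp> <src ip> <dst host> <dst port>".
SAMPLE_LOG = """\
2021-01-21T18:33:01Z 10.0.0.5 api.ipify.org 443
2021-01-21T18:33:02Z 10.0.0.5 mail.sardaplywood.com 587
2021-01-21T18:33:05Z 10.0.0.7 api.ipify.org 443
2021-01-21T18:34:10Z 10.0.0.9 smtp.office365.com 587
2021-01-21T18:35:00Z 10.0.0.8 mail.sardaplywood.com 587
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split()
        events.append({"ts": ts, "src": src, "host": host.lower(), "port": int(port)})
    return events


def tag_event(ev):
    """Indicator tag for one connection, or None when it matches nothing."""
    if ev["host"] == EXFIL_SMTP_HOST and ev["port"] == EXFIL_SMTP_PORT:
        return "exfil_smtp"
    if ev["host"] in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    return None


def classify(events):
    """Per source IP: the ordered indicator tags and a severity.

    SMTP submission to the extracted drop host is 'high' on its own, because
    host:port:username is specific to this sample's operator. An IP lookup
    alone is 'low' (legitimate software uses ipify too); it only adds
    confidence when the same source then submits to the drop mailbox."""
    tags_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = tag_event(ev)
        if tag:
            tags_by_src[ev["src"]].append(tag)
    result = {}
    for src, tags in tags_by_src.items():
        if "exfil_smtp" in tags:
            severity = "high"
            sequence = "ip_lookup" in tags and tags.index("ip_lookup") < tags.index("exfil_smtp")
        else:
            severity, sequence = "low", False
        result[src] = {"tags": tags, "severity": severity, "lookup_then_exfil": sequence}
    return result


if __name__ == "__main__":
    for src, finding in classify(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The username is deliberately not matched here because a connection log does not carry the SMTP AUTH identity; if the mail gateway logs authentication, add superstars@sardaplywood.com as a third condition. Do not use the extracted password to log into the mailbox; it is evidence, and the account belongs to the attacker.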
Suspicious use of NtSetInformationThreadHideFromDebugger  (40 IoCs)
  pid  process     count
  60   kdotx.exe   40 calls, all from the parent process
  NtSetInformationThread with the ThreadHideFromDebugger class stops debug events for that thread from being delivered to an attached debugger, a common anti-analysis measure. Only the loader (PID 60) does this; none of the injected children do.
Suspicious use of SetThreadContext  (5 IoCs)
  description                pid  process     target pid  target process
  PID 60 set thread context  60   kdotx.exe   2248        kdotx.exe
  PID 60 set thread context  60   kdotx.exe   2812        kdotx.exe
  PID 60 set thread context  60   kdotx.exe   660         kdotx.exe
  PID 60 set thread context  60   kdotx.exe   2612        kdotx.exe
  PID 60 set thread context  60   kdotx.exe   2228        kdotx.exe

Program crash  (2 IoCs)
  pid   pid_target  process       target process
  2964  2248        WerFault.exe  kdotx.exe
  736   2812        WerFault.exe  kdotx.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid  process     count
  60   kdotx.exe   2
  660  kdotx.exe   2

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  description              pid  process
  Token: SeDebugPrivilege  60   kdotx.exe
  Token: SeDebugPrivilege  660  kdotx.exe

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid  process
  660  kdotx.exe

Suspicious use of WriteProcessMemory  (32 IoCs)
  description             pid  process     target pid  target process  writes
  PID 60 wrote to memory  60   kdotx.exe   2248        kdotx.exe       4
  PID 60 wrote to memory  60   kdotx.exe   2812        kdotx.exe       4
  PID 60 wrote to memory  60   kdotx.exe   660         kdotx.exe       8
  PID 60 wrote to memory  60   kdotx.exe   2612        kdotx.exe       8
  PID 60 wrote to memory  60   kdotx.exe   2228        kdotx.exe       8

Taken together: the parent (PID 60) launches a copy of itself, writes into the child's memory and then resets the child's thread context, five times over. That is process hollowing (RunPE) without any CreateRemoteThread: the existing main thread is redirected into the written-in image. The first two targets (2248, 2812) crash and are picked up by WerFault.exe; 660, 2612 and 2228 keep running, and 660 is the one that goes on to enumerate processes, take SeDebugPrivilege and install a hook with SetWindowsHookEx (commonly used for keylogging).
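The records above are individually weak (WriteProcessMemory and SetThreadContext both have legitimate uses) but become a strong signal once paired per source/target. The following added example (not from the sandbox report or any tool it names) shows that correlation; EVENTS reproduces the report's records as (api, source pid, target pid) tuples with the listed counts, a layout chosen here for illustration, and nothing in it comes from a live host.

```python
"""Added example: pair memory writes with thread-context changes to find
hollowing candidates. EVENTS reproduces the report's records; the tuple
layout is an assumption made for this example."""
from collections import defaultdict

PARENT = 60
CHILDREN = [2248, 2812, 660, 2612, 2228]                # SetThreadContext targets, report order
WRITES = {2248: 4, 2812: 4, 660: 8, 2612: 8, 2228: 8}   # WriteProcessMemory calls per target
CRASHES = {2964: 2248, 736: 2812}                       # WerFault.exe pid -> crashed kdotx.exe pid

EVENTS = (
    [("NtSetInformationThreadHideFromDebugger", PARENT, PARENT)] * 40
    + [("WriteProcessMemory", PARENT, t) for t, n in WRITES.items() for _ in range(n)]
    + [("SetThreadContext", PARENT, t) for t in CHILDREN]
    + [("AdjustPrivilegeToken:SeDebugPrivilege", p, p) for p in (60, 660)]
    + [("ProgramCrash", wer, target) for wer, target in CRASHES.items()]
)


def hollowing_candidates(events):
    """Pair WriteProcessMemory with SetThreadContext per (source, target).

    A target that received both from the same source, with no remote thread
    creation, is the hollowing/RunPE shape: the parent overwrites the child's
    image and redirects its existing main thread. Returns {target: details}."""
    writes = defaultdict(int)
    ctx_targets = {}
    crashed = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory" and src != dst:
            writes[(src, dst)] += 1
        elif api == "SetThreadContext" and src != dst:
            ctx_targets[dst] = src
        elif api == "ProgramCrash":
            crashed.add(dst)
    return {
        dst: {"source": src, "writes": writes[(src, dst)], "crashed": dst in crashed}
        for dst, src in ctx_targets.items()
    }


def surviving_injected(cands):
    """Targets whose injected image kept running (no WerFault record), by pid."""
    return sorted(pid for pid, c in cands.items() if not c["crashed"])


def anti_debug_pids(events):
    """Processes that hid threads from the debugger; in this run only the loader."""
    return sorted({src for api, src, _ in events
                   if api == "NtSetInformationThreadHideFromDebugger"})


if __name__ == "__main__":
    cands = hollowing_candidates(EVENTS)
    for pid in CHILDREN:
        print(pid, cands[pid])
    print("survived:", surviving_injected(cands), "anti-debug:", anti_debug_pids(EVENTS))
```

On a real endpoint the same pairing is built from telemetry rather than a sandbox listing. Sysmon Event ID 8 (CreateRemoteThread) will not fire for this technique because no new thread is created; where process-access auditing is available (Sysmon Event ID 10), look for the parent holding a handle to a child of the same image with GrantedAccess including PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8), and compare the child's in-memory image against its on-disk file.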
Processes

C:\Users\Admin\AppData\Local\Temp\kdotx.exe
  "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 1, PID 60: the parent/loader)
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\kdotx.exe
    "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 2, child; PID 2248 per the WerFault -p argument)
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 96   (level 3)
        Program crash

  C:\Users\Admin\AppData\Local\Temp\kdotx.exe
    "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 2, child; PID 2812 per the WerFault -p argument)
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 88   (level 3)
        Program crash

  C:\Users\Admin\AppData\Local\Temp\kdotx.exe
    "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 2, child; PID 660, the only child with the signatures below)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\kdotx.exe
    "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 2, child; PID 2612 or 2228, the two remaining SetThreadContext targets)

  C:\Users\Admin\AppData\Local\Temp\kdotx.exe
    "C:\Users\Admin\AppData\Local\Temp\kdotx.exe"   (level 2, child; PID 2612 or 2228)

Every child is a fresh instance of the same binary started by the parent, which is the usual hollowing target choice (the image on disk matches the process name, so nothing looks out of place in a process list). WerFault.exe runs from SysWOW64, so the crashed children, and therefore the sample, are 32-bit processes on the x64 guest; this also fits the 0x400000 image base and 0x43769E address seen in the memory dumps.
Downloads  (memory dumps from behavioral2)
  dump                                                             size
  memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp     6.9MB
  memory/60-3-0x0000000000850000-0x0000000000851000-memory.dmp     4KB
  memory/60-5-0x00000000054B0000-0x00000000054B1000-memory.dmp     4KB
  memory/60-6-0x0000000005090000-0x0000000005091000-memory.dmp     4KB
  memory/60-7-0x0000000005070000-0x0000000005071000-memory.dmp     4KB
  memory/60-8-0x0000000005330000-0x0000000005331000-memory.dmp     4KB
  memory/60-9-0x0000000005280000-0x0000000005281000-memory.dmp     4KB
  memory/60-10-0x00000000061A0000-0x00000000061FC000-memory.dmp    368KB
  memory/60-35-0x0000000005270000-0x0000000005271000-memory.dmp    4KB
  memory/660-18-0x000000000043769E-mapping.dmp                     (mapping address only)
  memory/660-36-0x0000000005150000-0x0000000005151000-memory.dmp   4KB
  memory/660-38-0x0000000005B00000-0x0000000005B01000-memory.dmp   4KB
  memory/660-41-0x0000000005151000-0x0000000005152000-memory.dmp   4KB
  memory/660-20-0x0000000073AD0000-0x00000000741BE000-memory.dmp   6.9MB
  memory/660-16-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
  memory/660-37-0x0000000005460000-0x0000000005461000-memory.dmp   4KB
  memory/736-30-0x0000000005080000-0x0000000005081000-memory.dmp   4KB
  memory/2228-25-0x000000000043769E-mapping.dmp                    (mapping address only)
  memory/2228-28-0x0000000073AD0000-0x00000000741BE000-memory.dmp  6.9MB
  memory/2248-12-0x000000000043769E-mapping.dmp                    (mapping address only)
  memory/2612-22-0x0000000073AD0000-0x00000000741BE000-memory.dmp  6.9MB
  memory/2612-21-0x000000000043769E-mapping.dmp                    (mapping address only)
  memory/2812-14-0x000000000043769E-mapping.dmp                    (mapping address only)
  memory/2964-29-0x0000000004730000-0x0000000004731000-memory.dmp  4KB

Reading the list: the 0x73AD0000-0x741BE000 region has the same base and size in PIDs 60, 660, 2228 and 2612, so it is one shared module mapped into each process rather than per-process payload. Every SetThreadContext target (2248, 2812, 660, 2612, 2228) has a mapping dump at the same address, 0x43769E, which lies inside the 0x400000-0x43C000 image captured from 660 (240KB, one of the regions the family_agenttesla rule hit); that is consistent with the parent writing the same payload image into each child and pointing the main thread at 0x43769E. The 4KB dumps are single pages, and the 736 and 2964 dumps belong to the two WerFault.exe instances, not to the malware.
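The dump names above encode PID, sequence number and address range, and the YARA hit list earlier on the page uses the same names. The following added example (not from the sandbox report or any tool it names) parses those names, recovers the sizes the report shows, and finds the captured region that contains each child's 0x43769E mapping address. DUMPS reproduces the report's non-trivial dump names; the 4KB single-page dumps are left out for brevity.

```python
"""Added example: parse the report's memory-dump names and relate the
mapping addresses to captured regions. DUMPS is copied from the report."""
import re

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

DUMPS = [
    "memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp",
    "memory/60-10-0x00000000061A0000-0x00000000061FC000-memory.dmp",
    "memory/660-18-0x000000000043769E-mapping.dmp",
    "memory/660-20-0x0000000073AD0000-0x00000000741BE000-memory.dmp",
    "memory/660-16-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/2228-25-0x000000000043769E-mapping.dmp",
    "memory/2228-28-0x0000000073AD0000-0x00000000741BE000-memory.dmp",
    "memory/2248-12-0x000000000043769E-mapping.dmp",
    "memory/2612-22-0x0000000073AD0000-0x00000000741BE000-memory.dmp",
    "memory/2612-21-0x000000000043769E-mapping.dmp",
    "memory/2812-14-0x000000000043769E-mapping.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, seq, start, end (None for mapping dumps) and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": end,
        "kind": "region" if end is not None else "mapping",
    }


def human_size(nbytes):
    """Format the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def region_sizes(names):
    """{dump name: human size} for region dumps; mapping dumps have no extent."""
    out = {}
    for n in names:
        d = parse_dump(n)
        if d["kind"] == "region":
            out[n] = human_size(d["end"] - d["start"])
    return out


def injected_image_regions(names):
    """For each pid with a mapping address, the captured region containing it.

    Returns {pid: (start, end)}; pids whose image region was not captured
    (here 2248, 2812, 2228, 2612) are simply absent."""
    parsed = [parse_dump(n) for n in names]
    regions = [d for d in parsed if d["kind"] == "region"]
    out = {}
    for m in (d for d in parsed if d["kind"] == "mapping"):
        for r in regions:
            if r["pid"] == m["pid"] and r["start"] <= m["start"] < r["end"]:
                out[m["pid"]] = (r["start"], r["end"])
    return out


def shared_regions(names):
    """Regions with identical base and size in more than one process: a
    shared module mapping, not a per-process payload."""
    by_extent = {}
    for d in map(parse_dump, names):
        if d["kind"] == "region":
            by_extent.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {k: v for k, v in by_extent.items() if len(v) > 1}


if __name__ == "__main__":
    for name, size in region_sizes(DUMPS).items():
        print(f"{size:>6}  {name}")
    print("injected image regions:", {p: (hex(s), hex(e)) for p, (s, e) in injected_image_regions(DUMPS).items()})
    print("shared regions:", {(hex(s), hex(e)): sorted(p) for (s, e), p in shared_regions(DUMPS).items()})
```

The useful output for triage is the single hit from injected_image_regions: only 660's written-in image was captured, which is why it is the dump to carve the PE from and run the family rule against, while the 6.9MB region that shared_regions flags in four processes can be skipped.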