Analysis
- Max time kernel: 139s
- Max time network: 15s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 22-01-2021 07:07

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (Sample: RFQ #6553928_PDF.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: RFQ #6553928_PDF.exe, Resource: win10v20201028)
General
- Target: RFQ #6553928_PDF.exe
- Size: 1003KB
- MD5: 126a06711f90b3bb00d5cdf657bbd381
- SHA1: 50c06ee54498c3a960baf9aca1f62909edf1981c
- SHA256: 20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c
- SHA512: ccf017de3b41b4b7372651aeaf73f0ca25fdf7ab6075634d5cd1600801a3fe438ce3c86ceccb5de7a31f626286dd75ef02dbc9ec3f0019541eb980a76d8191fc
Malware Config
Extracted configuration:
- Family: agenttesla
- URL: https://api.telegram.org/bot1513271204:AAFn4hPg2fp2zgo9ieA28FrdaCkpwxApdbA/sendDocument
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  YARA rule family_agenttesla matched the following memory dumps:
  - behavioral1/memory/1716-10-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral1/memory/1716-11-0x000000000043777E-mapping.dmp
  - behavioral1/memory/1716-13-0x0000000000400000-0x000000000043C000-memory.dmp
- Suspicious use of SetThreadContext (1 IoC)
  PID 1856 (RFQ #6553928_PDF.exe) set thread context of PID 1716 (MSBuild.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1716 (MSBuild.exe), 2 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1716 (MSBuild.exe): Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1856 (RFQ #6553928_PDF.exe) wrote to memory of PID 672 (schtasks.exe): 4 events
  PID 1856 (RFQ #6553928_PDF.exe) wrote to memory of PID 1716 (MSBuild.exe): 9 events
Processes (process tree)
- C:\Users\Admin\AppData\Local\Temp\RFQ #6553928_PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ #6553928_PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZAqSbOWQIwH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp
  MD5: f968887707d52bb3ddfde8fe3b1c797f
  SHA1: 3c91297409f893f937a113b8e714bec645106674
  SHA256: cb15a70816953638b6294f21827c3679ed920a387afe25c614d06ca36665a321
  SHA512: c3f10df80c56eb45a94e78b533ebb23b82f6700f31240cb54c8cf5fa3175e6717aadb602ffb191539addba70d2070dd95b5a0e84bb55dd07fb0e7c19e13f5a23

Memory dumps (filename, filesize where shown):
- memory/672-8-0x0000000000000000-mapping.dmp
- memory/1716-12-0x0000000074590000-0x0000000074C7E000-memory.dmp (6MB)
- memory/1716-10-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1716-11-0x000000000043777E-mapping.dmp
- memory/1716-13-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1716-15-0x0000000004A50000-0x0000000004A51000-memory.dmp (4KB)
- memory/1716-16-0x0000000004A51000-0x0000000004A52000-memory.dmp (4KB)
- memory/1856-6-0x0000000000350000-0x000000000035E000-memory.dmp (56KB)
- memory/1856-7-0x0000000005790000-0x0000000005836000-memory.dmp (664KB)
- memory/1856-5-0x00000000043C0000-0x00000000043C1000-memory.dmp (4KB)
- memory/1856-3-0x0000000000C40000-0x0000000000C41000-memory.dmp (4KB)
- memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp (6MB)