Analysis
- max time kernel: 142s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-01-2021 11:35

Static task: static1

Behavioral task: behavioral1
- Sample: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Resource: win10v20201028
General
- Target: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Size: 1.1MB
- MD5: 92edc65726762623172b37e177bd09de
- SHA1: 8a75db87fb9a1cfc0c8dc24d42dcba490919c954
- SHA256: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
- SHA512: 2aa1496d3e192d14efece08c9477f3dd4e69a70af84ac9744cbd9559a57f1dbdb6e67c9ad32fb35e3d147833a5eaee0fb84e3368bd50715b4f67e8aeffa63b63
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: vbjmys@yandex.com
- Password: officepost8
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1756-26-0x0000000000400000-0x0000000000466000-memory.dmp   family_agenttesla
  behavioral1/memory/1756-27-0x00000000004617EE-mapping.dmp                     family_agenttesla
  behavioral1/memory/1756-32-0x0000000000400000-0x0000000000466000-memory.dmp   family_agenttesla
-
Executes dropped EXE 2 IoCs
Processes: sshhhaaa.exe, RegAsm.exe
  pid    process
  748    sshhhaaa.exe
  1756   RegAsm.exe
-
Loads dropped DLL 3 IoCs
Processes: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe, sshhhaaa.exe, RegAsm.exe
  pid    process
  1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  748    sshhhaaa.exe
  1756   RegAsm.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: reg.exe, RegAsm.exe
  description       ioc                                                                                                                                              process
  Key created       \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run                                         reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\pls = "C:\\Program Files (x86)\\sshhhaaa.exe"   reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WNRUXJ = "C:\\Users\\Admin\\AppData\\Roaming\\WNRUXJ\\WNRUXJ.exe"   RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: sshhhaaa.exe
  description                          pid   process        target process
  PID 748 set thread context of 1756   748   sshhhaaa.exe   RegAsm.exe
-
Drops file in Program Files directory 2 IoCs
Processes: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  description                    ioc                                   process
  File opened for modification   C:\Program Files (x86)\sshhhaaa.exe   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  File created                   C:\Program Files (x86)\sshhhaaa.exe   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe, sshhhaaa.exe, RegAsm.exe
  pid    process
  1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  748    sshhhaaa.exe
  748    sshhhaaa.exe
  1756   RegAsm.exe
  1756   RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe, sshhhaaa.exe, RegAsm.exe
  description               pid    process
  Token: SeDebugPrivilege   1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
  Token: SeDebugPrivilege   748    sshhhaaa.exe
  Token: SeDebugPrivilege   1756   RegAsm.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe, cmd.exe, sshhhaaa.exe
  description                        pid    process                                                                 target process   rows
  PID 1056 wrote to memory of 316    1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe   cmd.exe          4 identical rows
  PID 316 wrote to memory of 1668    316    cmd.exe                                                                 reg.exe          4 identical rows
  PID 1056 wrote to memory of 748    1056   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe   sshhhaaa.exe     4 identical rows
  PID 748 wrote to memory of 1756    748    sshhhaaa.exe                                                            RegAsm.exe       12 identical rows
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe  (level 2, child of ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe)
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pls" /t REG_SZ /d "C:\Program Files (x86)\sshhhaaa.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\reg.exe  (level 3, child of cmd.exe)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pls" /t REG_SZ /d "C:\Program Files (x86)\sshhhaaa.exe"
      - Adds Run key to start application
  -
  C:\Program Files (x86)\sshhhaaa.exe  (level 2, child of ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe)
    Command line: "C:\Program Files (x86)\sshhhaaa.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe  (level 3, child of sshhhaaa.exe)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\sshhhaaa.exe
  MD5     92edc65726762623172b37e177bd09de
  SHA1    8a75db87fb9a1cfc0c8dc24d42dcba490919c954
  SHA256  ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
  SHA512  2aa1496d3e192d14efece08c9477f3dd4e69a70af84ac9744cbd9559a57f1dbdb6e67c9ad32fb35e3d147833a5eaee0fb84e3368bd50715b4f67e8aeffa63b63
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  MD5     b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256  6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512  b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Program Files (x86)\sshhhaaa.exe
  MD5     92edc65726762623172b37e177bd09de
  SHA1    8a75db87fb9a1cfc0c8dc24d42dcba490919c954
  SHA256  ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
  SHA512  2aa1496d3e192d14efece08c9477f3dd4e69a70af84ac9744cbd9559a57f1dbdb6e67c9ad32fb35e3d147833a5eaee0fb84e3368bd50715b4f67e8aeffa63b63
-
\Users\Admin\AppData\Local\Temp\RegAsm.exe
  MD5     b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256  6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512  b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
- memory/316-8-0x0000000000000000-mapping.dmp
- memory/748-21-0x00000000005B0000-0x00000000005BB000-memory.dmp  Filesize 44KB
- memory/748-22-0x0000000000850000-0x0000000000851000-memory.dmp  Filesize 4KB
- memory/748-25-0x0000000004BB1000-0x0000000004BB2000-memory.dmp  Filesize 4KB
- memory/748-12-0x0000000000000000-mapping.dmp
- memory/748-15-0x0000000073C60000-0x000000007434E000-memory.dmp  Filesize 6.9MB
- memory/748-16-0x0000000000F50000-0x0000000000F51000-memory.dmp  Filesize 4KB
- memory/748-20-0x0000000004BB0000-0x0000000004BB1000-memory.dmp  Filesize 4KB
- memory/1056-10-0x0000000000D91000-0x0000000000D92000-memory.dmp  Filesize 4KB
- memory/1056-2-0x0000000073C60000-0x000000007434E000-memory.dmp  Filesize 6.9MB
- memory/1056-7-0x0000000000D90000-0x0000000000D91000-memory.dmp  Filesize 4KB
- memory/1056-6-0x00000000004A0000-0x00000000004A1000-memory.dmp  Filesize 4KB
- memory/1056-5-0x00000000002F0000-0x000000000030E000-memory.dmp  Filesize 120KB
- memory/1056-3-0x0000000001230000-0x0000000001231000-memory.dmp  Filesize 4KB
- memory/1668-9-0x0000000000000000-mapping.dmp
- memory/1756-26-0x0000000000400000-0x0000000000466000-memory.dmp  Filesize 408KB
- memory/1756-27-0x00000000004617EE-mapping.dmp
- memory/1756-29-0x0000000075A61000-0x0000000075A63000-memory.dmp  Filesize 8KB
- memory/1756-31-0x0000000072F30000-0x000000007361E000-memory.dmp  Filesize 6.9MB
- memory/1756-32-0x0000000000400000-0x0000000000466000-memory.dmp  Filesize 408KB
- memory/1756-34-0x0000000005090000-0x0000000005091000-memory.dmp  Filesize 4KB