Analysis
- max time kernel: 128s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-01-2021 11:35

Static task: static1

Behavioral task: behavioral1
- Sample: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Resource: win10v20201028
General
- Target: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Size: 1.1MB
- MD5: 92edc65726762623172b37e177bd09de
- SHA1: 8a75db87fb9a1cfc0c8dc24d42dcba490919c954
- SHA256: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
- SHA512: 2aa1496d3e192d14efece08c9477f3dd4e69a70af84ac9744cbd9559a57f1dbdb6e67c9ad32fb35e3d147833a5eaee0fb84e3368bd50715b4f67e8aeffa63b63
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: vbjmys@yandex.com
- Password: officepost8
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/920-28-0x00000000004617EE-mapping.dmp                       family_agenttesla
    behavioral2/memory/920-32-0x0000000000700000-0x0000000000766000-memory.dmp     family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    4084   sshhhaaa.exe
    920    RegAsm.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                                                                                                                process
    Key created        \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run                                          reg.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\pls = "C:\\Program Files (x86)\\sshhhaaa.exe"    reg.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WNRUXJ = "C:\\Users\\Admin\\AppData\\Roaming\\WNRUXJ\\WNRUXJ.exe"    RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid    process        target process
    PID 4084 set thread context of 920     4084   sshhhaaa.exe   RegAsm.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description                     ioc                                    process
    File created                    C:\Program Files (x86)\sshhhaaa.exe    ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
    File opened for modification    C:\Program Files (x86)\sshhhaaa.exe    ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
    pid    process
    3888   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe   (15 identical entries)
    4084   sshhhaaa.exe   (2 identical entries)
    920    RegAsm.exe     (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    3888   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe
    Token: SeDebugPrivilege    4084   sshhhaaa.exe
    Token: SeDebugPrivilege    920    RegAsm.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description                          pid    process                                                                  target process
    PID 3888 wrote to memory of 776      3888   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe   cmd.exe        (3 identical entries)
    PID 776 wrote to memory of 752       776    cmd.exe                                                                  reg.exe        (3 identical entries)
    PID 3888 wrote to memory of 4084     3888   ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe   sshhhaaa.exe   (3 identical entries)
    PID 4084 wrote to memory of 920      4084   sshhhaaa.exe                                                             RegAsm.exe     (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pls" /t REG_SZ /d "C:\Program Files (x86)\sshhhaaa.exe"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pls" /t REG_SZ /d "C:\Program Files (x86)\sshhhaaa.exe"
      - Adds Run key to start application

  - C:\Program Files (x86)\sshhhaaa.exe (level 2)
    Command line: "C:\Program Files (x86)\sshhhaaa.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\sshhhaaa.exe
  MD5: 92edc65726762623172b37e177bd09de
  SHA1: 8a75db87fb9a1cfc0c8dc24d42dcba490919c954
  SHA256: ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
  SHA512: 2aa1496d3e192d14efece08c9477f3dd4e69a70af84ac9744cbd9559a57f1dbdb6e67c9ad32fb35e3d147833a5eaee0fb84e3368bd50715b4f67e8aeffa63b63
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab