Analysis

  • max time kernel
    110s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-01-2021 09:20

General

  • Target

    Enq No 34 22-01-2021.exe

  • Size

    15KB

  • MD5

    8fd66b905336c204a24de3e7273fb835

  • SHA1

    b8a9c7b99ccffbc8b1905d58fb27efe5b1f7bd4d

  • SHA256

    69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f

  • SHA512

    5a1814d8826f561331f512dc6211b4cfaed5d6b0b51ac9cc92b15c1b058e321a1f119c6f99eca61cc70b3cbff0b1eb651ebac60fe83592180ca37f2c6d0af007

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    noor.akbari@petrolnas.icu
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic .NET; the credential block above is its exfiltration mailbox, not a C2 server.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
  • Windows security bypass 2 TTPs
  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

Attempts to interact with connected storage/optical drive(s). The sandbox tags this heuristic as likely ransomware behaviour; in this sample it is consistent with the drive enumeration used for sandbox detection (see "Maps connected drives based on registry" above) rather than with file encryption.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
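
The signatures above flag three persistence locations (Winlogon, Run keys, Startup folder) and tampering with Defender cloud reporting. The script below is an added triage example, not part of the sandbox report, that checks each of those locations on a live Windows host. The stock Winlogon values and the user-writable path pattern it compares against are assumptions stated in the comments; the registry paths themselves are the standard ones.

```powershell
# Added triage script (not from the sandbox report). Checks the persistence and
# Defender-tampering locations flagged by the signatures on a live host.
# Run in an elevated PowerShell session. Values marked ASSUMPTION are reference
# defaults, not taken from the report.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon helper persistence (T1004): Userinit and Shell should point only
#    to the stock binaries. ASSUMPTION: stock defaults below.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($actual -and $actual.TrimEnd(',') -ne $expected[$name].TrimEnd(',')) {
        $findings.Add("Winlogon\$name modified: '$actual'")
    }
}
# A per-user Winlogon\Shell value is also honoured, so check HKCU as well.
$wlUser = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wlUser.Shell) { $findings.Add("Per-user Winlogon\Shell set: '$($wlUser.Shell)'") }

# 2. Run keys (T1060): flag entries whose target lives in a user-writable
#    location such as %TEMP% or %APPDATA%. ASSUMPTION: the pattern below.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = '(?i)\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ($p.Value -match $userWritable) {
            $findings.Add("Run key $key\$($p.Name) -> $($p.Value)")
        }
    }
}

# 3. Startup folder drops: list executables and scripts in every user's Startup folder.
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'
Get-ChildItem -Path $startupGlob -Include *.exe,*.dll,*.vbs,*.js,*.bat,*.ps1,*.lnk -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Startup item: $($_.FullName) ($($_.Length) bytes)") }

# 4. Defender cloud (SpyNet/MAPS) reporting and sample submission. Policy values
#    override product values, so both hives are checked; Get-MpPreference shows
#    the effective setting.
$spynetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
)
foreach ($key in $spynetKeys) {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $v) { continue }
    if ($v.SpynetReporting -eq 0)      { $findings.Add("$key\SpynetReporting = 0 (cloud reporting off)") }
    if ($v.SubmitSamplesConsent -eq 2) { $findings.Add("$key\SubmitSamplesConsent = 2 (never send samples)") }
}
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.MAPSReporting -eq 0)       { $findings.Add('Effective MAPSReporting = 0') }
if ($mp -and $mp.DisableRealtimeMonitoring) { $findings.Add('Real-time monitoring disabled') }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Registry writes under HKLM (Winlogon, the Spynet keys, HKLM Run) need local admin, so on a workstation where the user is not an administrator only the HKCU Run key and the Startup folder drop would succeed; the sandbox ran the sample as Admin, which is why every branch fired here.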

Processes

  • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
    depth 1
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
      depth 2
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
      depth 2
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enq No 34 22-01-2021.exe" -Force
      depth 2
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe" -Force
      depth 2
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3748
    • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
      "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
      depth 2
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
      "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
      depth 2
      PID:1928
    • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
      "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
      depth 2
      PID:4168
    • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
      "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
      depth 2
      PID:3580
    • C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe
      "C:\Users\Admin\AppData\Local\Temp\Enq No 34 22-01-2021.exe"
      depth 2
      PID:1740
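
The process tree shows the sample launching powershell.exe four times to add Defender path exclusions for both copies of itself: the original in %TEMP% and the copy dropped into the Startup folder. The image path is the SysWOW64 PowerShell even though the command line names System32, because the parent is a 32-bit process and WOW64 redirects the path (consistent with the CLR_v4.0_32 usage log listed under Downloads). The script below is an added example for auditing a host for this technique; it is not part of the report. The user-writable path pattern and the read-only default are design choices of this example.

```powershell
# Added example (not from the sandbox report). Finds Windows Defender path
# exclusions that point into user-writable locations, shows the configuration-
# change events that introduced them, and optionally removes them.
# Save as a .ps1 and run elevated; without -Remove the script only reports.
param([switch]$Remove)

# Locations an unprivileged user can write to. An exclusion here lets a payload
# dropped by the user's own session run unscanned, which is what the
# Add-MpPreference -ExclusionPath calls in the process tree achieve.
# ASSUMPTION: this pattern; extend it for your own environment.
$userWritable = '(?i)^[A-Z]:\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'

$prefs = Get-MpPreference
$suspicious = @($prefs.ExclusionPath | Where-Object { $_ -and $_ -match $userWritable })

if (-not $suspicious) {
    'No exclusions under user-writable paths.'
} else {
    foreach ($path in $suspicious) {
        # An exclusion whose target no longer exists is still worth removing:
        # the attacker can re-drop into the excluded path later.
        $exists = Test-Path -LiteralPath $path
        "Suspicious exclusion: $path (target exists: $exists)"
    }
}

# Event 5007 in the Defender operational log records every configuration
# change with old and new values; exclusion additions appear as writes under
# ...\Exclusions\Paths. This gives the time the exclusion was created, which
# can be lined up with process-creation telemetry for the powershell.exe run.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    if ($e.Message -match 'Exclusions\\Paths') {
        '{0}  {1}' -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
    }
}

if ($Remove -and $suspicious) {
    # Remove-MpPreference takes the exact exclusion strings, so only the flagged
    # entries are removed and legitimate exclusions stay in place.
    Remove-MpPreference -ExclusionPath $suspicious
    "Removed $($suspicious.Count) exclusion(s)."
}
```

Add-MpPreference requires local administrator rights, so this step only succeeds because the sandbox runs the sample as Admin; on a least-privilege workstation the four PowerShell children would fail and Defender would still scan the Startup copy. The -Force switch in the captured command lines suppresses the confirmation prompt and nothing else.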

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Winlogon Helper DLL, T1004 (1 signature)
    Registry Run Keys / Startup Folder, T1060 (1 signature)
  • Defense Evasion
    Modify Registry, T1112 (5 signatures)
    Disabling Security Tools, T1089 (3 signatures)
    Virtualization/Sandbox Evasion, T1497 (2 signatures)
  • Credential Access
    Credentials in Files, T1081 (3 signatures)
  • Discovery
    Query Registry, T1012 (4 signatures)
    Virtualization/Sandbox Evasion, T1497 (2 signatures)
    System Information Discovery, T1082 (3 signatures)
    Peripheral Device Discovery, T1120 (1 signature)
  • Collection
    Data from Local System, T1005 (3 signatures)
  • Command and Control
    Web Service, T1102 (1 signature)

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5    1c19c16e21c97ed42d5beabc93391fc5
    SHA1   8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
    SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
    SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    148436ccb097c95fa6a7cd85cc8ffa5b
    SHA1   9d2374681c90345b456e153169479c40f99528f2
    SHA256 bc6da336cce4d6f16672cf4320d44ebadd63c7ea72ea32b8eab38290bdd64699
    SHA512 319a9284570c7fa922565767f9e6d767c0e6950a33f6904ee73419f75f5b20c370e18ab901b361786388c26bcd8b9c88c15a72e31c74daab43cefe70cb2d5a24

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    9359f5a64415ead9d111ce6104d4ece3
    SHA1   70241ca91ce954c823cb535808ab64e34fb200bc
    SHA256 ba20ed8b21ee0b452bfe4d81d199c7153e301a8e00285686ab61264a8d188b75
    SHA512 e69b253cfa1523935205458bb6cf90755877a55427851cb60455ac0bdd664efca490e304291fbcab99ea1314d1b9b730a0e7b83bca633da4fe819aca7263eda6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5    2b85b16465ff6c335cc1166592588b47
    SHA1   292fa1204fd481ca203c01da44a310b155112d5f
    SHA256 c1b0955f126abcc4319c2faf8495c14cb76acaf83be0f0bb93338d33bf4505f5
    SHA512 75290e155dff3c48e9da875379b36d5bd936dbc8a6ab296fa96c6628335505f2acc1a3197c81ffb9507dd52a9554a590e346e855003839647665f788ec6e3195

  Memory dumps (file, size):

  • memory/640-7-0x0000000002C20000-0x0000000002C21000-memory.dmp (4KB)
  • memory/640-2-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/640-9-0x0000000005490000-0x0000000005491000-memory.dmp (4KB)
  • memory/640-10-0x00000000062B0000-0x0000000006315000-memory.dmp (404KB)
  • memory/640-11-0x0000000006530000-0x0000000006531000-memory.dmp (4KB)
  • memory/640-3-0x0000000000970000-0x0000000000971000-memory.dmp (4KB)
  • memory/640-48-0x00000000065B0000-0x00000000065B1000-memory.dmp (4KB)
  • memory/640-8-0x0000000002D30000-0x0000000002D31000-memory.dmp (4KB)
  • memory/640-6-0x0000000005230000-0x0000000005231000-memory.dmp (4KB)
  • memory/640-5-0x0000000005730000-0x0000000005731000-memory.dmp (4KB)
  • memory/1740-52-0x000000000043747E-mapping.dmp
  • memory/1740-58-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/1928-45-0x000000000043747E-mapping.dmp
  • memory/1928-49-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/2204-140-0x0000000009C80000-0x0000000009C81000-memory.dmp (4KB)
  • memory/2204-34-0x0000000004EE2000-0x0000000004EE3000-memory.dmp (4KB)
  • memory/2204-127-0x000000007E9C0000-0x000000007E9C1000-memory.dmp (4KB)
  • memory/2204-12-0x0000000000000000-mapping.dmp
  • memory/2204-78-0x0000000008B50000-0x0000000008B51000-memory.dmp (4KB)
  • memory/2204-74-0x0000000008180000-0x0000000008181000-memory.dmp (4KB)
  • memory/2204-16-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/2204-28-0x0000000004EE0000-0x0000000004EE1000-memory.dmp (4KB)
  • memory/2204-51-0x0000000008220000-0x0000000008221000-memory.dmp (4KB)
  • memory/2204-138-0x0000000004EE3000-0x0000000004EE4000-memory.dmp (4KB)
  • memory/2332-37-0x000000000043747E-mapping.dmp
  • memory/2332-36-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  • memory/2332-40-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/2332-73-0x0000000005760000-0x0000000005761000-memory.dmp (4KB)
  • memory/2332-162-0x0000000005761000-0x0000000005762000-memory.dmp (4KB)
  • memory/2332-130-0x0000000005D00000-0x0000000005D01000-memory.dmp (4KB)
  • memory/2704-120-0x000000007F280000-0x000000007F281000-memory.dmp (4KB)
  • memory/2704-139-0x0000000006AC3000-0x0000000006AC4000-memory.dmp (4KB)
  • memory/2704-13-0x0000000000000000-mapping.dmp
  • memory/2704-17-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/2704-38-0x0000000006F60000-0x0000000006F61000-memory.dmp (4KB)
  • memory/2704-43-0x0000000007730000-0x0000000007731000-memory.dmp (4KB)
  • memory/2704-29-0x0000000006AC0000-0x0000000006AC1000-memory.dmp (4KB)
  • memory/2704-32-0x0000000006AC2000-0x0000000006AC3000-memory.dmp (4KB)
  • memory/2704-122-0x00000000092F0000-0x00000000092F1000-memory.dmp (4KB)
  • memory/2704-117-0x0000000008210000-0x0000000008211000-memory.dmp (4KB)
  • memory/2704-89-0x0000000008F10000-0x0000000008F43000-memory.dmp (204KB)
  • memory/3580-70-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/3580-65-0x000000000043747E-mapping.dmp
  • memory/3748-19-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/3748-31-0x00000000043B0000-0x00000000043B1000-memory.dmp (4KB)
  • memory/3748-125-0x000000007F380000-0x000000007F381000-memory.dmp (4KB)
  • memory/3748-15-0x0000000000000000-mapping.dmp
  • memory/3748-35-0x00000000043B2000-0x00000000043B3000-memory.dmp (4KB)
  • memory/3748-132-0x00000000091D0000-0x00000000091D1000-memory.dmp (4KB)
  • memory/3748-136-0x00000000043B3000-0x00000000043B4000-memory.dmp (4KB)
  • memory/3812-33-0x0000000004B22000-0x0000000004B23000-memory.dmp (4KB)
  • memory/3812-137-0x0000000004B23000-0x0000000004B24000-memory.dmp (4KB)
  • memory/3812-24-0x0000000007580000-0x0000000007581000-memory.dmp (4KB)
  • memory/3812-20-0x0000000004AB0000-0x0000000004AB1000-memory.dmp (4KB)
  • memory/3812-148-0x0000000009800000-0x0000000009801000-memory.dmp (4KB)
  • memory/3812-18-0x0000000073190000-0x000000007387E000-memory.dmp (6MB)
  • memory/3812-129-0x000000007F010000-0x000000007F011000-memory.dmp (4KB)
  • memory/3812-82-0x0000000008600000-0x0000000008601000-memory.dmp (4KB)
  • memory/3812-14-0x0000000000000000-mapping.dmp
  • memory/3812-30-0x0000000004B20000-0x0000000004B21000-memory.dmp (4KB)