Analysis

max time kernel: 145s
max time network: 20s
platform: windows7_x64
resource: win7v20201028
submitted: 26-01-2021 10:22

Static task: static1

Behavioral task: behavioral1
  Sample: EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General

Target: EPDA Dec 2020 UPDATED_S.O.A Revised.exe

Malware Config (Extracted)

Family: agenttesla
Credentials:
  Protocol: smtp
  Host: mail.shreejilogistix.com
  Port: 587
  Username: [email protected]
  Password: ZHNecv9PfHk2
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
  resource: behavioral1/memory/1268-11-0x0000000000C80000-0x0000000000CCD000-memory.dmp  yara_rule: family_agenttesla
  resource: behavioral1/memory/1268-12-0x0000000000E70000-0x0000000000EBC000-memory.dmp  yara_rule: family_agenttesla

Adds Run key to start application (2 TTPs, 1 IoC)
  process: EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swely = "C:\\Users\\Public\\Libraries\\ylewS.url"

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1616 set thread context of 1268
  pid: 1616  process: EPDA Dec 2020 UPDATED_S.O.A Revised.exe  target process: svchost.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header  flow: 3  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1268  process: svchost.exe
  pid: 1268  process: svchost.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege  pid: 1616  process: EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  description: Token: SeBackupPrivilege   pid: 1616  process: EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  description: Token: SeDebugPrivilege    pid: 1268  process: svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 1616 wrote to memory of 1268 (9 occurrences)
  pid: 1616  process: EPDA Dec 2020 UPDATED_S.O.A Revised.exe  target process: svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\EPDA Dec 2020 UPDATED_S.O.A Revised.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EPDA Dec 2020 UPDATED_S.O.A Revised.exe"
  PID: 1616
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe
      PID: 1268
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Other processes:
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 936
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 932
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 548
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 1896
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 2000
  C:\Windows\System32\svchost.exe  Command line: C:\Windows\System32\svchost.exe -k netsvcs  PID: 1404
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k netsvcs  PID: 1660
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k netsvcs  PID: 948
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k netsvcs  PID: 640
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 2004
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 780
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 1692
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k netsvcs  PID: 648
  C:\Windows\system32\svchost.exe  Command line: C:\Windows\system32\svchost.exe -k LocalService  PID: 1848
Network
MITRE ATT&CK Enterprise v6
Downloads

  memory/1268-9-0x0000000000400000-0x000000000045B000-memory.dmp   Filesize: 364KB
  memory/1268-11-0x0000000000C80000-0x0000000000CCD000-memory.dmp  Filesize: 308KB
  memory/1268-4-0x0000000000400000-0x000000000045B000-memory.dmp   Filesize: 364KB
  memory/1268-5-0x000000000040CD2F-mapping.dmp
  memory/1268-7-0x0000000002330000-0x0000000002341000-memory.dmp   Filesize: 68KB
  memory/1268-8-0x0000000074640000-0x0000000074D2E000-memory.dmp   Filesize: 6.9MB
  memory/1268-16-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
  memory/1268-15-0x0000000004884000-0x0000000004886000-memory.dmp  Filesize: 8KB
  memory/1268-14-0x0000000004883000-0x0000000004884000-memory.dmp  Filesize: 4KB
  memory/1268-12-0x0000000000E70000-0x0000000000EBC000-memory.dmp  Filesize: 304KB
  memory/1268-10-0x0000000004881000-0x0000000004882000-memory.dmp  Filesize: 4KB
  memory/1268-13-0x0000000004882000-0x0000000004883000-memory.dmp  Filesize: 4KB
  memory/1616-2-0x00000000765A1000-0x00000000765A3000-memory.dmp   Filesize: 8KB
  memory/1616-3-0x0000000000250000-0x0000000000251000-memory.dmp   Filesize: 4KB