Analysis
- Max time kernel: 109s
- Max time network: 118s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 26-01-2021 11:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
- Resource: win7v20201028
General
- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
- Size: 2.0MB
- MD5: 3c68883aec0f8998e92336eb1e4a5dfc
- SHA1: 55f2c9c5622104af60bbdfdb50614d3add1cf83d
- SHA256: 83ed44db03acc4abfb655a211c01e03c56bab2a016e603de64aeeb0bca8a77ca
- SHA512: 530e1c300677f8a8dade7dbc1b15abef0974a935255c5739f720f000c2b1931cf0f7eaf7837d4630a920d2e674023abc699f8ccf325c0de4e7ce1846bfe78806
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.owlpk.com
- Port: 587
- Username: [email protected]
- Password: 786owlacc?
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Turns off Windows Defender SpyNet reporting (2 TTPs)
-
AgentTesla Payload (2 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/1172-46-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral2/memory/1172-47-0x000000000043779E-mapping.dmp: family_agenttesla
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (all entries by process SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Suspicious use of SetThreadContext (2 IoCs)
Processes (description; pid process; target process):
- PID 3116 set thread context of 2272; 3116 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe; SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
- PID 2272 set thread context of 1172; 2272 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe; SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid process):
- 2716 powershell.exe (3 occurrences)
- 1172 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description; pid process):
- Token: SeDebugPrivilege; 2272 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
- Token: SeDebugPrivilege; 2716 powershell.exe
- Token: SeDebugPrivilege; 1172 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid process):
- 1172 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description; pid process; target process):
- PID 3116 wrote to memory of 2272; 3116 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe; SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe (8 occurrences)
- PID 2272 wrote to memory of 2716; 2272 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe; powershell.exe (3 occurrences)
- PID 2272 wrote to memory of 1172; 2272 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe; SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe (8 occurrences)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - (level 3) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe.log
  MD5: 4d710ca9c563bbb76bb29b87d5d64282
  SHA1: 2b1271f68a5d18e1c1bb08800a9cc9464e8a81ad
  SHA256: 6c7ac5cff014a13315b8813524bbd14471f1ab7aac691be94d4d4f28e4cd2de4
  SHA512: 873c9ee04e4f8d23f8cf90ffea89a362e8eda43c0cfc6bb47442f93e0add8794c004081350cfbd7cfaed6d101582287b26a00951d4019dfb466f21514e5d90d6
- memory/1172-62-0x00000000057E1000-0x00000000057E2000-memory.dmp (Filesize: 4KB)
- memory/1172-58-0x0000000005B80000-0x0000000005B81000-memory.dmp (Filesize: 4KB)
- memory/1172-53-0x00000000057E0000-0x00000000057E1000-memory.dmp (Filesize: 4KB)
- memory/1172-48-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
- memory/1172-47-0x000000000043779E-mapping.dmp
- memory/1172-46-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2272-23-0x0000000005710000-0x0000000005711000-memory.dmp (Filesize: 4KB)
- memory/2272-10-0x0000000010000000-0x000000001004E000-memory.dmp (Filesize: 312KB)
- memory/2272-11-0x0000000010049EFE-mapping.dmp
- memory/2272-13-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
- memory/2716-27-0x0000000007420000-0x0000000007421000-memory.dmp (Filesize: 4KB)
- memory/2716-34-0x00000000089A0000-0x00000000089D3000-memory.dmp (Filesize: 204KB)
- memory/2716-20-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
- memory/2716-22-0x0000000006B40000-0x0000000006B41000-memory.dmp (Filesize: 4KB)
- memory/2716-21-0x0000000004100000-0x0000000004101000-memory.dmp (Filesize: 4KB)
- memory/2716-56-0x0000000008E50000-0x0000000008E51000-memory.dmp (Filesize: 4KB)
- memory/2716-24-0x0000000004160000-0x0000000004161000-memory.dmp (Filesize: 4KB)
- memory/2716-25-0x0000000004162000-0x0000000004163000-memory.dmp (Filesize: 4KB)
- memory/2716-26-0x0000000007280000-0x0000000007281000-memory.dmp (Filesize: 4KB)
- memory/2716-54-0x0000000008E60000-0x0000000008E61000-memory.dmp (Filesize: 4KB)
- memory/2716-28-0x00000000071F0000-0x00000000071F1000-memory.dmp (Filesize: 4KB)
- memory/2716-29-0x0000000007550000-0x0000000007551000-memory.dmp (Filesize: 4KB)
- memory/2716-30-0x0000000007400000-0x0000000007401000-memory.dmp (Filesize: 4KB)
- memory/2716-31-0x0000000007960000-0x0000000007961000-memory.dmp (Filesize: 4KB)
- memory/2716-32-0x0000000007B90000-0x0000000007B91000-memory.dmp (Filesize: 4KB)
- memory/2716-19-0x0000000000000000-mapping.dmp
- memory/2716-41-0x0000000008980000-0x0000000008981000-memory.dmp (Filesize: 4KB)
- memory/2716-42-0x0000000008AF0000-0x0000000008AF1000-memory.dmp (Filesize: 4KB)
- memory/2716-43-0x0000000008EB0000-0x0000000008EB1000-memory.dmp (Filesize: 4KB)
- memory/2716-44-0x000000007F060000-0x000000007F061000-memory.dmp (Filesize: 4KB)
- memory/2716-45-0x0000000004163000-0x0000000004164000-memory.dmp (Filesize: 4KB)
- memory/3116-9-0x0000000005660000-0x0000000005661000-memory.dmp (Filesize: 4KB)
- memory/3116-8-0x0000000007000000-0x0000000007001000-memory.dmp (Filesize: 4KB)
- memory/3116-7-0x0000000005840000-0x0000000005841000-memory.dmp (Filesize: 4KB)
- memory/3116-6-0x00000000056E0000-0x00000000056E1000-memory.dmp (Filesize: 4KB)
- memory/3116-2-0x0000000073840000-0x0000000073F2E000-memory.dmp (Filesize: 6.9MB)
- memory/3116-18-0x0000000005170000-0x0000000005171000-memory.dmp (Filesize: 4KB)
- memory/3116-5-0x0000000005B00000-0x0000000005B01000-memory.dmp (Filesize: 4KB)
- memory/3116-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (Filesize: 4KB)