Analysis
- max time kernel: 133s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-01-2021 06:25

Static task: static1
Behavioral task: behavioral1
  Sample: Order List SYINDAC_pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Order List SYINDAC_pdf.exe
  Resource: win10v20201028
General
- Target: Order List SYINDAC_pdf.exe
- Size: 778KB
- MD5: 8f3822b0efdca3e1e7f4b56ea55de84c
- SHA1: 9ff92dd22877ae392fc8bd717916fb71198b913a
- SHA256: 26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
- SHA512: 27d7fb388270bbaa7698fa1d8df8016e3170310fc0ec079f1af5a6e8766867019f6cd591ea8a96ed13f13aca123e2390eef503e9e852f6ea22010b79ab7e8e0f
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource                                                                    | yara_rule
  behavioral2/memory/2120-10-0x0000000000400000-0x000000000044B000-memory.dmp | family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  3060 | dytvqp.exe
  2120 | bc1162ts.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                         | pid  | process    | target process
  PID 3060 set thread context of 2120 | 3060 | dytvqp.exe | bc1162ts.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  pid  | process
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  3060 | dytvqp.exe
  2120 | bc1162ts.exe
  2120 | bc1162ts.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid  | process
  3060 | dytvqp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 2120 | bc1162ts.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                      | pid  | process                    | target process
  PID 496 wrote to memory of 3060  | 496  | Order List SYINDAC_pdf.exe | dytvqp.exe
  PID 496 wrote to memory of 3060  | 496  | Order List SYINDAC_pdf.exe | dytvqp.exe
  PID 496 wrote to memory of 3060  | 496  | Order List SYINDAC_pdf.exe | dytvqp.exe
  PID 3060 wrote to memory of 2120 | 3060 | dytvqp.exe                 | bc1162ts.exe
  PID 3060 wrote to memory of 2120 | 3060 | dytvqp.exe                 | bc1162ts.exe
  PID 3060 wrote to memory of 2120 | 3060 | dytvqp.exe                 | bc1162ts.exe
  PID 3060 wrote to memory of 2120 | 3060 | dytvqp.exe                 | bc1162ts.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe"
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\dytvqp.exe (tree level 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe (tree level 3)
  Command line: C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
  MD5: 535dd1329aef11bf4654b3270f026d5b
  SHA1: 9c84de0bde8333f852120ab40710545b3f799300
  SHA256: b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955
  SHA512: a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc
- C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\kespior.rfy
  MD5: c3949144bb72c297522c2e6fdcdbea57
  SHA1: 4a371154a20b528fa05c4fa2eef1750c9db5ac72
  SHA256: 06c107c749c694657cb4db1d1435b1900b8a7a6865f749922a0566e281061129
  SHA512: 1cc83e93665080aebb47ae169f6f3c7dfe349fa9f49ce3a0b81ac9c6b77a49656742125e9d4fd201ca94a1a5a7c7f4eb260e451e54e7960518ba2ec17ff855d5
- C:\Users\Admin\AppData\Local\Temp\owxklbaafv.toy
  MD5: 2f94a5162c3f9ff2d64f3070fc744cf1
  SHA1: 1cea9317442d006b88764988190d43c9204a4e21
  SHA256: f5a997fa019287568e2eae7bc4712517ee5584c7edf51b5776243d1bbd4d6d3d
  SHA512: a47a3e13c2144194a77dfe599c064f81b50c2df2bd0b12578f5e6a75b3aebec996d699d1899afc4a3e1edc3151cbb16f6b3625bd912383982c70fa09cab6b9f0
- memory/2120-8-0x000000000040188B-mapping.dmp
- memory/2120-11-0x00000000004C0000-0x00000000004C1000-memory.dmp (Filesize: 4KB)
- memory/2120-10-0x0000000000400000-0x000000000044B000-memory.dmp (Filesize: 300KB)
- memory/2120-12-0x00000000004C1000-0x00000000004C2000-memory.dmp (Filesize: 4KB)
- memory/2120-14-0x00000000004C7000-0x00000000004C8000-memory.dmp (Filesize: 4KB)
- memory/2120-13-0x00000000004C2000-0x00000000004C4000-memory.dmp (Filesize: 8KB)
- memory/2120-15-0x00000000004C8000-0x00000000004C9000-memory.dmp (Filesize: 4KB)
- memory/2120-16-0x00000000004CD000-0x00000000004CF000-memory.dmp (Filesize: 8KB)
- memory/3060-7-0x0000000001750000-0x0000000001752000-memory.dmp (Filesize: 8KB)
- memory/3060-2-0x0000000000000000-mapping.dmp