Analysis

  • max time kernel
    133s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-01-2021 06:25

General

  • Target

    Order List SYINDAC_pdf.exe

  • Size

    778KB

  • MD5

    8f3822b0efdca3e1e7f4b56ea55de84c

  • SHA1

    9ff92dd22877ae392fc8bd717916fb71198b913a

  • SHA256

    26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70

  • SHA512

    27d7fb388270bbaa7698fa1d8df8016e3170310fc0ec079f1af5a6e8766867019f6cd591ea8a96ed13f13aca123e2390eef503e9e852f6ea22010b79ab7e8e0f

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
      C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
        C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
    MD5

    535dd1329aef11bf4654b3270f026d5b

    SHA1

    9c84de0bde8333f852120ab40710545b3f799300

    SHA256

    b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

    SHA512

    a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

  • C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\kespior.rfy
    MD5

    c3949144bb72c297522c2e6fdcdbea57

    SHA1

    4a371154a20b528fa05c4fa2eef1750c9db5ac72

    SHA256

    06c107c749c694657cb4db1d1435b1900b8a7a6865f749922a0566e281061129

    SHA512

    1cc83e93665080aebb47ae169f6f3c7dfe349fa9f49ce3a0b81ac9c6b77a49656742125e9d4fd201ca94a1a5a7c7f4eb260e451e54e7960518ba2ec17ff855d5

  • C:\Users\Admin\AppData\Local\Temp\owxklbaafv.toy
    MD5

    2f94a5162c3f9ff2d64f3070fc744cf1

    SHA1

    1cea9317442d006b88764988190d43c9204a4e21

    SHA256

    f5a997fa019287568e2eae7bc4712517ee5584c7edf51b5776243d1bbd4d6d3d

    SHA512

    a47a3e13c2144194a77dfe599c064f81b50c2df2bd0b12578f5e6a75b3aebec996d699d1899afc4a3e1edc3151cbb16f6b3625bd912383982c70fa09cab6b9f0

  • memory/2120-8-0x000000000040188B-mapping.dmp
  • memory/2120-11-0x00000000004C0000-0x00000000004C1000-memory.dmp
    Filesize

    4KB

  • memory/2120-10-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

  • memory/2120-12-0x00000000004C1000-0x00000000004C2000-memory.dmp
    Filesize

    4KB

  • memory/2120-14-0x00000000004C7000-0x00000000004C8000-memory.dmp
    Filesize

    4KB

  • memory/2120-13-0x00000000004C2000-0x00000000004C4000-memory.dmp
    Filesize

    8KB

  • memory/2120-15-0x00000000004C8000-0x00000000004C9000-memory.dmp
    Filesize

    4KB

  • memory/2120-16-0x00000000004CD000-0x00000000004CF000-memory.dmp
    Filesize

    8KB

  • memory/3060-7-0x0000000001750000-0x0000000001752000-memory.dmp
    Filesize

    8KB

  • memory/3060-2-0x0000000000000000-mapping.dmp