Analysis
- max time kernel: 147s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 29-01-2021 10:16

Static task: static1

Behavioral task: behavioral1
- Sample: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
- Resource: win10v20201028
General
- Target: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
- Size: 1.2MB
- MD5: eef6884d0bb02a34de95bae6f9a73d96
- SHA1: ca4b15eb51c602c16389947716fee3e143e739ef
- SHA256: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7
- SHA512: 3bbce19ddaa9d7494d9cfcebe20c3e5fbe0aecdb6bc419b01f392291060ba53b4b03020e19e9442c35122744b5df7c48829740ec1d7def9d186d01a51a3e5b30
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.hybridgroupco.com
- Port: 587
- Username: [email protected]
- Password: y.NI13R&oE(,
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2096-14-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral2/memory/2096-15-0x000000000043760E-mapping.dmp: family_agenttesla

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 756 set thread context of 2096: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe -> 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 2096 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, PID 756, 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
- Token: SeDebugPrivilege, PID 2096, 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / process / target process):
- PID 756 wrote to memory of 1452: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe -> schtasks.exe (3 entries)
- PID 756 wrote to memory of 2096: 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe -> 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cGAmxwwzOQQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C14.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads