Analysis
- max time kernel: 104s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-01-2021 09:01
Static task: static1
Behavioral task: behavioral1
- Sample: 3a3270aced9ac5f099542a5318d62e5f.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 3a3270aced9ac5f099542a5318d62e5f.exe
- Resource: win10v20201028
General
- Target: 3a3270aced9ac5f099542a5318d62e5f.exe
- Size: 936KB
- MD5: 3a3270aced9ac5f099542a5318d62e5f
- SHA1: 77e5ac9bb4f0d95dc40dc2824c8f50f7ddf44ebc
- SHA256: 9a8ffb097e2d4a4788ed1455d23a73e91a8a7b1ae4b9b1152e63fc1f7730ed89
- SHA512: 47df0b24b4ee57b4e474dc6cd8c0501988289a4131a42c718346c98dddfd063f088f7c12ec52c4bc08eca73b76d8104f46eaff8619cead24157bf90dbd51bee1
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.godforeu.com
- Port: 587
- Username: [email protected]
- Password: O8k#Pz4sk:w_
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/656-11-0x00000000004374CE-mapping.dmp: family_agenttesla
- behavioral1/memory/656-10-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/656-13-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1752 set thread context of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 656; 3a3270aced9ac5f099542a5318d62e5f.exe
- 656; 3a3270aced9ac5f099542a5318d62e5f.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege; 656; 3a3270aced9ac5f099542a5318d62e5f.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description, pid, process, target process):
- PID 1752 wrote to memory of 1572; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; schtasks.exe
- PID 1752 wrote to memory of 1572; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; schtasks.exe
- PID 1752 wrote to memory of 1572; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; schtasks.exe
- PID 1752 wrote to memory of 1572; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; schtasks.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
- PID 1752 wrote to memory of 656; 1752; 3a3270aced9ac5f099542a5318d62e5f.exe; 3a3270aced9ac5f099542a5318d62e5f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OZaawewgVnTHTz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp
  - MD5: abe56ecd00a13f5537aeffc32847f02f
  - SHA1: 3fafdf503fceef662ac9dfd132c4b709b17cec40
  - SHA256: aee2461db5229794abcd20ae34d085c5fa66c80596c4d7fbbe19701aa578ade8
  - SHA512: 43c66fb4b23716002664491a007646039db7ec85d6b6096d0317c708656d04e0fe4b3257ffe322318e7744212400adf65dd5fc415e2eb40f3ba5d05ccd8a15da
- memory/656-11-0x00000000004374CE-mapping.dmp
- memory/656-10-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/656-12-0x00000000741E0000-0x00000000748CE000-memory.dmp (Filesize: 6.9MB)
- memory/656-13-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/656-15-0x0000000000670000-0x0000000000671000-memory.dmp (Filesize: 4KB)
- memory/1572-8-0x0000000000000000-mapping.dmp
- memory/1752-2-0x00000000741E0000-0x00000000748CE000-memory.dmp (Filesize: 6.9MB)
- memory/1752-3-0x0000000000C30000-0x0000000000C31000-memory.dmp (Filesize: 4KB)
- memory/1752-5-0x0000000004180000-0x0000000004181000-memory.dmp (Filesize: 4KB)
- memory/1752-6-0x0000000000AB0000-0x0000000000AB3000-memory.dmp (Filesize: 12KB)
- memory/1752-7-0x0000000004D70000-0x0000000004DD8000-memory.dmp (Filesize: 416KB)