Analysis
max time kernel: 149s
max time network: 70s
platform: windows10_x64
resource: win10v20201028
submitted: 23-02-2021 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.32289.26241.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.32289.26241.exe
  Resource: win10v20201028
General
Target: SecuriteInfo.com.Win32.32289.26241.exe
Size: 511KB
MD5: c59f71a02c13a01d95bf37c095895748
SHA1: 59c60b6a90cec4676afcc55a1397409e9d54b792
SHA256: 983c358590898925db49d1d6a731b54d37c76760267664be45a7dc00646cff60
SHA512: f3ce51dfaefb5ca303c9facf646581af0ca7e823a0bc1f13bbd927a394ba701a82a5d188726fb6c6471928d1d2469b499654520fb5eadf264f8d0b49cd5059a0
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: jason.samtani@rxcleco.com
Password: @Mexico1.,
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (2 IoCs)
Processes:
resource                                                                    yara_rule
behavioral2/memory/900-15-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
behavioral2/memory/900-16-0x000000000043749E-mapping.dmp                    family_agenttesla

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                         pid   process                                 target process
PID 1036 set thread context of 900  1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid   process
1036  SecuriteInfo.com.Win32.32289.26241.exe
900   SecuriteInfo.com.Win32.32289.26241.exe
900   SecuriteInfo.com.Win32.32289.26241.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1036  SecuriteInfo.com.Win32.32289.26241.exe
Token: SeDebugPrivilege  900   SecuriteInfo.com.Win32.32289.26241.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description                       pid   process                                 target process
PID 1036 wrote to memory of 3448  1036  SecuriteInfo.com.Win32.32289.26241.exe  schtasks.exe
PID 1036 wrote to memory of 3448  1036  SecuriteInfo.com.Win32.32289.26241.exe  schtasks.exe
PID 1036 wrote to memory of 3448  1036  SecuriteInfo.com.Win32.32289.26241.exe  schtasks.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
PID 1036 wrote to memory of 900   1036  SecuriteInfo.com.Win32.32289.26241.exe  SecuriteInfo.com.Win32.32289.26241.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\avJawOiuQtyAB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FCD.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6FCD.tmp
MD5: ae7b6e4ad47fa83a1e5e23a79356178d
SHA1: 884d0e57e221ded189fc611308ebd03942b3ddb6
SHA256: ab3c826dd391006a70afb1bbde4527ad0afb483d3055fc16e922d5afb9305997
SHA512: 01e3ff118c0c16e8d2e5a46c72f240fd5d26f94d1e3e8ed42757a3d20f6418615b1fef7642efe9bfbe5d89ec417824b65e6eabc7291d238e1f5f43a534b1570d

memory/900-24-0x0000000005D20000-0x0000000005D21000-memory.dmp   Filesize: 4KB
memory/900-23-0x00000000051B0000-0x00000000051B1000-memory.dmp   Filesize: 4KB
memory/900-22-0x0000000002B70000-0x0000000002B71000-memory.dmp   Filesize: 4KB
memory/900-17-0x0000000073290000-0x000000007397E000-memory.dmp   Filesize: 6.9MB
memory/900-16-0x000000000043749E-mapping.dmp
memory/900-15-0x0000000000400000-0x000000000043C000-memory.dmp   Filesize: 240KB
memory/1036-7-0x0000000004CB0000-0x0000000004CB1000-memory.dmp   Filesize: 4KB
memory/1036-11-0x0000000004F40000-0x0000000004F43000-memory.dmp  Filesize: 12KB
memory/1036-12-0x0000000006F50000-0x0000000006FAE000-memory.dmp  Filesize: 376KB
memory/1036-10-0x00000000026B0000-0x00000000026B1000-memory.dmp  Filesize: 4KB
memory/1036-9-0x0000000004E70000-0x0000000004E71000-memory.dmp   Filesize: 4KB
memory/1036-8-0x0000000004C20000-0x0000000004C21000-memory.dmp   Filesize: 4KB
memory/1036-2-0x0000000073290000-0x000000007397E000-memory.dmp   Filesize: 6.9MB
memory/1036-6-0x0000000005110000-0x0000000005111000-memory.dmp   Filesize: 4KB
memory/1036-5-0x0000000002800000-0x0000000002801000-memory.dmp   Filesize: 4KB
memory/1036-3-0x00000000002D0000-0x00000000002D1000-memory.dmp   Filesize: 4KB
memory/3448-13-0x0000000000000000-mapping.dmp