Analysis
- max time kernel: 147s
- max time network: 83s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-02-2021 19:31
Static task: static1
Behavioral task: behavioral1
- Sample: KIS PRODUKT FIRST ORDER .exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: KIS PRODUKT FIRST ORDER .exe
- Resource: win10v20201028
General
- Target: KIS PRODUKT FIRST ORDER .exe
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: GODBLESSUS123
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
Matched resources (resource / yara_rule):
- behavioral1/memory/1608-11-0x000000000043749E-mapping.dmp / family_agenttesla
- behavioral1/memory/1608-10-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- behavioral1/memory/1608-13-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla

Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
- PID 892 set thread context of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid / process):
- 892 / KIS PRODUKT FIRST ORDER .exe
- 1608 / KIS PRODUKT FIRST ORDER .exe
- 1608 / KIS PRODUKT FIRST ORDER .exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 892 / KIS PRODUKT FIRST ORDER .exe
- Token: SeDebugPrivilege / 1608 / KIS PRODUKT FIRST ORDER .exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description / pid / process / target process):
- PID 892 wrote to memory of 268 / 892 / KIS PRODUKT FIRST ORDER .exe / schtasks.exe
- PID 892 wrote to memory of 268 / 892 / KIS PRODUKT FIRST ORDER .exe / schtasks.exe
- PID 892 wrote to memory of 268 / 892 / KIS PRODUKT FIRST ORDER .exe / schtasks.exe
- PID 892 wrote to memory of 268 / 892 / KIS PRODUKT FIRST ORDER .exe / schtasks.exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
- PID 892 wrote to memory of 1608 / 892 / KIS PRODUKT FIRST ORDER .exe / KIS PRODUKT FIRST ORDER .exe
Processes
- C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe (depth 1, PID 892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 268)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FUZTIPBuHg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51D8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe (depth 2, PID 1608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp51D8.tmp
  MD5: 368e143f4576ed21b14efb5680578791
  SHA1: a648b00100a9bec62abffa0d8eb4babbea70ba49
  SHA256: 9e8f27a2269a1d5dbd59e955548933c817e8f35ab1e22e3e3edf5d4e29401454
  SHA512: 6cfffa20f36a35d41b09105c9707346e9f436704038581fc29cec99a27440d3f0a53c795a6df72823575b87d2ed054712bfa040eb751d5dca441844063d9c485
- memory/268-8-0x0000000000000000-mapping.dmp
- memory/892-2-0x0000000074520000-0x0000000074C0E000-memory.dmp (Filesize: 6.9MB)
- memory/892-3-0x0000000000A10000-0x0000000000A11000-memory.dmp (Filesize: 4KB)
- memory/892-5-0x0000000002100000-0x0000000002101000-memory.dmp (Filesize: 4KB)
- memory/892-6-0x0000000000480000-0x0000000000483000-memory.dmp (Filesize: 12KB)
- memory/892-7-0x0000000004340000-0x000000000439C000-memory.dmp (Filesize: 368KB)
- memory/1608-11-0x000000000043749E-mapping.dmp
- memory/1608-10-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1608-12-0x0000000074520000-0x0000000074C0E000-memory.dmp (Filesize: 6.9MB)
- memory/1608-13-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1608-15-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize: 4KB)