Analysis
-
max time kernel:  149s
max time network: 112s
platform:         windows10_x64
resource:         win10v20201028
submitted:        25-02-2021 19:31

Static task: static1
Behavioral task: behavioral1
  Sample:   KIS PRODUKT FIRST ORDER .exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample:   KIS PRODUKT FIRST ORDER .exe
  Resource: win10v20201028
(The signatures and artifacts on this page come from behavioral2, the win10v20201028 run.)

General
-
Target: KIS PRODUKT FIRST ORDER .exe
Malware Config
-
Extracted: agenttesla
Protocol:  smtp
Host:      mail.privateemail.com
Port:      587
Username:  [email protected]
Password:  GODBLESSUS123

Port 587 is the SMTP submission port: the stealer logs in to the attacker-controlled mailbox with these credentials and sends harvested data as mail, so the host and account are the network indicators to block and hunt for.
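The configuration above is the one indicator that survives repacking of the sample, so a detection should key on it. The following is an added example, not part of the sandbox report: it matches constructed, simplified network-connection events (a `key=value|key=value` rendering of Sysmon Event ID 3 fields, not real Sysmon output) against the extracted host and port, and separately flags any SMTP-port connection from a process that is not a known mail client. The allowlist of mail clients is an assumption to tune per environment.

```python
"""Flag outbound SMTP traffic that matches the C2 extracted from this sample.

Added example, not part of the sandbox report. The log format below is a
constructed, simplified 'key=value|key=value' rendering of Sysmon Event ID 3
(network connection) fields, not real Sysmon output.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exfiltration endpoint exactly as extracted by the sandbox above.
EXTRACTED_C2_HOST = "mail.privateemail.com"
EXTRACTED_C2_PORT = 587

# SMTP relay/submission ports, and the binaries expected to use them on a
# workstation (assumption: replace with the environment's real mail clients).
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}


@dataclass
class NetEvent:
    image: str
    dest_host: str
    dest_port: int


def parse_event(line: str) -> NetEvent:
    """Parse one constructed 'Image=...|DestinationHostname=...|DestinationPort=...' line."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return NetEvent(fields["Image"], fields["DestinationHostname"], int(fields["DestinationPort"]))


def classify(ev: NetEvent) -> Optional[str]:
    """Return a verdict string, or None if the connection is unremarkable."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.dest_host.lower() == EXTRACTED_C2_HOST and ev.dest_port == EXTRACTED_C2_PORT:
        return "ioc_match"  # exact hit on the extracted config
    if ev.dest_port in SMTP_PORTS and exe not in MAIL_CLIENT_ALLOWLIST:
        return "smtp_from_non_mail_client"  # generic stealer-exfil heuristic
    return None


# Constructed sample events: this report's sample name talking to the extracted
# C2, a legitimate mail client, a suspiciously placed binary, and ordinary HTTPS.
SAMPLE_LOG = """
Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\KIS PRODUKT FIRST ORDER .exe|DestinationHostname=mail.privateemail.com|DestinationPort=587
Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|DestinationHostname=smtp.office365.com|DestinationPort=587
Image=C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe|DestinationHostname=smtp.gmail.com|DestinationPort=465
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationHostname=example.com|DestinationPort=443
"""


def scan(log_text: str) -> List[Tuple[str, int, str]]:
    """Return (exe name, destination port, verdict) for every suspicious event."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.image.rsplit("\\", 1)[-1], ev.dest_port, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The exact-match rule catches this sample; the second rule is what still fires when the next build of the stealer points at a different mailbox.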
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; this sample exfiltrates over SMTP using the account in the extracted configuration above.
-
AgentTesla Payload  2 IoCs
resource                                                                      yara_rule
behavioral2/memory/3628-15-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral2/memory/3628-16-0x000000000043749E-mapping.dmp                     family_agenttesla
-
Suspicious use of SetThreadContext  1 IoCs
description            pid  process                       target pid  target process
set thread context of  984  KIS PRODUKT FIRST ORDER .exe  3628        KIS PRODUKT FIRST ORDER .exe
Together with the eight WriteProcessMemory calls into the same child (below), this is the process-hollowing pattern: the parent starts a copy of itself, overwrites its memory and redirects its thread. The YARA hit on PID 3628's memory shows the injected copy is the AgentTesla payload.
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: the sample is identified as AgentTesla and nothing in this report shows file encryption, so treat it as a weak indicator rather than evidence of ransomware.
-
Creates scheduled task(s)  1 TTPs  1 IoCs
schtasks.exe is commonly used by malware for persistence or to perform post-infection execution. Here the parent registers the task "Updates\FUZTIPBuHg" from an XML file dropped in %TEMP% (see the process tree below).
-
Suspicious behavior: EnumeratesProcesses  5 IoCs
pid   process
984   KIS PRODUKT FIRST ORDER .exe  (3 events)
3628  KIS PRODUKT FIRST ORDER .exe  (2 events)
-
Suspicious use of AdjustPrivilegeToken  2 IoCs
description              pid   process
Token: SeDebugPrivilege  984   KIS PRODUKT FIRST ORDER .exe
Token: SeDebugPrivilege  3628  KIS PRODUKT FIRST ORDER .exe
-
Suspicious use of WriteProcessMemory  14 IoCs
description         pid  process                       target pid  target process                events
wrote to memory of  984  KIS PRODUKT FIRST ORDER .exe  2612        schtasks.exe                  3
wrote to memory of  984  KIS PRODUKT FIRST ORDER .exe  492         KIS PRODUKT FIRST ORDER .exe  3
wrote to memory of  984  KIS PRODUKT FIRST ORDER .exe  3628        KIS PRODUKT FIRST ORDER .exe  8
A few writes into a freshly created child are expected (CreateProcess itself writes the child's process parameters), which is why 2612 and 492 see three each; the eight writes into 3628 plus the SetThreadContext are what single it out.
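The three signature tables above (SetThreadContext, WriteProcessMemory and the process list) only become meaningful when read together. As an added example, not part of the sandbox report, the script below takes the PIDs, image names and event counts from those tables, rebuilds the process tree and labels each parent-to-child edge: a parent that writes into a child spawned from its own image and then changes that child's thread context is a hollowing candidate, while writes alone are the weak signal explained above. The classification rules are this example's own.

```python
"""Rebuild the process tree from the sandbox's injection events and label hollowing.

Added example, not part of the sandbox report. The PIDs, image names and event
counts below are copied from the signature tables; the classification rules are
this example's own.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE = "KIS PRODUKT FIRST ORDER .exe"

# pid -> (image name, parent pid); PID 984 is the root.
PROCESSES: Dict[int, Tuple[str, Optional[int]]] = {
    984: (SAMPLE, None),
    2612: ("schtasks.exe", 984),
    492: (SAMPLE, 984),
    3628: (SAMPLE, 984),
}

# (api, source pid, target pid), one entry per event as counted in the report.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 984, 2612)] * 3
    + [("WriteProcessMemory", 984, 492)] * 3
    + [("WriteProcessMemory", 984, 3628)] * 8
    + [("SetThreadContext", 984, 3628)]
)


def classify_injections(events, processes) -> Dict[Tuple[int, int], str]:
    """Label each (source, target) pair touched by cross-process memory/thread APIs.

    hollowing_candidate: the source writes into a child it spawned from its own image
        and then changes that child's thread context (suspended-process / RunPE pattern).
    thread_context_only: context change without writes; rare but still notable.
    write_only: writes but no thread context change. CreateProcess itself writes the
        new child's process parameters, so a handful of writes alone is a weak signal.
    """
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    ctx = Counter((s, t) for api, s, t in events if api == "SetThreadContext")
    verdicts: Dict[Tuple[int, int], str] = {}
    for pair in set(writes) | set(ctx):
        src, dst = pair
        same_image = processes[src][0] == processes[dst][0]
        child_of_src = processes[dst][1] == src
        if ctx[pair] and writes[pair] and same_image and child_of_src:
            verdicts[pair] = "hollowing_candidate"
        elif ctx[pair]:
            verdicts[pair] = "thread_context_only"
        else:
            verdicts[pair] = "write_only"
    return verdicts


def render_tree(processes, verdicts) -> List[str]:
    """Indented tree, one line per process, annotated with the verdict on its parent edge."""
    children = defaultdict(list)
    for pid, (_, ppid) in processes.items():
        children[ppid].append(pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        image, ppid = processes[pid]
        note = verdicts.get((ppid, pid), "")
        lines.append(f"{'  ' * depth}{pid} {image}" + (f"  [{note}]" if note else ""))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(children[None]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, classify_injections(EVENTS, PROCESSES))))
```

Run against the report's numbers, PID 3628 is the only hollowing candidate; PID 492, the other same-image child, receives only the three creation-time writes and the report records no further activity for it.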
Processes
-
C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe  (PID 984, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2612, level 2)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FUZTIPBuHg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75A9.tmp"
  |     - Creates scheduled task(s)
  |     (the command line names System32 but the image ran from SysWOW64: the parent is a 32-bit process and WoW64 file-system redirection resolved the path)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe  (PID 492, level 2)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe"
  |     (no signatures recorded for this copy)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe  (PID 3628, level 2)
        command line: "C:\Users\Admin\AppData\Local\Temp\KIS PRODUKT FIRST ORDER .exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        (hollowed copy: target of the parent's WriteProcessMemory and SetThreadContext; its memory matched the AgentTesla YARA rule)
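The persistence step is the schtasks invocation in the tree above. As an added example, not part of the sandbox report, the script below extracts the task name and XML path from that command line and then summarises what a task XML of this kind registers. The report gives only the hashes of tmp75A9.tmp, not its contents, so the XML embedded here is a constructed Task Scheduler document and the executable it launches (FUZTIPBuHg.exe under the user's Roaming profile) is hypothetical; the schema namespace is the real one every task XML declares.

```python
"""Extract the task name and XML path from the schtasks command line above and
summarise the registration a task XML of that kind performs.

Added example, not part of the sandbox report. CMDLINE is copied from the process
tree. TASK_XML is a constructed stand-in for tmp75A9.tmp, whose contents the
report does not show; the command it launches is hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Task Scheduler schema namespace (real; every task XML declares it).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

CMDLINE = ('"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\FUZTIPBuHg" '
           '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp75A9.tmp"')

# Constructed, hypothetical contents for tmp75A9.tmp.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\FUZTIPBuHg.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Locations an unprivileged user can write to; a persisted binary living here is
# a stronger signal than the existence of the task itself.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_schtasks_cmdline(cmdline: str) -> Dict[str, str]:
    """Pull /TN and /XML values (quoted or bare) out of a schtasks /Create command line."""
    out: Dict[str, str] = {}
    for flag in ("TN", "XML"):
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.IGNORECASE)
        if m:
            out[flag] = m.group(1) if m.group(1) is not None else m.group(2)
    return out


def summarize_task(xml_text: str) -> Dict[str, object]:
    """Reduce a task XML to the fields that matter for triage."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [el.tag.split("}")[-1] for el in triggers_el]
    return {
        "triggers": triggers,
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
    }


def suspicious_indicators(task_name: str, summary: Dict[str, object]) -> List[str]:
    """Cheap, explainable reasons a registered task deserves a look."""
    reasons: List[str] = []
    if any(p in str(summary["command"]).lower() for p in USER_WRITABLE):
        reasons.append("command_in_user_writable_path")
    if summary["hidden"]:
        reasons.append("hidden_task")
    if "LogonTrigger" in summary["triggers"]:
        reasons.append("runs_at_logon")
    if "\\" in task_name and not task_name.lower().startswith("microsoft\\"):
        reasons.append("custom_task_folder")
    return reasons


if __name__ == "__main__":
    args = parse_schtasks_cmdline(CMDLINE)
    summary = summarize_task(TASK_XML)
    print(args)
    print(summary)
    print(suspicious_indicators(args["TN"], summary))
```

On a live host the same `summarize_task` can be pointed at the task's stored definition under C:\Windows\System32\Tasks\Updates\FUZTIPBuHg, which is where the registered copy of the XML ends up after schtasks /Create succeeds.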
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp75A9.tmp  (scheduled-task XML passed to schtasks.exe)
MD5     d1b52fb0a5049ef71a27ee64197bc08c
SHA1    e1084daa9b4e14ca263de3bae8ba50bf65d66b79
SHA256  9648926c34d22f82d803d3cc838d4d8b0756601a70507352adb8ccb72083fe79
SHA512  efdd72b12c5d430330cf80586da05468f5d8b44710e27325909a16c5b17e6b4900ee53fbe412514d54f7b6e5e905d6ccd853af7d25423181554a1ffc1938d331
-
Memory dumps (file name encodes PID, sequence number and address range)            Filesize
memory/984-2-0x0000000073800000-0x0000000073EEE000-memory.dmp                      6.9MB   (same bounds as 3628-17: a module mapped identically in parent and child)
memory/984-3-0x0000000000560000-0x0000000000561000-memory.dmp                      4KB
memory/984-5-0x0000000004E50000-0x0000000004E51000-memory.dmp                      4KB
memory/984-6-0x0000000005400000-0x0000000005401000-memory.dmp                      4KB
memory/984-7-0x0000000004F00000-0x0000000004F01000-memory.dmp                      4KB
memory/984-8-0x0000000004DE0000-0x0000000004DE1000-memory.dmp                      4KB
memory/984-9-0x00000000050C0000-0x00000000050C1000-memory.dmp                      4KB
memory/984-10-0x0000000005120000-0x0000000005121000-memory.dmp                     4KB
memory/984-11-0x0000000005280000-0x0000000005283000-memory.dmp                     12KB
memory/984-12-0x0000000006B70000-0x0000000006BCC000-memory.dmp                     368KB
memory/2612-13-0x0000000000000000-mapping.dmp                                      (mapping record, no size)
memory/3628-15-0x0000000000400000-0x000000000043C000-memory.dmp                    240KB   (AgentTesla YARA match; starts at 0x400000, the default 32-bit image base)
memory/3628-16-0x000000000043749E-mapping.dmp                                      (AgentTesla YARA match; address lies inside the 3628-15 region)
memory/3628-17-0x0000000073800000-0x0000000073EEE000-memory.dmp                    6.9MB
memory/3628-22-0x0000000004DC0000-0x0000000004DC1000-memory.dmp                    4KB
memory/3628-23-0x0000000004F30000-0x0000000004F31000-memory.dmp                    4KB
memory/3628-24-0x0000000005A60000-0x0000000005A61000-memory.dmp                    4KB
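With seventeen dump files the question is which one to open first. As an added example, not part of the sandbox report, the script below parses the dump names listed above (copied verbatim), groups them by PID, reproduces the report's size rounding, finds the dumped region that contains each mapping address and expresses that address as an offset from the region's start, and lists regions with identical bounds in more than one process. The naming convention it assumes, `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` for a region and `memory/<pid>-<seq>-0x<address>-mapping.dmp` for a mapping record, is inferred from the names on this page.

```python
"""Triage the memory dumps listed above: group by PID, compute region sizes and
locate each mapping address inside a dumped region.

Added example, not part of the sandbox report. DUMP_NAMES is copied from the
Downloads list; the naming convention is inferred from those names.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_NAMES = [
    "memory/984-11-0x0000000005280000-0x0000000005283000-memory.dmp",
    "memory/984-8-0x0000000004DE0000-0x0000000004DE1000-memory.dmp",
    "memory/984-12-0x0000000006B70000-0x0000000006BCC000-memory.dmp",
    "memory/984-7-0x0000000004F00000-0x0000000004F01000-memory.dmp",
    "memory/984-2-0x0000000073800000-0x0000000073EEE000-memory.dmp",
    "memory/984-9-0x00000000050C0000-0x00000000050C1000-memory.dmp",
    "memory/984-10-0x0000000005120000-0x0000000005121000-memory.dmp",
    "memory/984-3-0x0000000000560000-0x0000000000561000-memory.dmp",
    "memory/984-6-0x0000000005400000-0x0000000005401000-memory.dmp",
    "memory/984-5-0x0000000004E50000-0x0000000004E51000-memory.dmp",
    "memory/2612-13-0x0000000000000000-mapping.dmp",
    "memory/3628-15-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/3628-16-0x000000000043749E-mapping.dmp",
    "memory/3628-17-0x0000000073800000-0x0000000073EEE000-memory.dmp",
    "memory/3628-22-0x0000000004DC0000-0x0000000004DC1000-memory.dmp",
    "memory/3628-23-0x0000000004F30000-0x0000000004F31000-memory.dmp",
    "memory/3628-24-0x0000000005A60000-0x0000000005A61000-memory.dmp",
]

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")
IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE


def parse_dump(name: str) -> dict:
    """Turn one dump file name into a record; raise on anything unexpected."""
    m = REGION_RE.fullmatch(name)
    if m:
        return {"kind": "region", "pid": int(m[1]), "seq": int(m[2]),
                "start": int(m[3], 16), "end": int(m[4], 16)}
    m = MAPPING_RE.fullmatch(name)
    if m:
        return {"kind": "mapping", "pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def human_size(n: int) -> str:
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def by_pid(names: List[str]) -> Dict[int, List[dict]]:
    groups: Dict[int, List[dict]] = defaultdict(list)
    for rec in map(parse_dump, names):
        groups[rec["pid"]].append(rec)
    return dict(groups)


def locate_mappings(groups: Dict[int, List[dict]]) -> List[dict]:
    """For each mapping record, find the same-PID region containing its address and give
    the address as an offset from the region start. A mapping at 0x0 (PID 2612 above)
    falls in no region and is skipped."""
    hits = []
    for pid, recs in groups.items():
        regions = [r for r in recs if r["kind"] == "region"]
        for m in (r for r in recs if r["kind"] == "mapping"):
            for r in regions:
                if r["start"] <= m["addr"] < r["end"]:
                    hits.append({"pid": pid, "addr": m["addr"], "base": r["start"],
                                 "size": r["end"] - r["start"], "rva": m["addr"] - r["start"],
                                 "at_image_base": r["start"] == IMAGE_BASE_32})
    return hits


def shared_regions(groups: Dict[int, List[dict]]) -> List[Tuple[int, int]]:
    """Regions with identical bounds in more than one PID: a module mapped at the same
    address in parent and child, so not sample-specific and low priority to examine."""
    seen: Dict[Tuple[int, int], set] = defaultdict(set)
    for pid, recs in groups.items():
        for r in recs:
            if r["kind"] == "region":
                seen[(r["start"], r["end"])].add(pid)
    return sorted(k for k, pids in seen.items() if len(pids) > 1)


if __name__ == "__main__":
    groups = by_pid(DUMP_NAMES)
    for pid, recs in groups.items():
        for r in sorted(recs, key=lambda x: x["seq"]):
            if r["kind"] == "region":
                print(f"{pid:5d} {r['seq']:3d} 0x{r['start']:08X}-0x{r['end']:08X} {human_size(r['end'] - r['start'])}")
            else:
                print(f"{pid:5d} {r['seq']:3d} mapping 0x{r['addr']:08X}")
    for h in locate_mappings(groups):
        print(f"PID {h['pid']}: 0x{h['addr']:X} = base 0x{h['base']:X} + 0x{h['rva']:X} "
              f"({human_size(h['size'])}, default 32-bit image base: {h['at_image_base']})")
    print("shared:", [(hex(a), hex(b)) for a, b in shared_regions(groups)])
```

For this report the result is one hit: PID 3628's mapping address 0x43749E sits 0x3749E into the 240KB region at 0x400000, the region the YARA rule matched, so that is the dump to carve a PE from; the 6.9MB region at 0x73800000 appears with identical bounds in both PIDs and can be set aside.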