Analysis
- max time kernel: 144s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-02-2021 19:51
Static task: static1
Behavioral task: behavioral1
- Sample: Messages Alert.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Messages Alert.exe
- Resource: win10v20201028
General
- Target: Messages Alert.exe
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://files.000webhost.com/
- Port: 21
- Username: zinco
- Password: computer147
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3996-14-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/3996-15-0x00000000004375DE-mapping.dmp | family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1036 set thread context of 3996 | 1036 | Messages Alert.exe | Messages Alert.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
1036 | Messages Alert.exe (4 events)
3996 | Messages Alert.exe (2 events)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
3996 | Messages Alert.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1036 | Messages Alert.exe
Token: SeDebugPrivilege | 3996 | Messages Alert.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process
PID 1036 wrote to memory of 1504 | 1036 | Messages Alert.exe | schtasks.exe (3 events)
PID 1036 wrote to memory of 732 | 1036 | Messages Alert.exe | Messages Alert.exe (3 events)
PID 1036 wrote to memory of 744 | 1036 | Messages Alert.exe | Messages Alert.exe (3 events)
PID 1036 wrote to memory of 3996 | 1036 | Messages Alert.exe | Messages Alert.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bEAtZomlY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD68B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
  - C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
  - C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Messages Alert.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Messages Alert.exe.log
  MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
  SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
  SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
  SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
- C:\Users\Admin\AppData\Local\Temp\tmpD68B.tmp
  MD5: 2313f6255ae463759cde9e7f2fc10f8b
  SHA1: 6a95234107646a9e5250a147a0043b11c19123a9
  SHA256: 2fe8dbfabdf424446d567b3a410415e296fb1ef52011bfce46bee52ea9c99c39
  SHA512: 4ebb1ce9c44cc869831ab78eb2814dcc06e66f5636543a538bca48488f9427dd7bcd0a954a7a6f132b1288402e4ccd94d64dc685f928ccd39884de3ac8ba20eb
Memory dumps:
- memory/1036-11-0x0000000006690000-0x00000000066EC000-memory.dmp (Filesize: 368KB)
- memory/1036-3-0x0000000000040000-0x0000000000041000-memory.dmp (Filesize: 4KB)
- memory/1036-7-0x0000000004A30000-0x0000000004A31000-memory.dmp (Filesize: 4KB)
- memory/1036-8-0x0000000004920000-0x0000000004921000-memory.dmp (Filesize: 4KB)
- memory/1036-9-0x0000000004930000-0x0000000004931000-memory.dmp (Filesize: 4KB)
- memory/1036-10-0x0000000004C10000-0x0000000004C13000-memory.dmp (Filesize: 12KB)
- memory/1036-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp (Filesize: 6.9MB)
- memory/1036-6-0x0000000004990000-0x0000000004991000-memory.dmp (Filesize: 4KB)
- memory/1036-5-0x0000000004E90000-0x0000000004E91000-memory.dmp (Filesize: 4KB)
- memory/1504-12-0x0000000000000000-mapping.dmp
- memory/3996-15-0x00000000004375DE-mapping.dmp
- memory/3996-14-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3996-17-0x0000000073EE0000-0x00000000745CE000-memory.dmp (Filesize: 6.9MB)
- memory/3996-22-0x0000000005400000-0x0000000005401000-memory.dmp (Filesize: 4KB)
- memory/3996-23-0x0000000005EC0000-0x0000000005EC1000-memory.dmp (Filesize: 4KB)
- memory/3996-24-0x0000000005F50000-0x0000000005F51000-memory.dmp (Filesize: 4KB)