Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-02-2021 15:14
Static task: static1
Behavioral task: behavioral1
- Sample: 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Resource: win10v20201028
General
- Target: 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Size: 732KB
- MD5: 9a19ab56f524f1aaa8ec1a76f2f32bd6
- SHA1: 1ac24f29be30bc847ce9b0d281fed839da401a1f
- SHA256: 9d58455a3680d9059743a60fb93d4c8c5a90fbc53815172059f323b902db412b
- SHA512: affd7569a5f64225097684929c42ed6d3902b4a46eb078c1fc08a95fc7b2980ce8e49f08a941a1b8ac6956d120a1e776b81a795e742dbffaee6ddb5c53071657
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.risjs.com
- Port: 587
- Username: rongsheng@risjs.com
- Password: rekbcOs0
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/268-10-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/268-11-0x000000000044CFAE-mapping.dmp | family_agenttesla
  behavioral1/memory/268-13-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2008 set thread context of 268 | 2008 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  268 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
  268 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 268 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process | count
  PID 2008 wrote to memory of 1672 | 2008 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe | schtasks.exe | 4 identical entries
  PID 2008 wrote to memory of 268 | 2008 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe | 9 identical entries
  PID 268 wrote to memory of 1188 | 268 | 9a19ab56f524f1aaa8ec1a76f2f32bd6.exe | netsh.exe | 4 identical entries
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a19ab56f524f1aaa8ec1a76f2f32bd6.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WWnAzxgBF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB7E.tmp"
    Signatures:
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\9a19ab56f524f1aaa8ec1a76f2f32bd6.exe
    Command line: "{path}"
    Signatures:
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFB7E.tmp
  MD5: 870c6bc30a78efe9ad849ee74a2faebc
  SHA1: 680fd0c671f99638527086fcb6f62723b61dbf53
  SHA256: 5cb3e4fb9c3d06ceb3858c6b34ad8713cf1dfae98e336c2fb1175ad8a40dbc4e
  SHA512: 23739d0e2d25541e615895728cf01b34aafe31b55a30398ebd46b994366dff964ecb074e6205485543d14fde4a690307efda481f8706232b4b4c2ee6011108ad
- memory/268-12-0x0000000073AF0000-0x00000000741DE000-memory.dmp (Filesize: 6.9MB)
- memory/268-15-0x0000000004DE0000-0x0000000004DE1000-memory.dmp (Filesize: 4KB)
- memory/268-18-0x0000000004DE1000-0x0000000004DE2000-memory.dmp (Filesize: 4KB)
- memory/268-13-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/268-11-0x000000000044CFAE-mapping.dmp
- memory/268-10-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1188-16-0x0000000000000000-mapping.dmp
- memory/1188-17-0x0000000075EA1000-0x0000000075EA3000-memory.dmp (Filesize: 8KB)
- memory/1672-8-0x0000000000000000-mapping.dmp
- memory/2008-3-0x0000000001090000-0x0000000001091000-memory.dmp (Filesize: 4KB)
- memory/2008-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp (Filesize: 6.9MB)
- memory/2008-7-0x0000000005CE0000-0x0000000005D79000-memory.dmp (Filesize: 612KB)
- memory/2008-5-0x0000000000B30000-0x0000000000B31000-memory.dmp (Filesize: 4KB)
- memory/2008-6-0x00000000003A0000-0x00000000003AB000-memory.dmp (Filesize: 44KB)