Analysis
-
max time kernel
130s -
max time network
131s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-04-2021 07:05
Static task
static1
Behavioral task
behavioral1
Sample
Q88_Bulk Carrier.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Q88_Bulk Carrier.exe
Resource
win10v20201028
General
-
Target
Q88_Bulk Carrier.exe
-
Size
525KB
-
MD5
2fe4b829f1cfa6c3183a1e0391309eb0
-
SHA1
14c56282c5a43cd9b33f5f90eaaf6953526e9b75
-
SHA256
3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915
-
SHA512
2dc7fe45124b72e65a5f89aea0a54e8f630b061635c5375c3a504b93d0136a51ac8e42906eb0806930a1445629d63cb0e33c14b53cc17b95c4cb6cf5ae9f4920
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.hyshippingcn.com - Port:
587 - Username:
plogs112@hyshippingcn.com - Password:
e*u@qkS4
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4584-20-0x000000000043763E-mapping.dmp family_agenttesla behavioral2/memory/4584-19-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Nirsoft 5 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe Nirsoft -
Executes dropped EXE 4 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepid process 3176 AdvancedRun.exe 4192 AdvancedRun.exe 3288 AdvancedRun.exe 3372 AdvancedRun.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 api.ipify.org 17 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Q88_Bulk Carrier.exedescription pid process target process PID 4764 set thread context of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeQ88_Bulk Carrier.exeQ88_Bulk Carrier.exepid process 3176 AdvancedRun.exe 3176 AdvancedRun.exe 3176 AdvancedRun.exe 3176 AdvancedRun.exe 4192 AdvancedRun.exe 4192 AdvancedRun.exe 4192 AdvancedRun.exe 4192 AdvancedRun.exe 3288 AdvancedRun.exe 3288 AdvancedRun.exe 3288 AdvancedRun.exe 3288 AdvancedRun.exe 3372 AdvancedRun.exe 3372 AdvancedRun.exe 3372 AdvancedRun.exe 3372 AdvancedRun.exe 4764 Q88_Bulk Carrier.exe 4764 Q88_Bulk Carrier.exe 4584 Q88_Bulk Carrier.exe 4584 Q88_Bulk Carrier.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeQ88_Bulk Carrier.exeQ88_Bulk Carrier.exedescription pid process Token: SeDebugPrivilege 3176 AdvancedRun.exe Token: SeImpersonatePrivilege 3176 AdvancedRun.exe Token: SeDebugPrivilege 4192 AdvancedRun.exe Token: SeImpersonatePrivilege 4192 AdvancedRun.exe Token: SeDebugPrivilege 3288 AdvancedRun.exe Token: SeImpersonatePrivilege 3288 AdvancedRun.exe Token: SeDebugPrivilege 3372 AdvancedRun.exe Token: SeImpersonatePrivilege 3372 AdvancedRun.exe Token: SeDebugPrivilege 4764 Q88_Bulk Carrier.exe Token: SeDebugPrivilege 4584 Q88_Bulk Carrier.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Q88_Bulk Carrier.exeAdvancedRun.exeAdvancedRun.exedescription pid process target process PID 4764 wrote to memory of 3176 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 4764 wrote to memory of 3176 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 4764 wrote to memory of 3176 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 3176 wrote to memory of 4192 3176 AdvancedRun.exe AdvancedRun.exe PID 3176 wrote to memory of 4192 3176 AdvancedRun.exe AdvancedRun.exe PID 3176 wrote to memory of 4192 3176 AdvancedRun.exe AdvancedRun.exe PID 4764 wrote to memory of 3288 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 4764 wrote to memory of 3288 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 4764 wrote to memory of 3288 4764 Q88_Bulk Carrier.exe AdvancedRun.exe PID 3288 wrote to memory of 3372 3288 AdvancedRun.exe AdvancedRun.exe PID 3288 wrote to memory of 3372 3288 AdvancedRun.exe AdvancedRun.exe PID 3288 wrote to memory of 3372 3288 AdvancedRun.exe AdvancedRun.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe PID 4764 wrote to memory of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 31763⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 32883⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q88_Bulk Carrier.exe.logMD5
4f9330dcb7e8730af9341cfdf0d8030f
SHA167daaf17560b15fe1d861139bce85a3ff6dbed23
SHA2561c25f424605d0e3ccf1ec077c36b3d2c89aa628521d10df851c2ff7689ad4617
SHA512e3becfad18409be0797d172e8b1364775726f9d33d8f125c87656a829b0c0c86fcec433db4446371e68530c0d7cb594fdcf28bb75e1f5d4fba64fe38329d9a40
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/3176-9-0x0000000000000000-mapping.dmp
-
memory/3288-15-0x0000000000000000-mapping.dmp
-
memory/3372-17-0x0000000000000000-mapping.dmp
-
memory/4192-13-0x0000000000000000-mapping.dmp
-
memory/4584-22-0x0000000073370000-0x0000000073A5E000-memory.dmpFilesize
6.9MB
-
memory/4584-32-0x0000000005781000-0x0000000005782000-memory.dmpFilesize
4KB
-
memory/4584-31-0x0000000001520000-0x0000000001521000-memory.dmpFilesize
4KB
-
memory/4584-30-0x0000000006F90000-0x0000000006F91000-memory.dmpFilesize
4KB
-
memory/4584-28-0x0000000005D60000-0x0000000005D61000-memory.dmpFilesize
4KB
-
memory/4584-27-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/4584-20-0x000000000043763E-mapping.dmp
-
memory/4584-19-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4584-26-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4764-7-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/4764-3-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/4764-5-0x0000000002CA0000-0x0000000002CA2000-memory.dmpFilesize
8KB
-
memory/4764-6-0x00000000053D0000-0x0000000005423000-memory.dmpFilesize
332KB
-
memory/4764-2-0x0000000073370000-0x0000000073A5E000-memory.dmpFilesize
6.9MB
-
memory/4764-8-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/4764-11-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB