Analysis

  • max time kernel
    103s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 08:08

General

  • Target

    b9a31ec9cf6084d9ea4543ae5454f6c0.exe

  • Size

    35KB

  • MD5

    b9a31ec9cf6084d9ea4543ae5454f6c0

  • SHA1

    1b8fe311794d5ee7c85930d57e8ee521653342e0

  • SHA256

    9bdd28e639ad1bd0bd8cab6e287279db86d951b1a488786c3435f7a5f39ac383

  • SHA512

    91e0e5ee915b8217a84a85c860f0be6f145cac6188b0de7874d698952b7a1f7fb16cde22cb59a1a2fef5af131f81408ae28161c7ed900f1d75885f9bdb1c138f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    binatonezx.cf
  • Port:
    587
  • Username:
    arinzelogs@binatonezx.cf
  • Password:
    7213575aceACE@#$

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • AgentTesla Payload 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe
    "C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1312
    • C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe
      "C:\Users\Admin\AppData\Local\Temp\b9a31ec9cf6084d9ea4543ae5454f6c0.exe"
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Privilege Escalation
    Bypass User Account Control: 1 (T1088)
  • Defense Evasion
    Bypass User Account Control: 1 (T1088)
    Disabling Security Tools: 3 (T1089)
    Modify Registry: 5 (T1112)
    Install Root Certificate: 1 (T1130)
  • Credential Access
    Credentials in Files: 3 (T1081)
  • Discovery
    System Information Discovery: 2 (T1082)
  • Collection
    Data from Local System: 3 (T1005)

Downloads

  • memory/268-87-0x00000000060C0000-0x00000000060C1000-memory.dmp (Filesize 4KB)
  • memory/268-88-0x0000000006120000-0x0000000006121000-memory.dmp (Filesize 4KB)
  • memory/268-74-0x00000000025E0000-0x00000000025E1000-memory.dmp (Filesize 4KB)
  • memory/268-111-0x0000000006310000-0x0000000006311000-memory.dmp (Filesize 4KB)
  • memory/268-75-0x0000000001DF0000-0x0000000002A3A000-memory.dmp (Filesize 12.3MB)
  • memory/268-110-0x0000000006300000-0x0000000006301000-memory.dmp (Filesize 4KB)
  • memory/268-96-0x00000000061E0000-0x00000000061E1000-memory.dmp (Filesize 4KB)
  • memory/268-95-0x0000000006240000-0x0000000006241000-memory.dmp (Filesize 4KB)
  • memory/268-69-0x00000000047A0000-0x00000000047A1000-memory.dmp (Filesize 4KB)
  • memory/268-86-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize 4KB)
  • memory/268-81-0x0000000006080000-0x0000000006081000-memory.dmp (Filesize 4KB)
  • memory/268-78-0x0000000005240000-0x0000000005241000-memory.dmp (Filesize 4KB)
  • memory/268-68-0x0000000002130000-0x0000000002131000-memory.dmp (Filesize 4KB)
  • memory/268-64-0x0000000000000000-mapping.dmp
  • memory/528-72-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
  • memory/528-71-0x000000000043765E-mapping.dmp
  • memory/528-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
  • memory/528-77-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize 4KB)
  • memory/528-112-0x0000000004BF1000-0x0000000004BF2000-memory.dmp (Filesize 4KB)
  • memory/1312-67-0x0000000000000000-mapping.dmp
  • memory/1520-66-0x0000000000000000-mapping.dmp
  • memory/1680-62-0x0000000004D60000-0x0000000004D61000-memory.dmp (Filesize 4KB)
  • memory/1680-59-0x0000000000C40000-0x0000000000C41000-memory.dmp (Filesize 4KB)
  • memory/1680-61-0x00000000756A1000-0x00000000756A3000-memory.dmp (Filesize 8KB)
  • memory/1680-63-0x0000000005A40000-0x0000000005AED000-memory.dmp (Filesize 692KB)