Analysis
- max time kernel: 147s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-04-2021 18:18
Static task: static1
Behavioral task: behavioral1
- Sample: 35742.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 35742.exe
- Resource: win10v20210410
General
- Target: 35742.exe
- Size: 763KB
- MD5: 475f12cc2635e010575a69ea39b22968
- SHA1: 17ac5e0c5e50808d5bb495d63f478687fdd297ab
- SHA256: 51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654
- SHA512: 57be18e887239afd6290715cfd1df6c1afa2e2a6c360c7a7905ddffe13cb669624092b2adb3d2452d95b6c9b5502d2319d03e52bb4c704f291ab81042aa70854
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://45.141.152.18/
- Port: 21
- Username: [email protected]
- Password: wTk4W1Uhkp5u
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
  - resource: behavioral1/memory/860-68-0x0000000000400000-0x000000000043C000-memory.dmp
    yara_rule: family_agenttesla
  - resource: behavioral1/memory/860-69-0x000000000043760E-mapping.dmp
    yara_rule: family_agenttesla
  - resource: behavioral1/memory/860-70-0x0000000000400000-0x000000000043C000-memory.dmp
    yara_rule: family_agenttesla
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 35742.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe"
    process: 35742.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 35742.exe
  - description: PID 1084 set thread context of 860
    pid: 1084
    process: 35742.exe
    target process: 35742.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 35742.exe, 35742.exe
  pid   process
  1084  35742.exe
  1084  35742.exe
  1084  35742.exe
  860   35742.exe
  860   35742.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 35742.exe
  pid   process
  860   35742.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 35742.exe, 35742.exe
  description              pid   process
  Token: SeDebugPrivilege  1084  35742.exe
  Token: SeDebugPrivilege  860   35742.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 35742.exe
  description                      pid   process    target process
  PID 1084 wrote to memory of 728  1084  35742.exe  schtasks.exe    (4 identical entries)
  PID 1084 wrote to memory of 860  1084  35742.exe  35742.exe       (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\35742.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35742.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rveyuOyOEbQqxH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\35742.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\35742.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp
  MD5: d66d905443979123a0cd776c1ebfc4a9
  SHA1: a33e63c2f04e8001fca5f73524e5a2f1b712d1e5
  SHA256: 6d4543861856668d9f94396fdb5aa28332ccd235afa5aa41fadec01e3e70e0b1
  SHA512: 168bad4bca2a8395522d5d2b327065c1baafbbabe162841bfdb8ae78da836b1fb51bd6a62e23fa06bb4a9e8c2e18bdf44e5d961d9285714aea9d2f7b7932672d
- memory/728-66-0x0000000000000000-mapping.dmp
- memory/860-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/860-69-0x000000000043760E-mapping.dmp
- memory/860-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/860-72-0x00000000006E0000-0x00000000006E1000-memory.dmp (Filesize: 4KB)
- memory/1084-60-0x0000000000B90000-0x0000000000B91000-memory.dmp (Filesize: 4KB)
- memory/1084-62-0x0000000004550000-0x0000000004551000-memory.dmp (Filesize: 4KB)
- memory/1084-63-0x0000000000440000-0x0000000000449000-memory.dmp (Filesize: 36KB)
- memory/1084-64-0x0000000005C90000-0x0000000005D14000-memory.dmp (Filesize: 528KB)
- memory/1084-65-0x0000000004590000-0x00000000045D8000-memory.dmp (Filesize: 288KB)