Analysis
- max time kernel: 112s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: SOA MARCH 2021.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: SOA MARCH 2021.exe
  Resource: win10v20210408
General
- Target: SOA MARCH 2021.exe
- Size: 724KB
- MD5: 33c12d55fd798df965c7ade79fab99b2
- SHA1: d05278f2b8b9d3d47aaccb8c8a2f26d06e5548c0
- SHA256: c41ed5dd41446e88d3d14ccab8d52c7581c6d09dc6ce14c05866384ac5a1ee37
- SHA512: 7aaca413b132073865762e0f60560b1f2540ae1f920c508d64872d84cfe2598b35327e8ab440fbed2c6c98cdde4421363533d8bc475469cd6f28eff04f521220
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.vivaldi.net
- Port: 587
- Username: Ricardo2021@vivaldi.net
- Password: Qwerty2020Hp##
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/808-66-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/808-67-0x00000000004374CE-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2004 set thread context of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  2004 | SOA MARCH 2021.exe
  2004 | SOA MARCH 2021.exe
  2004 | SOA MARCH 2021.exe
  808 | SOA MARCH 2021.exe
  808 | SOA MARCH 2021.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2004 | SOA MARCH 2021.exe
  Token: SeDebugPrivilege | 808 | SOA MARCH 2021.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 2004 wrote to memory of 772 | 2004 | SOA MARCH 2021.exe | schtasks.exe
  PID 2004 wrote to memory of 772 | 2004 | SOA MARCH 2021.exe | schtasks.exe
  PID 2004 wrote to memory of 772 | 2004 | SOA MARCH 2021.exe | schtasks.exe
  PID 2004 wrote to memory of 772 | 2004 | SOA MARCH 2021.exe | schtasks.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 2004 wrote to memory of 808 | 2004 | SOA MARCH 2021.exe | SOA MARCH 2021.exe
  PID 808 wrote to memory of 1452 | 808 | SOA MARCH 2021.exe | dw20.exe
  PID 808 wrote to memory of 1452 | 808 | SOA MARCH 2021.exe | dw20.exe
  PID 808 wrote to memory of 1452 | 808 | SOA MARCH 2021.exe | dw20.exe
  PID 808 wrote to memory of 1452 | 808 | SOA MARCH 2021.exe | dw20.exe
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uWJTdif" /XML "C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp
  MD5: e40754dafa2b4bd7ba1a6374c3e1f9b3
  SHA1: dcf88c6876b4a45529c5b04a9de4c2f68a45e0a4
  SHA256: 9c6b256ea0e574b267db1c7adcb023e83b3dfedb599b5f7ebb5fb61d44445fb2
  SHA512: bdf1e1d263f1f581d006dd95e728970c987964e3e3e3c5bd5e0a79b514cc4744545eda2535ac1cd9d2c517d79a82f6b385f7c6afdf815ffc8dd257d99a8bb365
- memory/772-64-0x0000000000000000-mapping.dmp
- memory/808-66-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/808-67-0x00000000004374CE-mapping.dmp
- memory/808-69-0x00000000023B0000-0x00000000023B1000-memory.dmp
  Filesize: 4KB
- memory/1452-70-0x0000000000000000-mapping.dmp
- memory/1452-72-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
- memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp
  Filesize: 8KB
- memory/2004-61-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB
- memory/2004-62-0x0000000000231000-0x0000000000232000-memory.dmp
  Filesize: 4KB
- memory/2004-63-0x000000007EF50000-0x000000007EF51000-memory.dmp
  Filesize: 4KB