Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: ecfd2213123a0a0e27c0530e35c7fa2f.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: ecfd2213123a0a0e27c0530e35c7fa2f.exe
  Resource: win10v20210408
General
- Target: ecfd2213123a0a0e27c0530e35c7fa2f.exe
- Size: 804KB
- MD5: ecfd2213123a0a0e27c0530e35c7fa2f
- SHA1: 3dd5d3ff83acecfab13ae1790d5a8b553c88bda2
- SHA256: 89b7ce8de53ccf4aff814e942aa9042022e4644520a09ee1b0b13a429d552ea1
- SHA512: 46b25a93b4db7695e9706f7f213aed9caeee48d4c397bf366b7b31d6f43bdbc2fa785c39f1ad0d543e181984eb0e6516757f90efdc5dc355576eeaaf1ffa5ab9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: sales@julislinq.com
- Password: 27!iaL@!U@L5Ma
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/432-67-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
    behavioral1/memory/432-68-0x00000000004375EE-mapping.dmp / family_agenttesla
    behavioral1/memory/432-69-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1096 set thread context of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    432 / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    432 / ecfd2213123a0a0e27c0530e35c7fa2f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 432 / ecfd2213123a0a0e27c0530e35c7fa2f.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
    PID 1096 wrote to memory of 1688 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / schtasks.exe
    PID 1096 wrote to memory of 1688 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / schtasks.exe
    PID 1096 wrote to memory of 1688 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / schtasks.exe
    PID 1096 wrote to memory of 1688 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / schtasks.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
    PID 1096 wrote to memory of 432 / 1096 / ecfd2213123a0a0e27c0530e35c7fa2f.exe / ecfd2213123a0a0e27c0530e35c7fa2f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ecfd2213123a0a0e27c0530e35c7fa2f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecfd2213123a0a0e27c0530e35c7fa2f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sGRCdRKHCW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ecfd2213123a0a0e27c0530e35c7fa2f.exe (level 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp55E.tmp
  MD5: f5fb2fbeed3c8ec8f2e9c36215f635fd
  SHA1: 4b89b5ce0bd0b633e140f476b5a7d9b9f32115b3
  SHA256: fd4e0be7971d872759a0bf2ac34dbc1a0e4ea5a6f3ca955649dc46f3c7da7bc3
  SHA512: d077deab7ef52b273c55e2d0cdb16458816a48b3c39c11f72376f369b95fe06c8dd0f55338ee818746c7dcdb2650c747399426fb35516b21aefa3cbe1cb1e095
- memory/432-67-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/432-68-0x00000000004375EE-mapping.dmp
- memory/432-69-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/432-71-0x00000000049D0000-0x00000000049D1000-memory.dmp
  Filesize: 4KB
- memory/1096-59-0x0000000001260000-0x0000000001261000-memory.dmp
  Filesize: 4KB
- memory/1096-61-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
  Filesize: 4KB
- memory/1096-62-0x0000000000760000-0x000000000076E000-memory.dmp
  Filesize: 56KB
- memory/1096-63-0x0000000005850000-0x000000000591B000-memory.dmp
  Filesize: 812KB
- memory/1096-64-0x0000000004DF0000-0x0000000004E7C000-memory.dmp
  Filesize: 560KB
- memory/1688-65-0x0000000000000000-mapping.dmp