Analysis

  • max time kernel
    125s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 07:47

General

  • Target

    COPY OF N-N.exe

  • Size

    725KB

  • MD5

    e835f5a976ab1d8dd4e4e10813dd2a67

  • SHA1

    68d789fcc36fdd8eb5cbb5b58c55cb1d48174c24

  • SHA256

    c1269286a5b767fbd0b90c97cc06279b08ed094069932c8d17acc4c3144a218b

  • SHA512

    269eac258dd1b830f165b253be7cd533f6a99266fcec1e0c4367eb84098cea0c66bd1b40b0788e57de97e2c387240948d2145abb83230bce1b719360831d080b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.medamanagement.com
  • Port:
    587
  • Username:
    info@medamanagement.com
  • Password:
    20@radihX21@Meda

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe
    "C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBHvzdfGpm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe
      "{path}"
      2⤵
        PID:3928
      • C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe
        "{path}"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Collection

    Data from Local System

    3
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COPY OF N-N.exe.log
      MD5

      12557ab909651a6f99d3503d614d3562

      SHA1

      b86745768059a514bea3a438e1e96086af463246

      SHA256

      9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd

      SHA512

      10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521

    • C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp
      MD5

      1f10cd1e2d3263374c42d10a9a57f064

      SHA1

      fd4786ae917fc60910a0d95fb98da3204152ead7

      SHA256

      73917f96e566f51844eb74a29a6ffed5e6686e38f37c373f16158d127ddb3de5

      SHA512

      c123cee666c407cb465e9d5869644518d35e920773b2256b4e058b8bb67d7974d77feee705c834d96a5cbf0d3508b4004223df6614c7d6a6cd6d8ef2be42f25b

    • memory/2332-125-0x0000000000000000-mapping.dmp
    • memory/3872-139-0x00000000052F0000-0x00000000057EE000-memory.dmp
      Filesize

      5.0MB

    • memory/3872-135-0x0000000005430000-0x0000000005431000-memory.dmp
      Filesize

      4KB

    • memory/3872-134-0x00000000052F0000-0x00000000057EE000-memory.dmp
      Filesize

      5.0MB

    • memory/3872-128-0x000000000043761E-mapping.dmp
    • memory/3872-127-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

    • memory/3904-119-0x00000000077E0000-0x0000000007CDE000-memory.dmp
      Filesize

      5.0MB

    • memory/3904-124-0x0000000005EF0000-0x0000000005EF1000-memory.dmp
      Filesize

      4KB

    • memory/3904-123-0x0000000005E10000-0x0000000005E68000-memory.dmp
      Filesize

      352KB

    • memory/3904-122-0x00000000057A0000-0x0000000005832000-memory.dmp
      Filesize

      584KB

    • memory/3904-121-0x0000000004DD0000-0x0000000004DDE000-memory.dmp
      Filesize

      56KB

    • memory/3904-120-0x0000000009880000-0x0000000009881000-memory.dmp
      Filesize

      4KB

    • memory/3904-114-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
      Filesize

      4KB

    • memory/3904-118-0x00000000079F0000-0x00000000079F1000-memory.dmp
      Filesize

      4KB

    • memory/3904-117-0x0000000007880000-0x0000000007881000-memory.dmp
      Filesize

      4KB

    • memory/3904-116-0x0000000007CE0000-0x0000000007CE1000-memory.dmp
      Filesize

      4KB