Analysis
- max time kernel: 125s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 07:47
Static task: static1
Behavioral task: behavioral1
- Sample: COPY OF N-N.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: COPY OF N-N.exe
- Resource: win10v20210410
General
- Target: COPY OF N-N.exe
- Size: 725KB
- MD5: e835f5a976ab1d8dd4e4e10813dd2a67
- SHA1: 68d789fcc36fdd8eb5cbb5b58c55cb1d48174c24
- SHA256: c1269286a5b767fbd0b90c97cc06279b08ed094069932c8d17acc4c3144a218b
- SHA512: 269eac258dd1b830f165b253be7cd533f6a99266fcec1e0c4367eb84098cea0c66bd1b40b0788e57de97e2c387240948d2145abb83230bce1b719360831d080b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.medamanagement.com
- Port: 587
- Username: info@medamanagement.com
- Password: 20@radihX21@Meda
Agent Tesla's SMTP mode sends the stolen data as e-mail through this account (port 587 is the mail submission port), so the host and the authenticating account are the network indicators to block and to report to the mail provider.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; its original builds were written in Visual Basic .NET. This sample runs under the 32-bit CLR (see the CLR_v4.0_32 usage log and the SysWOW64 schtasks.exe below).
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3872-127-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/3872-128-0x000000000043761E-mapping.dmp | family_agenttesla
behavioral2/memory/3872-134-0x00000000052F0000-0x00000000057EE000-memory.dmp | family_agenttesla
behavioral2/memory/3872-139-0x00000000052F0000-0x00000000057EE000-memory.dmp | family_agenttesla
All four hits are in PID 3872, the child that the parent (PID 3904) wrote into and redirected with SetThreadContext (see below); nothing in the parent's own memory matched, which is consistent with the parent acting only as the loader.
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Drops file in Drivers directory 1 IoCs
Processes:
process | description | ioc
COPY OF N-N.exe | File opened for modification | C:\Windows\system32\drivers\etc\hosts
The signature name is generic: the file touched is the system hosts file, not a driver. A modified hosts file can redirect or sinkhole name resolution for chosen domains, so its contents should be reviewed on any host where this sample ran.
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
process | description | ioc
COPY OF N-N.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
COPY OF N-N.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store user data (account settings and saved credentials) on disk, which infostealers commonly target.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process | description | ioc
COPY OF N-N.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"
The value is written under the user's own hive (HKCU\...\Run) and points into AppData\Roaming, so persistence needs no elevation; the value name and the directory name are the same randomised string, kprUEGC.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
process | description | ioc
COPY OF N-N.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
COPY OF N-N.exe | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Suspicious use of SetThreadContext 1 IoCs
Processes:
process | description | pid | target pid | target process
COPY OF N-N.exe | set thread context | 3904 | 3872 | COPY OF N-N.exe
Together with the WriteProcessMemory calls into the same child (below) this is the process-hollowing pattern: the parent launches a copy of itself, writes the decrypted payload into it and moves the thread's entry point with SetThreadContext. The mapping dump recorded for PID 3872 at 0x43761E lies inside the 0x400000-0x43C000 region that YARA flags as Agent Tesla.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text associates this with ransomware, but this sample is an infostealer; here the drive enumeration fits the sandbox-detection checks listed above (Disk\Enum).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is "Updates\YBHvzdfGpm", created from the XML definition dropped as C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp (hashes under Downloads), giving the sample a second persistence mechanism alongside the Run key.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process | count
3904 | COPY OF N-N.exe | 3
3872 | COPY OF N-N.exe | 2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
process | description | pid
COPY OF N-N.exe | Token: SeDebugPrivilege | 3904
COPY OF N-N.exe | Token: SeDebugPrivilege | 3872
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3872 | COPY OF N-N.exe
SetWindowsHookEx is the API behind user-mode keyboard hooks, consistent with Agent Tesla's keylogging; note that it is called only by the injected child.
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
pid | process | target pid | target process | writes
3904 | COPY OF N-N.exe | 2332 | schtasks.exe | 3
3904 | COPY OF N-N.exe | 3928 | COPY OF N-N.exe | 3
3904 | COPY OF N-N.exe | 3872 | COPY OF N-N.exe | 8
A few writes into a freshly created child are typically the creating process setting up the child's startup parameters; the eight writes into PID 3872, the same PID that receives SetThreadContext, are the injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe (PID 3904, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2332, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBHvzdfGpm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe (PID 3928 by elimination from the WriteProcessMemory table, depth 2)
    Command line: "{path}"
    (no signatures recorded for this instance)
  - C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe (PID 3872, depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Two things in this tree are worth hunting on. First, the command line of both child copies is the literal string "{path}": a process whose command line is exactly that, spawned by a parent with the same image, is the hollowed host for the payload, and it is a cheap, high-signal process-creation indicator. Second, schtasks.exe was requested by its System32 path but ran from SysWOW64; that is file-system redirection for a 32-bit parent and confirms the sample is a 32-bit process. Of the two "{path}" children only PID 3872 shows further activity in the signature tables; the earlier one (PID 3928) received three writes and nothing else.
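As an added detection example (not part of the sandbox report and not code from the sandbox vendor), the checks below turn the behaviour chain in this tree into rules and run them over Sysmon-style events. The events are constructed here from the report's process tree, Run key and hosts-file entries plus one made-up benign schtasks control; the field names (id, pid, ppid, image, parent_image, cmdline, target, details) are this example's flattening of Sysmon's Event ID 1, 13 and 11 fields, not a real log capture.

```python
"""Rules for the Agent Tesla loader chain: self-spawn with a literal "{path}"
command line, schtasks /Create from an XML in %TEMP%, a Run key pointing into
AppData\Roaming, and a write to the hosts file. Events are constructed."""
import ntpath
import re

# Constructed events modelled on the report (not a real Sysmon capture).
EVENTS = [
    {"id": 1, "pid": 2332, "ppid": 3904,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBHvzdfGpm" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp"'},
    {"id": 1, "pid": 3872, "ppid": 3904,
     "image": r"C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe",
     "cmdline": '"{path}"'},
    {"id": 13, "pid": 3872,
     "image": r"C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe",
     "target": r"HKU\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC",
     "details": r"C:\Users\Admin\AppData\Roaming\kprUEGC\kprUEGC.exe"},
    {"id": 11, "pid": 3872,
     "image": r"C:\Users\Admin\AppData\Local\Temp\COPY OF N-N.exe",
     "target": r"C:\Windows\system32\drivers\etc\hosts"},
    # Made-up benign control: an admin shell importing a task XML from Program Files.
    {"id": 1, "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\task.xml"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts$", re.I)


def rule_self_spawn_placeholder_cmdline(ev):
    # Same image as the parent and a command line that is literally "{path}":
    # the child exists only to be hollowed (SetThreadContext + WriteProcessMemory).
    return (ev["id"] == 1
            and ev["image"].lower() == ev["parent_image"].lower()
            and ev["cmdline"].strip().strip('"') == "{path}")


def rule_schtasks_xml_from_temp(ev):
    # schtasks /Create importing a task definition that lives in the user's Temp dir.
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    m = re.search(r'/XML\s+"([^"]+)"', cmd, re.I) or re.search(r"/XML\s+(\S+)", cmd, re.I)
    return "/create" in cmd.lower() and bool(m) and TEMP_RE.search(m.group(1)) is not None


def rule_run_key_into_roaming(ev):
    # HKCU Run value whose data points into AppData\Roaming (user-writable, no elevation).
    return (ev["id"] == 13
            and RUN_KEY_RE.search(ev["target"]) is not None
            and ROAMING_RE.search(ev["details"]) is not None)


def rule_hosts_file_written(ev):
    return ev["id"] == 11 and HOSTS_RE.search(ev["target"]) is not None


RULES = {
    "self_spawn_placeholder_cmdline": rule_self_spawn_placeholder_cmdline,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "run_key_into_roaming": rule_run_key_into_roaming,
    "hosts_file_written": rule_hosts_file_written,
}


def run_rules(events):
    """Return {rule_name: [pid, ...]} for every event a rule matched."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["pid"])
    return hits


def correlate(events):
    """Group rule hits by process-tree root so the chain outranks any single rule.
    Roots are found by walking ppid links from the process-creation events."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["id"] == 1}

    def root(pid):
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    chains = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                chains.setdefault(root(ev["pid"]), set()).add(name)
    return chains


if __name__ == "__main__":
    for root_pid, names in correlate(EVENTS).items():
        print(f"tree rooted at PID {root_pid}: {len(names)} rules -> {sorted(names)}")
```

The individual rules are deliberately narrow so each stays cheap on a busy host; the value is in `correlate`, which attributes the registry and file events of the injected child back to the loader's tree via the ppid chain, so the four distinct rule hits land on PID 3904 while the benign schtasks import in the control event produces nothing.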
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COPY OF N-N.exe.log
  MD5: 12557ab909651a6f99d3503d614d3562
  SHA1: b86745768059a514bea3a438e1e96086af463246
  SHA256: 9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd
  SHA512: 10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521
- C:\Users\Admin\AppData\Local\Temp\tmp9B4B.tmp
  MD5: 1f10cd1e2d3263374c42d10a9a57f064
  SHA1: fd4786ae917fc60910a0d95fb98da3204152ead7
  SHA256: 73917f96e566f51844eb74a29a6ffed5e6686e38f37c373f16158d127ddb3de5
  SHA512: c123cee666c407cb465e9d5869644518d35e920773b2256b4e058b8bb67d7974d77feee705c834d96a5cbf0d3508b4004223df6614c7d6a6cd6d8ef2be42f25b
The UsageLogs file is written by the .NET Framework 4 runtime for a 32-bit .NET application on first run, so it confirms the runtime rather than being malware output; tmp9B4B.tmp is the scheduled-task XML that schtasks.exe imported (see the process tree).

Memory dumps (name format: memory/PID-sequence-start[-end]-kind.dmp; mapping dumps record a single address)
- memory/2332-125-0x0000000000000000-mapping.dmp
- memory/3872-127-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/3872-128-0x000000000043761E-mapping.dmp
- memory/3872-134-0x00000000052F0000-0x00000000057EE000-memory.dmp: 5.0MB
- memory/3872-135-0x0000000005430000-0x0000000005431000-memory.dmp: 4KB
- memory/3872-139-0x00000000052F0000-0x00000000057EE000-memory.dmp: 5.0MB
- memory/3904-114-0x0000000000AB0000-0x0000000000AB1000-memory.dmp: 4KB
- memory/3904-116-0x0000000007CE0000-0x0000000007CE1000-memory.dmp: 4KB
- memory/3904-117-0x0000000007880000-0x0000000007881000-memory.dmp: 4KB
- memory/3904-118-0x00000000079F0000-0x00000000079F1000-memory.dmp: 4KB
- memory/3904-119-0x00000000077E0000-0x0000000007CDE000-memory.dmp: 5.0MB
- memory/3904-120-0x0000000009880000-0x0000000009881000-memory.dmp: 4KB
- memory/3904-121-0x0000000004DD0000-0x0000000004DDE000-memory.dmp: 56KB
- memory/3904-122-0x00000000057A0000-0x0000000005832000-memory.dmp: 584KB
- memory/3904-123-0x0000000005E10000-0x0000000005E68000-memory.dmp: 352KB
- memory/3904-124-0x0000000005EF0000-0x0000000005EF1000-memory.dmp: 4KB
For unpacking, the dump to pull is 3872-127: a 240KB region at the default PE image base 0x400000 in the hollowed child, flagged by YARA, with the SetThreadContext target 0x43761E inside it. The 0x4FE000-byte (5.0MB) region in the parent at 0x77E0000 is the same size as the flagged 0x52F0000 region in the child, which suggests the parent holds the same blob before injection, though the report does not dump-compare them.
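As an added example (not part of the sandbox report and not the vendor's code), the parser below reads the dump names listed above, recomputes each region's size from its address range, checks the result against the size the report prints, and cross-references the YARA hits to pick the dump worth unpacking. The dump names, sizes and hit list are copied from this page; the choice of 0x400000 as the "classic image base" and the rounding used to reproduce the report's size strings are this example's assumptions.

```python
"""Parse Triage-style memory dump names and cross-check them with YARA hits.
Input below is copied from the report on this page."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Dump name -> size string the report prints (None for mapping dumps, which hold
# a single address rather than a range).
REPORTED = {
    "memory/2332-125-0x0000000000000000-mapping.dmp": None,
    "memory/3872-139-0x00000000052F0000-0x00000000057EE000-memory.dmp": "5.0MB",
    "memory/3872-135-0x0000000005430000-0x0000000005431000-memory.dmp": "4KB",
    "memory/3872-134-0x00000000052F0000-0x00000000057EE000-memory.dmp": "5.0MB",
    "memory/3872-128-0x000000000043761E-mapping.dmp": None,
    "memory/3872-127-0x0000000000400000-0x000000000043C000-memory.dmp": "240KB",
    "memory/3904-119-0x00000000077E0000-0x0000000007CDE000-memory.dmp": "5.0MB",
    "memory/3904-124-0x0000000005EF0000-0x0000000005EF1000-memory.dmp": "4KB",
    "memory/3904-123-0x0000000005E10000-0x0000000005E68000-memory.dmp": "352KB",
    "memory/3904-122-0x00000000057A0000-0x0000000005832000-memory.dmp": "584KB",
    "memory/3904-121-0x0000000004DD0000-0x0000000004DDE000-memory.dmp": "56KB",
    "memory/3904-120-0x0000000009880000-0x0000000009881000-memory.dmp": "4KB",
    "memory/3904-114-0x0000000000AB0000-0x0000000000AB1000-memory.dmp": "4KB",
    "memory/3904-118-0x00000000079F0000-0x00000000079F1000-memory.dmp": "4KB",
    "memory/3904-117-0x0000000007880000-0x0000000007881000-memory.dmp": "4KB",
    "memory/3904-116-0x0000000007CE0000-0x0000000007CE1000-memory.dmp": "4KB",
}

# The four family_agenttesla hits from the Signatures section.
YARA_HITS = {
    "behavioral2/memory/3872-127-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral2/memory/3872-128-0x000000000043761E-mapping.dmp",
    "behavioral2/memory/3872-134-0x00000000052F0000-0x00000000057EE000-memory.dmp",
    "behavioral2/memory/3872-139-0x00000000052F0000-0x00000000057EE000-memory.dmp",
}

IMAGE_BASE = 0x400000  # assumption: the usual 32-bit PE image base


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range, kind and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "kind": m["kind"],
            "size": (end - start) if end is not None else 0}


def human_size(n):
    # Reproduces the report's formatting: whole KB below 1 MiB, else one-decimal MB.
    return f"{n // 1024}KB" if n < (1 << 20) else f"{n / (1 << 20):.1f}MB"


def check_reported_sizes(reported=REPORTED):
    """Return (name, reported, computed) for every region whose printed size disagrees."""
    mismatches = []
    for name, shown in reported.items():
        d = parse_dump(name)
        if d["kind"] == "memory" and human_size(d["size"]) != shown:
            mismatches.append((name, shown, human_size(d["size"])))
    return mismatches


def summarize(reported=REPORTED, hits=YARA_HITS, task="behavioral2"):
    """Tie the YARA hits back to concrete regions and choose an unpacking candidate."""
    dumps = [parse_dump(n) for n in reported]
    flagged = [d for d in dumps if d["kind"] == "memory" and f"{task}/{d['name']}" in hits]
    mappings = [d for d in dumps if d["kind"] == "mapping" and f"{task}/{d['name']}" in hits]
    # A flagged mapping address inside a flagged region of the same PID is the code
    # the injected thread was pointed at (SetThreadContext target).
    entry_hits = [(m["start"], r["name"]) for m in mappings for r in flagged
                  if m["pid"] == r["pid"] and r["start"] <= m["start"] < r["end"]]
    # Best candidate to unpack: the smallest flagged region sitting at the image base.
    at_base = [r for r in flagged if r["start"] == IMAGE_BASE]
    best = min(at_base, key=lambda r: r["size"]) if at_base else None
    return {"flagged_pids": sorted({d["pid"] for d in flagged + mappings}),
            "flagged": [(r["name"], human_size(r["size"])) for r in flagged],
            "entry_hits": entry_hits,
            "unpack_candidate": best["name"] if best else None}


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes())
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run against this report the size check comes back empty, every hit resolves to PID 3872, the single flagged mapping address falls inside the 0x400000-0x43C000 region, and that region is returned as the unpacking candidate; on a report where the mapping address falls outside every flagged region, `entry_hits` is empty and the candidate should be treated as unconfirmed.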