Analysis
- Max time kernel: 65s
- Max time network: 64s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 11-05-2021 13:48
Static task: static1
Behavioral task: behavioral1
  Sample: ABSA POP.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: ABSA POP.exe
  Resource: win10v20210410
General
- Target: ABSA POP.exe
- Size: 916KB
- MD5: 0266f5352db7db41d66942cb8fea548e
- SHA1: 94facfb7e00854ef5ebb5578f2931f97e1e3afbd
- SHA256: 9719ef0c13fb328372e4037db03bb12d16cc226e2a0a8c15e0622e2d610ff017
- SHA512: 3b21635a1a2c2bcb0190ce9885a2b35a6107686c0c875ead876f235675296d5fde2b9d227eb310722bd5384e52fa0cc961362b64ac168d451a62b7c83a95c716
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.foodurway.com.au
- Port: 587
- Username: [email protected]
- Password: Island@1981$
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1796-64-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1796-65-0x00000000004379AE-mapping.dmp                     family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process       target process
  PID 1616 set thread context of 1796   1616  ABSA POP.exe  ABSA POP.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1616  ABSA POP.exe
  1796  ABSA POP.exe
  1796  ABSA POP.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1616  ABSA POP.exe
  Token: SeDebugPrivilege   1796  ABSA POP.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description                        pid   process       target process
  PID 1616 wrote to memory of 1652   1616  ABSA POP.exe  schtasks.exe
  PID 1616 wrote to memory of 1652   1616  ABSA POP.exe  schtasks.exe
  PID 1616 wrote to memory of 1652   1616  ABSA POP.exe  schtasks.exe
  PID 1616 wrote to memory of 1652   1616  ABSA POP.exe  schtasks.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1616 wrote to memory of 1796   1616  ABSA POP.exe  ABSA POP.exe
  PID 1796 wrote to memory of 1116   1796  ABSA POP.exe  dw20.exe
  PID 1796 wrote to memory of 1116   1796  ABSA POP.exe  dw20.exe
  PID 1796 wrote to memory of 1116   1796  ABSA POP.exe  dw20.exe
  PID 1796 wrote to memory of 1116   1796  ABSA POP.exe  dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hehlHeKOkmmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF23.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAF23.tmp
  MD5: b21b27c86fef0edb9d3e0a5f5319c552
  SHA1: f46f8b21721246a0f87dcdd2dcccd908925178eb
  SHA256: 4e474f33466c54444e4ad2a83d393b09ff7ff2ad2511346c1511c77cc431d180
  SHA512: 9c64b0caeda775b0afaa786ce5c9bdd033921c0c3d6ac71a367541f912435fa0d7e93d953ec13436ee09c8708aa9fd347ba3643cd416d49fef3cbd8014473748
- memory/1116-68-0x0000000000000000-mapping.dmp
- memory/1116-70-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
- memory/1616-59-0x0000000075631000-0x0000000075633000-memory.dmp
  Filesize: 8KB
- memory/1616-60-0x00000000000F0000-0x00000000000F1000-memory.dmp
  Filesize: 4KB
- memory/1616-61-0x00000000000F1000-0x00000000000F2000-memory.dmp
  Filesize: 4KB
- memory/1652-62-0x0000000000000000-mapping.dmp
- memory/1796-64-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1796-65-0x00000000004379AE-mapping.dmp
- memory/1796-67-0x00000000022F0000-0x00000000022F1000-memory.dmp
  Filesize: 4KB