Analysis
- max time kernel: 128s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: ABSA POP.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: ABSA POP.exe
  Resource: win10v20210410
General
- Target: ABSA POP.exe
- Size: 916KB
- MD5: 0266f5352db7db41d66942cb8fea548e
- SHA1: 94facfb7e00854ef5ebb5578f2931f97e1e3afbd
- SHA256: 9719ef0c13fb328372e4037db03bb12d16cc226e2a0a8c15e0622e2d610ff017
- SHA512: 3b21635a1a2c2bcb0190ce9885a2b35a6107686c0c875ead876f235675296d5fde2b9d227eb310722bd5384e52fa0cc961362b64ac168d451a62b7c83a95c716
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.foodurway.com.au
- Port: 587
- Username: admin@foodurway.com.au
- Password: Island@1981$
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 2 IoCs
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/3792-117-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral2/memory/3792-118-0x00000000004379AE-mapping.dmp                    family_agenttesla
- Drops file in Drivers directory 1 IoCs
  Processes: ABSA POP.exe
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: ABSA POP.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: ABSA POP.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"
    process: ABSA POP.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: ABSA POP.exe
    description: PID 3872 set thread context of 3792
    pid: 3872
    process: ABSA POP.exe
    target process: ABSA POP.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes: ABSA POP.exe, ABSA POP.exe
    pid   process
    3872  ABSA POP.exe
    3792  ABSA POP.exe
    3792  ABSA POP.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: ABSA POP.exe, ABSA POP.exe
    description              pid   process
    Token: SeDebugPrivilege  3872  ABSA POP.exe
    Token: SeDebugPrivilege  3792  ABSA POP.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: ABSA POP.exe
    pid   process
    3792  ABSA POP.exe
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes: ABSA POP.exe
    description                       pid   process       target process
    PID 3872 wrote to memory of 3580  3872  ABSA POP.exe  schtasks.exe
    PID 3872 wrote to memory of 3580  3872  ABSA POP.exe  schtasks.exe
    PID 3872 wrote to memory of 3580  3872  ABSA POP.exe  schtasks.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
    PID 3872 wrote to memory of 3792  3872  ABSA POP.exe  ABSA POP.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hehlHeKOkmmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80FD.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ABSA POP.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ABSA POP.exe.log
  MD5: ef140ef600b2463c9e7dbf064a104046
  SHA1: c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
- C:\Users\Admin\AppData\Local\Temp\tmp80FD.tmp
  MD5: 647c4f0cce0ed848f62d2c7c1abcc8b5
  SHA1: ada6cfa9727c5c47b8b32560c8f3c5db75126889
  SHA256: 8b1a517342830245443b6143741d16f103424891dd8215c5e8579d59f15a081a
  SHA512: f7961abc655de3b0b81c4f89300033cfbdd621183ef9d08be2e2ba7a95c998fe9e59efbd49ee2fded11888cdd9eee09a9360f3e74e554a89dfd0fbe9bb741b92
- memory/3580-115-0x0000000000000000-mapping.dmp
- memory/3792-117-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/3792-118-0x00000000004379AE-mapping.dmp
- memory/3792-120-0x0000000002990000-0x0000000002991000-memory.dmp
  Filesize: 4KB
- memory/3792-121-0x0000000002991000-0x0000000002992000-memory.dmp
  Filesize: 4KB
- memory/3792-122-0x0000000002992000-0x0000000002993000-memory.dmp
  Filesize: 4KB
- memory/3872-114-0x0000000003050000-0x0000000003051000-memory.dmp
  Filesize: 4KB