Analysis
- max time kernel: 117s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-05-2021 12:55
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT COPY.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: PAYMENT COPY.exe
- Resource: win10v20210408
General
- Target: PAYMENT COPY.exe
- Size: 911KB
- MD5: 497fdb0a1fa8970ac4e81aa66278b6ed
- SHA1: 5bacbe7521f6d6de1a7efc85d92fddf7fd358b21
- SHA256: c70bf2aeaa6b9f644dadc0617debe3ec20671adc1e2ee8c60a8a932bf99e3c63
- SHA512: b52fccf2ff91ae3a4ed7d87ba14ba715a8780e7004e632995949757fc3f414312f12c1c141d5033c3764cfcbd6955644514ff1961813fe5551cace35cdfa66f1
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dadabhoy.edu.pk
- Port: 587
- Username: ghulam.sarwar@dadabhoy.edu.pk
- Password: Dadabhoy.456
These are the credentials of the mailbox the stealer logs into to send out harvested data (its exfiltration channel), not credentials taken from the victim. Block or alert on outbound connections from user workstations to this host on 587, and treat the mailbox account as compromised.
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (VB.NET); it harvests saved credentials, keystrokes and clipboard contents and sends them out over SMTP, FTP or HTTP. This sample uses the SMTP channel listed under Malware Config.
-
AgentTesla Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1096-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1096-66-0x000000000043754E-mapping.dmp | family_agenttesla
Both matches are in PID 1096, the second PAYMENT COPY.exe instance. The 0x400000-0x43C000 region (240KB, listed under Downloads) is the image that PID 1988 wrote into that process, so the on-disk file acts as a loader and the stealer is only present unpacked in memory.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1988 set thread context of 1096 | 1988 | PAYMENT COPY.exe | PAYMENT COPY.exe
The loader starts a second copy of its own image, writes into it (the nine WriteProcessMemory entries below) and then overwrites the main thread's context so execution resumes in the injected code: the process-hollowing (RunPE) pattern. SetThreadContext on its own also shows up in debuggers and some installers, so a detection should pair it with a preceding cross-process write into a child of the same parent.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this report supports it (no mass file writes, no renamed or encrypted files, only the dropped task XML under Downloads) and the sample is identified as Agent Tesla. Read it as drive enumeration by a stealer, not as a ransomware indicator.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 1988 runs schtasks.exe (PID 368) with /Create /TN "Updates\XJjZTrL" /XML, importing a task definition dropped as tmpFC1A.tmp in the user's Temp directory (see Processes). The report does not include the XML, so the task's trigger and action are not known from this page; the task name is the artefact to hunt for and remove.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1096 | PAYMENT COPY.exe
1096 | PAYMENT COPY.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1096 | PAYMENT COPY.exe
The hollowed instance enables SeDebugPrivilege, which lets it open handles to processes it does not own.
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | count | pid | process | target process
PID 1988 wrote to memory of 368 | 4 | 1988 | PAYMENT COPY.exe | schtasks.exe
PID 1988 wrote to memory of 1096 | 9 | 1988 | PAYMENT COPY.exe | PAYMENT COPY.exe
PID 1096 wrote to memory of 1836 | 4 | 1096 | PAYMENT COPY.exe | dw20.exe
The four writes each into schtasks.exe and dw20.exe are the normal set-up of a freshly created child (the parent writes the child's process parameters during CreateProcess), which the sandbox records for every child launch; they are not injection. The nine writes into PID 1096 are the payload being placed before SetThreadContext redirects execution to it. dw20.exe is the .NET Framework error-reporting tool, launched by the runtime on an unhandled managed exception, so the injected stealer crashed during the run.
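The three behaviours above (WriteProcessMemory followed by SetThreadContext into a self-spawned child, schtasks /Create importing an XML from the user's Temp directory, and SMTP traffic to the host in the Malware Config) are the ones worth encoding as detections. The following is an added example, not code from the report or from Triage: it runs simple detection logic over constructed process and network events modelled on this report's PIDs, paths and SMTP host. The event schema, the parent PID of 1988, the network_connect record (the report's Network section captured nothing) and the mail-client allow-list are assumptions.

```python
"""Detection logic for this report's behaviours (process hollowing via
WriteProcessMemory + SetThreadContext, schtasks persistence from the user's
Temp directory, SMTP exfiltration) run over constructed telemetry. Added
example, not part of the sandbox report or of Triage. Assumed: the event
schema, the parent PID of 1988, the network_connect record (the report
captured no network data) and the mail-client allow-list."""
from collections import defaultdict
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\PAYMENT COPY.exe"
EVENTS = [  # constructed, modelled on the Processes and Signatures sections
    {"etype": "process_create", "pid": 1988, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"etype": "process_create", "pid": 368, "ppid": 1988,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XJjZTrL"'
                ' /XML "' + TEMP + r'\tmpFC1A.tmp"'},
    {"etype": "process_create", "pid": 1096, "ppid": 1988, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    # Parent writes into the child it just created, then resets its thread
    # context: the RunPE sequence behind the SetThreadContext signature.
    {"etype": "write_process_memory", "pid": 1988, "target_pid": 1096},
    {"etype": "set_thread_context", "pid": 1988, "target_pid": 1096},
    {"etype": "network_connect", "pid": 1096,            # assumed record
     "dst_host": "mail.dadabhoy.edu.pk", "dst_port": 587},
]
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list
KNOWN_EXFIL_HOSTS = {"mail.dadabhoy.edu.pk"}        # from Malware Config
_TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _by_type(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["etype"]].append(e)
    return groups


def _base(path):
    return ntpath.basename(path).lower()


def detect_hollowing(events):
    """SetThreadContext on a child the same process created and had already
    written into; a lone SetThreadContext (debuggers) does not fire."""
    g = _by_type(events)
    procs = {e["pid"]: e for e in g["process_create"]}
    wrote = {(e["pid"], e["target_pid"]) for e in g["write_process_memory"]}
    out = []
    for e in g["set_thread_context"]:
        src, dst = e["pid"], e["target_pid"]
        child, parent = procs.get(dst), procs.get(src)
        if src == dst or (src, dst) not in wrote or child is None or child["ppid"] != src:
            continue
        out.append({"rule": "process_hollowing", "pid": src, "target_pid": dst,
                    "same_image": parent is not None and  # self-hollowing, as here
                    _base(parent["image"]) == _base(child["image"])})
    return out


def detect_schtasks_persistence(events):
    """schtasks /Create importing a task definition from a user-writable
    Temp directory; returns the task name and XML path for clean-up."""
    out = []
    for e in _by_type(events)["process_create"]:
        cmd = e["cmdline"]
        if _base(e["image"]) != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        xml, tn = _XML_RE.search(cmd), _TN_RE.search(cmd)
        xml_path = (xml.group(1) or xml.group(2)) if xml else None
        if xml_path is None or "\\appdata\\local\\temp\\" not in xml_path.lower():
            continue
        out.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"], "ppid": e["ppid"],
                    "task_name": (tn.group(1) or tn.group(2)) if tn else None,
                    "xml_path": xml_path})
    return out


def detect_smtp_exfil(events, known_hosts=frozenset(KNOWN_EXFIL_HOSTS)):
    """Outbound SMTP from anything that is not a mail client; a destination
    present in the extracted config is flagged as config_match."""
    g = _by_type(events)
    procs = {e["pid"]: e for e in g["process_create"]}
    out = []
    for e in g["network_connect"]:
        proc = procs.get(e["pid"])
        image = _base(proc["image"]) if proc else ""
        if e["dst_port"] not in MAIL_PORTS or image in MAIL_CLIENTS:
            continue
        out.append({"rule": "smtp_from_non_mail_client", "pid": e["pid"], "image": image,
                    "dst_host": e["dst_host"], "dst_port": e["dst_port"],
                    "config_match": e["dst_host"].lower() in known_hosts})
    return out


def run_all(events):
    return (detect_hollowing(events) + detect_schtasks_persistence(events)
            + detect_smtp_exfil(events))
```

`run_all(EVENTS)` returns three findings: the hollowing of PID 1096 by PID 1988 (same image), the task "Updates\XJjZTrL" imported from tmpFC1A.tmp, and the SMTP connection to mail.dadabhoy.edu.pk from the hollowed process with config_match set. The hollowing rule deliberately requires the write-then-SetThreadContext pair on a child of the same parent, which is what separates this sample's behaviour from a debugger attaching to a process.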
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe (PID 1988)
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (PID 368)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XJjZTrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC1A.tmp"
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe (PID 1096)
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1836)
      dw20.exe -x -s 520
The command line names System32\schtasks.exe but the process that ran is SysWOW64\schtasks.exe: the sample is a 32-bit executable and WOW64 file-system redirection rewrote the path, which is why the 32-bit Framework\v2.0.50727 directory is also where dw20.exe comes from. dw20.exe is the .NET Framework error-reporting tool, launched by the runtime when a managed application throws an unhandled exception; it is started by the hollowed instance (PID 1096), not by the loader.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpFC1A.tmp
MD5: f8280530a1b6d8516ec524042aff6f97
SHA1: 00a241efa4d7b08c23a284787d85926fed2c22cc
SHA256: 880b1cf890eeba78b5b298194fb2634f6fc616a70a74c11b4e1c88c537b84b19
SHA512: 5144c9e05384e1b62ff1f2bb8811ddb9931c125390466cfd6a219af18b54fd8571f7f2bb6fbfcd81f0aeda86369e55f5599d8aa05b12f9fed573007955a4699d
The task definition passed to schtasks.exe via /XML (see Processes); the report does not include its contents.
-
memory/368-63-0x0000000000000000-mapping.dmp
-
memory/1096-65-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB
The region in PID 1096 matched by the family_agenttesla YARA rule: the unpacked Agent Tesla image written in by PID 1988.
-
memory/1096-66-0x000000000043754E-mapping.dmp
Second family_agenttesla match; 0x43754E lies inside the region above.
-
memory/1096-68-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
Filesize: 4KB
-
memory/1836-69-0x0000000000000000-mapping.dmp
-
memory/1836-71-0x0000000000330000-0x0000000000331000-memory.dmp
Filesize: 4KB
-
memory/1988-60-0x0000000075B31000-0x0000000075B33000-memory.dmp
Filesize: 8KB
-
memory/1988-61-0x00000000004C0000-0x00000000004C1000-memory.dmp
Filesize: 4KB
-
memory/1988-62-0x00000000004C1000-0x00000000004C2000-memory.dmp
Filesize: 4KB