Analysis
-
max time kernel
124s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-05-2021 12:55
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT COPY.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
PAYMENT COPY.exe
Resource
win10v20210408
General
-
Target
PAYMENT COPY.exe
-
Size
911KB
-
MD5
497fdb0a1fa8970ac4e81aa66278b6ed
-
SHA1
5bacbe7521f6d6de1a7efc85d92fddf7fd358b21
-
SHA256
c70bf2aeaa6b9f644dadc0617debe3ec20671adc1e2ee8c60a8a932bf99e3c63
-
SHA512
b52fccf2ff91ae3a4ed7d87ba14ba715a8780e7004e632995949757fc3f414312f12c1c141d5033c3764cfcbd6955644514ff1961813fe5551cace35cdfa66f1
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.dadabhoy.edu.pk - Port:
587 - Username:
ghulam.sarwar@dadabhoy.edu.pk - Password:
Dadabhoy.456
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1944-117-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/1944-118-0x000000000043754E-mapping.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PAYMENT COPY.exedescription pid process target process PID 640 set thread context of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
PAYMENT COPY.exePAYMENT COPY.exepid process 640 PAYMENT COPY.exe 640 PAYMENT COPY.exe 640 PAYMENT COPY.exe 1944 PAYMENT COPY.exe 1944 PAYMENT COPY.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PAYMENT COPY.exePAYMENT COPY.exedescription pid process Token: SeDebugPrivilege 640 PAYMENT COPY.exe Token: SeDebugPrivilege 1944 PAYMENT COPY.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
PAYMENT COPY.exedescription pid process target process PID 640 wrote to memory of 3828 640 PAYMENT COPY.exe schtasks.exe PID 640 wrote to memory of 3828 640 PAYMENT COPY.exe schtasks.exe PID 640 wrote to memory of 3828 640 PAYMENT COPY.exe schtasks.exe PID 640 wrote to memory of 1020 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1020 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1020 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe PID 640 wrote to memory of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XJjZTrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp417A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PAYMENT COPY.exe.logMD5
5e7bb97636a484b5a87e60373614279a
SHA136bfdec32eedb141a4a106d89a453326f62593ee
SHA25612ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20
SHA512448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56
-
C:\Users\Admin\AppData\Local\Temp\tmp417A.tmpMD5
5ec0d09fb55c167b7fec5b30ccac17e6
SHA150136f896cc6b7882a68c09ce424350dbf7ab245
SHA256b905c0723cfe3680d8f4275b2befa81289268884f61efac46b79beb56401f21f
SHA512cd1f8a6028c9c585197aa17988359be47a1ac4007dba8160148492964465a2fd52f79ee1b43ae63dd83e79de773b2aa6f09b398076417d198be89b442821d917
-
memory/640-114-0x0000000000900000-0x0000000000A4A000-memory.dmpFilesize
1.3MB
-
memory/1944-117-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1944-118-0x000000000043754E-mapping.dmp
-
memory/1944-120-0x0000000001180000-0x0000000001181000-memory.dmpFilesize
4KB
-
memory/1944-121-0x0000000001181000-0x0000000001182000-memory.dmpFilesize
4KB
-
memory/3828-115-0x0000000000000000-mapping.dmp