Analysis
- Score: 10
- Max time kernel: 126s
- Max time network: 136s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 20-07-2021 14:18
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Restore Messages003.exe, win7v20210410
- behavioral2: Restore Messages003.exe, win10v20210410
- behavioral3: 060106363494814da48982a85e4c66f5d52e84a537dbb4acbc55067301d88679.xlsm, win7v20210408
- behavioral4: 060106363494814da48982a85e4c66f5d52e84a537dbb4acbc55067301d88679.xlsm, win10v20210410
- behavioral5: 0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff.exe, win7v20210408
- behavioral6: 0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff.exe, win10v20210410
- behavioral7: 0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b.exe, win7v20210408
- behavioral8: 0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b.exe, win10v20210410
- behavioral9: 188bcacd74aabebec45f6a24175295ed574de65516021c9f0739dff3e9666a6f.exe, win7v20210408
- behavioral10: 188bcacd74aabebec45f6a24175295ed574de65516021c9f0739dff3e9666a6f.exe, win10v20210410
- behavioral11: 1c2e4fc620772752079b05cdd904aa18a3482066e3b6f11f5a798f6a278b9f78.jar, win7v20210410
- behavioral12: 1c2e4fc620772752079b05cdd904aa18a3482066e3b6f11f5a798f6a278b9f78.jar, win10v20210408
- behavioral13: 1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8.exe, win7v20210410
- behavioral14: 1e39513b16501c1ff55a8a9d4c7b4b27ad067f3063002541b74b43e547ca8bf8.exe, win10v20210408
- behavioral15: TT COPY.exe, win7v20210410
- behavioral16: TT COPY.exe, win10v20210410
- behavioral17: 29e897846dad42a2a15e6059927ed91f98a8ef5cf6fa13b2b08ef48b6e951d9c, ubuntu-amd64
- behavioral18: 29e897846dad42a2a15e6059927ed91f98a8ef5cf6fa13b2b08ef48b6e951d9c, debian9-mipsel
- behavioral19: 29e897846dad42a2a15e6059927ed91f98a8ef5cf6fa13b2b08ef48b6e951d9c, debian9-mipsbe
- behavioral20: 31c031a7f6fb39ba50153376ee653388d606a8bc1268954460de5d37f91e4621.exe, win7v20210408
- behavioral21: 31c031a7f6fb39ba50153376ee653388d606a8bc1268954460de5d37f91e4621.exe, win10v20210408
- behavioral22: 476b568daffd903ccc4cde8c7f8d643eaba306fcad74e2f90dff37504bb11292.exe, win7v20210408
- behavioral23: 476b568daffd903ccc4cde8c7f8d643eaba306fcad74e2f90dff37504bb11292.exe, win10v20210410
- behavioral24: 4975909b70555a443f8acbb22ef17f932eed445bf52148043ca4a1cc10e43264.doc, win7v20210408
- behavioral25: 4975909b70555a443f8acbb22ef17f932eed445bf52148043ca4a1cc10e43264.doc, win10v20210410
- behavioral26: 4c0c8cbb0e933f865862852967071eb6908bca3c610d2b14a77149d756db00fe.exe, win7v20210410
- behavioral27: 4c0c8cbb0e933f865862852967071eb6908bca3c610d2b14a77149d756db00fe.exe, win10v20210408
- behavioral28: 8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3.xls, win7v20210410
- behavioral29: 8017a07f03965d9490f9cdbba68ff3a3580441ca0e76b140f1e4bb939c4073b3.xls, win10v20210408
- behavioral30: 8f23d20d11602a29f56c47a6efad0cffbd43a32c7fb4f2df5ebf4c5bace60d8d.exe, win7v20210410
- behavioral31: 8f23d20d11602a29f56c47a6efad0cffbd43a32c7fb4f2df5ebf4c5bace60d8d.exe, win10v20210410
- behavioral32: 90f026ae8692c2199e2a5e8ea618c93ff00fd5d07ac974191ca5f060c1f7c737.exe, win7v20210408
General
- Target: TT COPY.exe
- Size: 837KB
- MD5: ba13e04243a1c130a961577665e081cd
- SHA1: dee255022621fe995ac13d6f236b6b82e612382a
- SHA256: 9613a9091f407470785d30cda2e384ae38fef3b2ad693ee00f2c65f59aada2c0
- SHA512: 682f3ad0c13fd4234a38791279f51ba1047c0b358de2fdb6fa658facc19bdbe9d8b2091458c65f92250588975883013dcbbf21f836bf54a6226f53f0e4678c12
Malware Config
Extracted configuration (family: agenttesla)
- Protocol: smtp
- Host: mail.saitools.com
- Port: 587
- Username: qamanager@saitools.com
- Password: ecotanksystems$0912
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Memory regions matching the family_agenttesla YARA rule:
  - behavioral16/memory/3308-124-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral16/memory/3308-125-0x000000000043761E-mapping.dmp
  - behavioral16/memory/3308-130-0x00000000053D0000-0x00000000058CE000-memory.dmp
- Drops file in Drivers directory (1 IoC)
  - RegSvcs.exe: file opened for modification, C:\Windows\system32\drivers\etc\hosts
- Adds Run key to start application (2 TTPs, 1 IoC)
  - RegSvcs.exe: set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3680 (TT COPY.exe) set thread context of PID 3308 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - PID 3680 (TT COPY.exe): 3 events
  - PID 3308 (RegSvcs.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token SeDebugPrivilege: PID 3680 (TT COPY.exe)
  - Token SeDebugPrivilege: PID 3308 (RegSvcs.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 3308 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 3680 (TT COPY.exe) wrote to memory of PID 3968 (RegSvcs.exe): 3 events
  - PID 3680 (TT COPY.exe) wrote to memory of PID 3308 (RegSvcs.exe): 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\TT COPY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TT COPY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, with file size where listed)
- memory/3308-124-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/3308-132-0x0000000006230000-0x0000000006231000-memory.dmp (4KB)
- memory/3308-131-0x00000000058A0000-0x00000000058A1000-memory.dmp (4KB)
- memory/3308-130-0x00000000053D0000-0x00000000058CE000-memory.dmp (5.0MB)
- memory/3308-125-0x000000000043761E-mapping.dmp
- memory/3680-118-0x0000000004A80000-0x0000000004A81000-memory.dmp (4KB)
- memory/3680-121-0x0000000004AB0000-0x0000000004AB1000-memory.dmp (4KB)
- memory/3680-122-0x0000000006810000-0x00000000068A8000-memory.dmp (608KB)
- memory/3680-123-0x0000000006E10000-0x0000000006E67000-memory.dmp (348KB)
- memory/3680-120-0x0000000006E70000-0x0000000006E71000-memory.dmp (4KB)
- memory/3680-119-0x0000000004DC0000-0x0000000004DC2000-memory.dmp (8KB)
- memory/3680-114-0x0000000000170000-0x0000000000171000-memory.dmp (4KB)
- memory/3680-117-0x0000000004B40000-0x0000000004B41000-memory.dmp (4KB)
- memory/3680-116-0x0000000005040000-0x0000000005041000-memory.dmp (4KB)