Analysis
- max time kernel: 299s
- max time network: 302s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: z8WufQDmHPxb9FP.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: z8WufQDmHPxb9FP.exe
- Resource: win10v20210410
General
- Target: z8WufQDmHPxb9FP.exe
- Size: 653KB
- MD5: bc7cbd5aae47693ebd6c19a9f6ae7976
- SHA1: 376072c8e8c2aadd66b772ffb6f2094254818eb4
- SHA256: d4c6b6a00d510bba75da888a42569c72a43f2585b82b29e65298897d03285b76
- SHA512: cb35a62642d870d4cb7d52472bdc491cdf1efc4e0f57b374c0d0bd8b76a922a4ea7e66aed13c79b9ba2354a082b5ec34a09416fd90b848b297b96ca113c1ed8b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: outback.websitewelcome.com
- Port: 587
- Username: procc@ogenexblog24.com
- Password: Thisyear2020
These are the credentials the payload uses to submit harvested data over SMTP (port 587 is the mail-submission port); they are attacker exfiltration infrastructure and belong on the indicator list, not in a "leaked victim credentials" bucket.
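The extracted config gives the exfiltration channel but the report's Network section is empty, so the following Python is an added example (not part of the sandbox report) of how an analyst would hunt for this channel in network telemetry. The flow records are constructed; only the indicator host and port (outback.websitewelcome.com:587) come from the report, and the MAIL_CLIENTS allowlist is an assumption about the monitored estate.

```python
"""Flag SMTP exfiltration of the kind configured in the extracted AgentTesla
config above.

Added example, not part of the sandbox report. Flow records are constructed;
only the indicator host and port (outback.websitewelcome.com:587) come from
the report. In practice the records would come from a firewall, a Zeek
conn.log, or EDR network-connection events that carry the owning process.
"""

SMTP_PORTS = {25, 465, 587}
# Assumption: the only processes expected to speak SMTP on this estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Indicator from the report's extracted config.
KNOWN_EXFIL_HOSTS = {"outback.websitewelcome.com"}

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
SAMPLE_FLOWS = [  # constructed records, not from the report
    {"pid": 3116, "image": MSBUILD,
     "dst_host": "outback.websitewelcome.com", "dst_port": 587},
    {"pid": 512, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "mail.example.com", "dst_port": 587},
    {"pid": 3116, "image": MSBUILD, "dst_host": "dl.example.com", "dst_port": 443},
    {"pid": 77, "image": r"C:\Tools\notify.exe",
     "dst_host": "mail.example.com", "dst_port": 25},
]


def classify_flow(flow):
    """Return the reasons a flow is suspicious (empty list means benign).

    The behavioural rule (SMTP from a non-mail client) keeps firing after the
    actor rotates the mail host; the indicator match is the cheap confirmation.
    """
    name = flow["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if flow["dst_host"].lower() in KNOWN_EXFIL_HOSTS:
        reasons.append("known_exfil_host")
    if flow["dst_port"] in SMTP_PORTS and name not in MAIL_CLIENTS:
        reasons.append("smtp_from_non_mail_client")
    return reasons


def find_smtp_exfil(flows):
    """Return the flows that carry at least one reason, with the reasons attached."""
    hits = []
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            hits.append(dict(flow, reasons=reasons))
    return hits


if __name__ == "__main__":
    for hit in find_smtp_exfil(SAMPLE_FLOWS):
        print(hit["pid"], hit["dst_host"], hit["dst_port"], ", ".join(hit["reasons"]))
```

The constructed notify.exe flow on port 25 is flagged too: the behavioural rule is only as good as the MAIL_CLIENTS allowlist, so expect to tune it against legitimate relays before alerting on it.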
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (C#/VB.NET). In this run the payload executes inside the .NET host MSBuild.exe and is configured to exfiltrate over SMTP (see Malware Config).

AgentTesla Payload (2 IoCs)
YARA rule family_agenttesla matched on:
- behavioral2/memory/3116-118-0x0000000000436BBE-mapping.dmp
- behavioral2/memory/3116-117-0x0000000000400000-0x000000000043C000-memory.dmp
Both dumps come from PID 3116 (MSBuild.exe): the family match is on the injected, unpacked payload in memory, not on the dropper as it sits on disk.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: MSBuild.exe (PID 3116)
- Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\file = "C:\\Users\\Admin\\AppData\\Roaming\\file\\file.exe"
Suspicious use of SetThreadContext (1 IoC)
- PID 3876 (z8WufQDmHPxb9FP.exe) set thread context of PID 3116 (MSBuild.exe)
Taken together with the eight WriteProcessMemory events from 3876 into 3116 listed below, this is the process-hollowing pattern: the dropper starts MSBuild.exe as a child, writes the AgentTesla payload into it (the region at 0x400000-0x43C000 later matches the family YARA rule) and redirects its thread into the new code.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; for an AgentTesla sample it is more consistent with host and drive enumeration, so it should not be read as encryption activity on its own.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe (PID 420)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: taskmgr.exe (PID 420)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Both of these signatures are attributed solely to taskmgr.exe, which runs as a separate top-level process and not as a child of the sample (see Processes). They reflect Task Manager populating its own hardware views and are not evidence that this sample performs sandbox detection.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropper (PID 3876) spawns schtasks.exe (PID 3896) to register the task "Updates\FzvRCoQF" from the XML definition C:\Users\Admin\AppData\Local\Temp\tmp9ABF.tmp (hashes under Downloads), giving the sample a second persistence mechanism alongside the Run key.
Suspicious behavior: EnumeratesProcesses (34 IoCs)
- 3876 z8WufQDmHPxb9FP.exe (1 event)
- 3116 MSBuild.exe (2 events)
- 420 taskmgr.exe (31 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- 3876 z8WufQDmHPxb9FP.exe: SeDebugPrivilege
- 3116 MSBuild.exe: SeDebugPrivilege
- 420 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33 (SE_INC_WORKING_SET_PRIVILEGE), SeIncBasePriorityPrivilege
The notable entries are SeDebugPrivilege in the dropper and in the hollowed MSBuild.exe, which is what cross-process memory access needs; the taskmgr.exe tokens are normal for Task Manager.
Suspicious use of FindShellTrayWindow (56 IoCs)
- 420 taskmgr.exe (56 events)

Suspicious use of SendNotifyMessage (56 IoCs)
- 420 taskmgr.exe (56 events)

Both signatures fire only on taskmgr.exe and are ordinary Task Manager UI activity, not sample behaviour.
Suspicious use of SetWindowsHookEx (1 IoC)
- 3116 MSBuild.exe
A Windows hook installed from the hollowed MSBuild.exe is consistent with AgentTesla's keylogging capability.

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 3876 (z8WufQDmHPxb9FP.exe) wrote to memory of PID 3896 (schtasks.exe): 3 events
- PID 3876 (z8WufQDmHPxb9FP.exe) wrote to memory of PID 3116 (MSBuild.exe): 8 events
The three writes into schtasks.exe are few and are not followed by a SetThreadContext, consistent with ordinary child-process start-up; the eight writes into MSBuild.exe, followed by the SetThreadContext event above, are the injection.
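The signatures above, read together, describe one chain: cross-process writes plus SetThreadContext into a freshly started MSBuild.exe (hollowing), then a Run-key value under the user's AppData and a scheduled task created from an XML file in Temp. The following Python is an added example of turning that chain into detection logic; it is not part of the sandbox report. The event schema and the sample events are constructed to mirror the report's PIDs, paths and command lines, and the INJECTION_HOSTS list is an assumption (only msbuild.exe is attested by this report).

```python
"""Detect the injection and persistence chain shown in the signatures above.

Added example, not part of the sandbox report. Event schema and the sample
events are constructed to mirror the report: eight WriteProcessMemory calls
and one SetThreadContext from the dropper (PID 3876) into MSBuild.exe
(PID 3116), three start-up writes into schtasks.exe (PID 3896) with no
SetThreadContext, a Run-key write from PID 3116, and the schtasks command
line. Real input would come from EDR or Sysmon-style telemetry.
"""
import re
from collections import defaultdict

# Assumption: analyst-maintained list of signed binaries commonly hijacked
# as injection hosts. Only msbuild.exe is attested by the report itself.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

SAMPLE_EVENTS = [  # constructed from the report's signatures
    {"type": "process_create", "pid": 3896, "ppid": 3876,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FzvRCoQF" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9ABF.tmp"'},
    *[{"type": "write_process_memory", "pid": 3876, "target_pid": 3896} for _ in range(3)],
    {"type": "process_create", "pid": 3116, "ppid": 3876,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": "{path}"},
    *[{"type": "write_process_memory", "pid": 3876, "target_pid": 3116} for _ in range(8)],
    {"type": "set_thread_context", "pid": 3876, "target_pid": 3116},
    {"type": "registry_set", "pid": 3116,
     "key": r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\file",
     "value": r"C:\Users\Admin\AppData\Roaming\file\file.exe"},
]


def tokenize_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal here, so shlex's POSIX mode would mangle paths."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map lower-cased schtasks switches to their values; flag-only switches
    such as /Create or /F map to an empty string."""
    tokens = tokenize_cmdline(cmdline)[1:]  # drop the image path
    args, i = {}, 0
    while i < len(tokens):
        switch = tokens[i].lower()
        if not switch.startswith("/"):
            i += 1
            continue
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[switch] = tokens[i + 1]
            i += 2
        else:
            args[switch] = ""
            i += 1
    return args


def find_hollowing(events):
    """Pair cross-process writes with a SetThreadContext on the same
    (source, target): the process-hollowing pattern. Start-up writes into a
    child with no thread redirection (schtasks.exe here) do not fire."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    redirected = []
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "set_thread_context":
            redirected.append((e["pid"], e["target_pid"]))
    hits = []
    for src, dst in redirected:
        if writes[(src, dst)] == 0:
            continue
        image = images.get(dst, "")
        hits.append({"source_pid": src, "target_pid": dst, "image": image,
                     "writes": writes[(src, dst)],
                     "known_host": image.rsplit("\\", 1)[-1].lower() in INJECTION_HOSTS})
    return hits


def find_persistence(events):
    """Run-key values and schtasks /Create launches, with the two tells from
    the report: the target lives under the user's AppData and the task XML
    is read from Temp."""
    hits = []
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            hits.append({"technique": "run_key", "pid": e["pid"], "target": e["value"],
                         "user_writable": bool(USER_WRITABLE_RE.search(e["value"]))})
        elif e["type"] == "process_create" and e["image"].lower().endswith("\\schtasks.exe"):
            args = parse_schtasks(e["cmdline"])
            if "/create" in args:
                xml = args.get("/xml", "")
                hits.append({"technique": "schtasks", "pid": e["pid"], "task": args.get("/tn", ""),
                             "xml": xml, "xml_in_temp": "\\temp\\" in xml.lower()})
    return hits


def summarize(events):
    return {"hollowing": find_hollowing(events), "persistence": find_persistence(events)}


if __name__ == "__main__":
    for kind, hits in summarize(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

The hollowing rule deliberately keys on the write-then-SetThreadContext pair rather than on the target image, so a sample that picks a different host than MSBuild.exe still fires; the INJECTION_HOSTS check only adds confidence. Note also that the constructed events carry the 32-bit paths seen in this report (SysWOW64\schtasks.exe, Framework\ rather than Framework64\), which is what a 32-bit dropper produces on a 64-bit host.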
Processes
- C:\Users\Admin\AppData\Local\Temp\z8WufQDmHPxb9FP.exe (PID 3876, top-level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\z8WufQDmHPxb9FP.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3896, child of 3876)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FzvRCoQF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9ABF.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3116, child of 3876)
    Command line: "{path}" (placeholder as recorded by the sandbox)
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 420, separate top-level process)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The dropper is 32-bit: its "System32\schtasks.exe" request is redirected to SysWOW64, and the injection host is the 32-bit .NET 2.0 MSBuild.exe under Framework\ rather than Framework64\. Hunting rules keyed only on the 64-bit paths would miss both. taskmgr.exe is not spawned by the sample and its signatures are not attributable to it.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9ABF.tmp (scheduled-task XML passed to schtasks.exe /XML)
  MD5: 0deec5b6bd70770beed61cf7dd143022
  SHA1: 020cbb0a3cb8211003b301421e6beb4fef9dfc23
  SHA256: 4956d0a2101b562ea930afe101e5ae84273296122cee0b01e60d9f1d6969da22
  SHA512: 1059e4307c1ebd8338514a99059096c1dcd9af3c69096956ffae7236f42cc7b9c2d9d668369b9892a1a1d5f4dd991d20585f91a67d5f49e285fd31a686a91853
- C:\Users\Admin\AppData\Roaming\file\file.exe (target of the Run key)
  MD5: 00a06cc646455275580ca1750c8ec273
  SHA1: 7483eeb6d51cffe4f766cc1aeec88493dbc9446e
  SHA256: 963205415dd5f89a03b1fde4f1cfe4be6eebe2d36697ea0981ffcdcdf24e6939
  SHA512: 8255c66a9a30db5a21c42c915ea88287e18df4b8edbdbacd7b5e1ae9be5d5cc53fb7586e1e6282175a89365f9abcc3378d10845b3d1cc299d01cbfb368d99070
  The persisted copy does not share the submitted sample's hashes, so blocking the original file hash alone will not remove the persistence; block or hunt both.
- memory/3116-118-0x0000000000436BBE-mapping.dmp (MSBuild.exe, YARA: family_agenttesla)
- memory/3116-117-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB (MSBuild.exe, YARA: family_agenttesla)
- memory/3116-119-0x0000000002B80000-0x0000000002B81000-memory.dmp, Filesize: 4KB
- memory/3116-120-0x0000000002B81000-0x0000000002B82000-memory.dmp, Filesize: 4KB
- memory/3876-114-0x0000000000E00000-0x0000000000E01000-memory.dmp, Filesize: 4KB
- memory/3896-115-0x0000000000000000-mapping.dmp