Analysis

  • max time kernel: 120s
  • max time network: 115s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 27-07-2021 20:03

General

  • Target: #$$$!1weF5(1).exe
  • Size: 662KB
  • MD5: 65c520abdacd8aacdb7f93ed7b00d716
  • SHA1: c5ca68ab7ce2e46e0b924acb0365af5f4935847d
  • SHA256: b47c11b0e48a16e4e1d861dcb524bf3bcabfe1481853b7d94fb738f635d1d5aa
  • SHA512: f369b973656103610c08a054ae50a3ddcccc9aa64acfc9fec9d6e06b5f6cd3d5e3ca2d7b62eda5838452efd0bed8f25f8a9cb9fe430c9ec39749181e24be93ed

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    "C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:3396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:2860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1220
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1432
    • C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
      C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
      2⤵
        PID:4064
      • C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
        C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
        2⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2588

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: System Information Discovery, T1082 (1); Remote System Discovery, T1018 (1)
  • Collection: Data from Local System, T1005 (3)

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#$$$!1weF5(1).exe.log
    MD5: 9e7845217df4a635ec4341c3d52ed685
    SHA1: d65cb39d37392975b038ce503a585adadb805da5
    SHA256: d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
    SHA512: 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5: 0f5cbdca905beb13bebdcf43fb0716bd
    SHA1: 9e136131389fde83297267faf6c651d420671b3f
    SHA256: a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
    SHA512: a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: b38eb33569647ea259e99c51fc58b35d
    SHA1: 50e84422f1458df23e46f9fa9ea0df6ec2f267c6
    SHA256: 41a0ce92291a285f35c86e2a59b09068868788349f665fc781ced8275f95df0c
    SHA512: 5fb51562a34a553d706c10187d46fdd389b46b48cc9c760cfad4d4210f16beab0db17621bc0fcade4f97c64a8d8af3e87172c6fd650f62f70b1f16575d7f6cd4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: 0474b226c5dbfff8952a30b5e130bab2
    SHA1: d93c94c9cf2dc02d4d01cb5ba001e8873abf646e
    SHA256: 89ab5647ff504006d890c77d915950a2f8654c5cd05b545c21ae1c19e219df21
    SHA512: 7d7446c94a6b68b86eca4c27ea9433eab3f06c2447727010e8dac99f91b44165465488336067a50aaad08b212e56bd85cd9c8576e301c10e274fd8f5d7373e79
