Analysis

  Max time kernel: 120s
  Max time network: 115s
  Platform: windows10_x64
  Resource: win10v20210408
  Submitted: 27-07-2021 20:03

  Static task: static1

  Behavioral task: behavioral1
    Sample: #$$$!1weF5(1).exe
    Resource: win7v20210410

  Behavioral task: behavioral2
    Sample: #$$$!1weF5(1).exe
    Resource: win10v20210408
General

  Target: #$$$!1weF5(1).exe
  Size: 662KB
  MD5: 65c520abdacd8aacdb7f93ed7b00d716
  SHA1: c5ca68ab7ce2e46e0b924acb0365af5f4935847d
  SHA256: b47c11b0e48a16e4e1d861dcb524bf3bcabfe1481853b7d94fb738f635d1d5aa
  SHA512: f369b973656103610c08a054ae50a3ddcccc9aa64acfc9fec9d6e06b5f6cd3d5e3ca2d7b62eda5838452efd0bed8f25f8a9cb9fe430c9ec39749181e24be93ed
Malware Config

  Extracted family: agenttesla
  Exfiltration endpoint (Telegram Bot API sendDocument): https://api.telegram.org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2588-200-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral2/memory/2588-201-0x000000000043773E-mapping.dmp                     family_agenttesla
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  process: #$$$!1weF5(1).exe
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe\\service.exe.exe"
Suspicious use of SetThreadContext (1 IoC)
  description                            pid   process             target process
  PID 900 set thread context of 2588     900   #$$$!1weF5(1).exe   #$$$!1weF5(1).exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 4 IoCs)
  pid    process
  3396   PING.EXE
  2860   PING.EXE
  1220   PING.EXE
  1432   PING.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs; identical rows collapsed, count in the events column)
  pid    process             events
  2212   powershell.exe      3
  1872   powershell.exe      3
  2864   powershell.exe      3
  4076   powershell.exe      3
  900    #$$$!1weF5(1).exe   6
  2588   #$$$!1weF5(1).exe   2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   2212   powershell.exe
  Token: SeDebugPrivilege   1872   powershell.exe
  Token: SeDebugPrivilege   2864   powershell.exe
  Token: SeDebugPrivilege   4076   powershell.exe
  Token: SeDebugPrivilege   900    #$$$!1weF5(1).exe
  Token: SeDebugPrivilege   2588   #$$$!1weF5(1).exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  2588   #$$$!1weF5(1).exe

Suspicious use of WriteProcessMemory (35 IoCs; identical rows collapsed, count in the events column)
  description                          pid    process             target process      events
  PID 900 wrote to memory of 2212      900    #$$$!1weF5(1).exe   powershell.exe      3
  PID 2212 wrote to memory of 3396     2212   powershell.exe      PING.EXE            3
  PID 900 wrote to memory of 1872      900    #$$$!1weF5(1).exe   powershell.exe      3
  PID 1872 wrote to memory of 2860     1872   powershell.exe      PING.EXE            3
  PID 900 wrote to memory of 2864      900    #$$$!1weF5(1).exe   powershell.exe      3
  PID 2864 wrote to memory of 1220     2864   powershell.exe      PING.EXE            3
  PID 900 wrote to memory of 4076      900    #$$$!1weF5(1).exe   powershell.exe      3
  PID 4076 wrote to memory of 1432     4076   powershell.exe      PING.EXE            3
  PID 900 wrote to memory of 4064      900    #$$$!1weF5(1).exe   #$$$!1weF5(1).exe   3
  PID 900 wrote to memory of 2588      900    #$$$!1weF5(1).exe   #$$$!1weF5(1).exe   8
Processes (tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    Command line: C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    (no signatures recorded)

  C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    Command line: C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#$$$!1weF5(1).exe.log
  MD5: 9e7845217df4a635ec4341c3d52ed685
  SHA1: d65cb39d37392975b038ce503a585adadb805da5
  SHA256: d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
  SHA512: 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 0f5cbdca905beb13bebdcf43fb0716bd
  SHA1: 9e136131389fde83297267faf6c651d420671b3f
  SHA256: a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
  SHA512: a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b38eb33569647ea259e99c51fc58b35d
  SHA1: 50e84422f1458df23e46f9fa9ea0df6ec2f267c6
  SHA256: 41a0ce92291a285f35c86e2a59b09068868788349f665fc781ced8275f95df0c
  SHA512: 5fb51562a34a553d706c10187d46fdd389b46b48cc9c760cfad4d4210f16beab0db17621bc0fcade4f97c64a8d8af3e87172c6fd650f62f70b1f16575d7f6cd4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (later write, different content)
  MD5: 0474b226c5dbfff8952a30b5e130bab2
  SHA1: d93c94c9cf2dc02d4d01cb5ba001e8873abf646e
  SHA256: 89ab5647ff504006d890c77d915950a2f8654c5cd05b545c21ae1c19e219df21
  SHA512: 7d7446c94a6b68b86eca4c27ea9433eab3f06c2447727010e8dac99f91b44165465488336067a50aaad08b212e56bd85cd9c8576e301c10e274fd8f5d7373e79