Overview

overview

10

Static

static

Ord 2354 png.exe

windows7_x64

10

Ord 2354 png.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ord 2354 png.exe

  • Size

    841KB

  • MD5

    48af5cf24f8c7fc448ecbfd55d18f426

  • SHA1

    e3cf38df72fda964da45323b60bc9bd88abbee15

  • SHA256

    4e9cbaacb1aaed119e375ac6799f97162442f24a14785e2371b44c5e76125abb

  • SHA512

    378572ffde0731fd3e27761be19741548b3d82d6208542c124f4db415380453d67cec00b297932e8f7a2a02c784c289a62fee1df859372da0eccabdd1ccb30f2

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.palletsolutions.ca
  • Port:
    587
  • Username:
    eloglogs@palletsolutions.ca
  • Password:
    h~Q+QV.(M2?!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
    "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIorvZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF55.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
      "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    253c8476da4f7867a94e39133112a313

    SHA1

    317bb2946701db8e05612f313dc68e8c7988d592

    SHA256

    9e2dbe308d1e5580d00f3ef7ac6182bd6e704fd8002a5a253163686954d0404f

    SHA512

    13169432356bbeb48f0e4d7a9c8d40290696fc6d6a61a220e9920a59971cc971fbcb855dece8c6d6c062a98b50a778e2b8771fb68b266653a3bcd9ca27834aa5

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    0e4be592164635acbff650abbd21f325

    SHA1

    0bcaf547106c995225fdbb5f64f2ca21969aa378

    SHA256

    952215534659d3bedac2db0c8b6010e34acc84451517e7c95c9955ee3bc196d7

    SHA512

    b09f78e2fb95c41c359f47cd58c4cbac7ec704a6cecc1047c3f4a9e378e66e7a27ee522a1514a567fe39fae57a086f3c97790dcc80c02c2b87df7b35a092b796

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpFF55.tmp
    MD5

    6ed16b7f224a02ba19eac1f15495ae49

    SHA1

    7fefe74ae7fcb535569c51d7419a9682001019c2

    SHA256

    e076e5c8a12b49cf88dacf42c171797f21a28157358c835a39048dfc43892faf

    SHA512

    629c40ad959e661394addeaed7bec4a701a255dc1eca627404eb2c715a518a9a65af3527f1dfc014fcf4050558299a6fff4dbaa16871a73fa4ba1cf3fa8e8fc2

    Download Submit
  • memory/644-280-0x0000000007383000-0x0000000007384000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-227-0x000000007F720000-0x000000007F721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-160-0x0000000007382000-0x0000000007383000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-158-0x0000000007380000-0x0000000007381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-151-0x00000000072D0000-0x00000000072D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-209-0x0000000009260000-0x0000000009261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-128-0x0000000004730000-0x0000000004731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-129-0x00000000074C0000-0x00000000074C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-223-0x000000007F2B0000-0x000000007F2B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-131-0x00000000071B0000-0x00000000071B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-225-0x0000000006E83000-0x0000000006E84000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-133-0x0000000007330000-0x0000000007331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-135-0x0000000007BC0000-0x0000000007BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-124-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-222-0x0000000009550000-0x0000000009551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-198-0x00000000091F0000-0x00000000091F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-187-0x0000000009210000-0x0000000009243000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1800-166-0x00000000082B0000-0x00000000082B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-154-0x00000000081A0000-0x00000000081A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-156-0x0000000006E80000-0x0000000006E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1800-161-0x0000000006E82000-0x0000000006E83000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-224-0x000000007FB50000-0x000000007FB51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-229-0x0000000000E73000-0x0000000000E74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-163-0x0000000000E72000-0x0000000000E73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-162-0x0000000000E70000-0x0000000000E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-130-0x0000000000000000-mapping.dmp
    Download
  • memory/3204-164-0x0000000004E30000-0x000000000532E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3204-143-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3204-144-0x00000000004375EE-mapping.dmp
    Download
  • memory/4388-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4428-121-0x0000000005590000-0x00000000055AB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4428-114-0x0000000000900000-0x0000000000901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-123-0x00000000011F0000-0x000000000122D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/4428-125-0x0000000009440000-0x0000000009441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-120-0x0000000005210000-0x0000000005211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-122-0x0000000007010000-0x0000000007092000-memory.dmp
    Filesize

    520KB

    Download
  • memory/4428-119-0x00000000051C0000-0x0000000005252000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4428-118-0x0000000005340000-0x0000000005341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-117-0x0000000005260000-0x0000000005261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-116-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download