Analysis
- Max time kernel: 133s
- Max time network: 44s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 27-07-2021 14:23
- Static task: static1
- Behavioral task: behavioral1 (sample fda.exe, resource win7v20210410)
- Behavioral task: behavioral2 (sample fda.exe, resource win10v20210408)
General
- Target: fda.exe
- Size: 840KB
- MD5: 8222e7bd5783b30d0a64b6f9e1aec2ab
- SHA1: f8a8ba5d2dcffffe488c345134e324c97652d000
- SHA256: d19edc2ae1e9d8c99b477c45960499e400afaad377a85475af9eebfc752cecd0
- SHA512: e48b583915e4102173de672435af083ede63979030358dc60976f418ea0f860621c9d618733f694c8fd6e1bba6f8406ce587db4548262e0cac98e9cef67ed56a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.vivaldi.net
- Port: 587
- Username: faithkingsley@vivaldi.net
- Password: kingsofkings123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1124-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/1124-69-0x000000000043782E-mapping.dmp | family_agenttesla
  behavioral1/memory/1124-70-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLxES = "C:\\Users\\Admin\\AppData\\Roaming\\DLxES\\DLxES.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: fda.exe
  description | pid | process | target process
  PID 840 set thread context of 1124 | 840 | fda.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: fda.exe, RegSvcs.exe
  pid | process
  840 | fda.exe
  1124 | RegSvcs.exe
  1124 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: fda.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 840 | fda.exe
  Token: SeDebugPrivilege | 1124 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  1124 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: fda.exe
  description | pid | process | target process | occurrences
  PID 840 wrote to memory of 564 | 840 | fda.exe | schtasks.exe | 4
  PID 840 wrote to memory of 1124 | 840 | fda.exe | RegSvcs.exe | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\fda.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fda.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KDJpNdSGbsgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3015.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3015.tmp
  MD5: 780e6d656aaaa9db0a4691323fffbd0d
  SHA1: 06e48c223cbd4298d213194521b7581d4d94d4ca
  SHA256: 8a24fe6fa4a1b160bca3696c9fbf9c5a50cf343b0574ce77651f9dfcac080984
  SHA512: 525ca551a5f1412952fe8636b24988db4455c2b42410281e48577b85fedb55c7af0d516d98018c3a7de2d5264d6e44dfff1a958281179dfe3212d0380e570f87
- memory/564-66-0x0000000000000000-mapping.dmp
- memory/840-60-0x0000000001150000-0x0000000001151000-memory.dmp (filesize 4KB)
- memory/840-62-0x0000000004D70000-0x0000000004D71000-memory.dmp (filesize 4KB)
- memory/840-63-0x00000000003B0000-0x00000000003B2000-memory.dmp (filesize 8KB)
- memory/840-64-0x0000000005860000-0x00000000058FF000-memory.dmp (filesize 636KB)
- memory/840-65-0x0000000000BE0000-0x0000000000C3A000-memory.dmp (filesize 360KB)
- memory/1124-68-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
- memory/1124-69-0x000000000043782E-mapping.dmp
- memory/1124-70-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
- memory/1124-72-0x00000000049F0000-0x00000000049F1000-memory.dmp (filesize 4KB)
- memory/1124-73-0x00000000049F1000-0x00000000049F2000-memory.dmp (filesize 4KB)