TT COPY.exe

General

Target: TT COPY.exe
Filesize: 988KB
Completed: 27-07-2021 13:09
Score: 10/10
MD5: 197e571bfcf3f22816e245fef4f86b4f
SHA1: 60df9b31aeb301c4c480da58f75be14d775cb604
SHA256: fc22aaa35e5504461dd5ace02d041f7715bc25acf329d2070e02e854b54d4de0

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: paola.micheli@copangroup.xyz
  Password: gibson.1990

Signatures 11

Collection
Credential Access
Defense Evasion
Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/416-124-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/416-125-0x000000000043760E-mapping.dmp | family_agenttesla
    behavioral2/memory/416-131-0x0000000004CB0000-0x00000000051AE000-memory.dmp | family_agenttesla
  • Drops file in Drivers directory
    TT COPY.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | TT COPY.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    TT COPY.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" | TT COPY.exe
  • Suspicious use of SetThreadContext
    TT COPY.exe

    Reported IOCs

    description | pid | process | target process
    PID 636 set thread context of 416 | 636 | TT COPY.exe | TT COPY.exe
  • Suspicious behavior: EnumeratesProcesses
    TT COPY.exe

    Reported IOCs

    pid | process
    416 | TT COPY.exe
    416 | TT COPY.exe
  • Suspicious use of AdjustPrivilegeToken
    TT COPY.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 416 | TT COPY.exe
  • Suspicious use of WriteProcessMemory
    TT COPY.exe

    Reported IOCs

    description | pid | process | target process
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
    PID 636 wrote to memory of 416 | 636 | TT COPY.exe | TT COPY.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\TT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\TT COPY.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\TT COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\TT COPY.exe"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:416
Network
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT COPY.exe.log
    MD5: a31dce488913906093df2ebc9493f627
    SHA1: 70873fcb856c1614fd605128e926229b04c838d7
    SHA256: 7795df31e5563550e636a862760067408a3bd84f7c258376895f58d55cd6aebd
    SHA512: 5a0913b1d03510b58a9596d718c975cfdf3e9d570460caed07acebf5a4b19cf1cf729f2d4a1a33c832a761028030cf05da8dee5c34a4120b22f55a5f6d26c495
