8a56d6baa1eac6ca6208e74591221cbc

General
Target: 8a56d6baa1eac6ca6208e74591221cbc.exe
Filesize: 763KB
Completed: 27-07-2021 16:35
Score: 10/10
MD5: 8a56d6baa1eac6ca6208e74591221cbc
SHA1: 9f057b5a90fdcee33dc2fa4f8f3424a3345186dd
SHA256: 61ee3545921c4ddf2a41826b2425dc43b4902353a01798f5516e9afdf4a10d63

Malware Config

Extracted

Family: agenttesla
Credentials
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: chamara.kuruppu@organigram-ca.icu
Password: HELPMEGOD@1321

Signatures 9

Tactics: Discovery, Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                        yara_rule
    behavioral2/memory/3848-126-0x0000000000400000-0x000000000043C000-memory.dmp    family_agenttesla
    behavioral2/memory/3848-127-0x000000000043748E-mapping.dmp                      family_agenttesla
  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource                                                                        yara_rule
    behavioral2/memory/2192-121-0x0000000005190000-0x000000000519B000-memory.dmp    CustAttr
  • Suspicious use of SetThreadContext
    8a56d6baa1eac6ca6208e74591221cbc.exe

    Reported IOCs

    description                           pid   process                               target process
    PID 2192 set thread context of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1972  schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    8a56d6baa1eac6ca6208e74591221cbc.exe

    Reported IOCs

    pid   process
    2192  8a56d6baa1eac6ca6208e74591221cbc.exe
    2192  8a56d6baa1eac6ca6208e74591221cbc.exe
    2192  8a56d6baa1eac6ca6208e74591221cbc.exe
    3848  8a56d6baa1eac6ca6208e74591221cbc.exe
    3848  8a56d6baa1eac6ca6208e74591221cbc.exe
  • Suspicious use of AdjustPrivilegeToken
    8a56d6baa1eac6ca6208e74591221cbc.exe

    Reported IOCs

    description                pid   process
    Token: SeDebugPrivilege    2192  8a56d6baa1eac6ca6208e74591221cbc.exe
    Token: SeDebugPrivilege    3848  8a56d6baa1eac6ca6208e74591221cbc.exe
  • Suspicious use of WriteProcessMemory
    8a56d6baa1eac6ca6208e74591221cbc.exe

    Reported IOCs

    description                        pid   process                               target process
    PID 2192 wrote to memory of 1972   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  schtasks.exe
    PID 2192 wrote to memory of 1972   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  schtasks.exe
    PID 2192 wrote to memory of 1972   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  schtasks.exe
    PID 2192 wrote to memory of 1092   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 1092   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 1092   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
    PID 2192 wrote to memory of 3848   2192  8a56d6baa1eac6ca6208e74591221cbc.exe  8a56d6baa1eac6ca6208e74591221cbc.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe
    "C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wfjFhTUFwiTLXg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6080.tmp"
      Creates scheduled task(s)
      PID:1972
    • C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe
      "C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe"
      PID:1092
    • C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe
      "C:\Users\Admin\AppData\Local\Temp\8a56d6baa1eac6ca6208e74591221cbc.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3848
Network

MITRE ATT&CK Matrix
Tactics (matrix columns): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8a56d6baa1eac6ca6208e74591221cbc.exe.log
    MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
    SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
    SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
    SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

  • C:\Users\Admin\AppData\Local\Temp\tmp6080.tmp
    MD5: c0d0a50ecea5dbdfde26c1f0f11ce663
    SHA1: 4c5cca03fe37b057188a3e5c21af1e33e599f1c3
    SHA256: ff4df6337bda84bb39afa095d47a47305ffd9eb32a19c6142da367e65771079b
    SHA512: 68569665fcc7e0e559fff097a3ba91c07a55782d01f68e1ef6eee1c18da4ff20c09b2371f0efbf95319f68abbda91ac27d0705e81093e8b1b0135e29c802e92b
