Analysis

- max time kernel: 117s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 21:10

- Static task: static1
- Behavioral task: behavioral1
- Sample: Ord 2354 png.exe
- Resource: win7v20210408
General

- Target: Ord 2354 png.exe
- Size: 841KB
- MD5: 48af5cf24f8c7fc448ecbfd55d18f426
- SHA1: e3cf38df72fda964da45323b60bc9bd88abbee15
- SHA256: 4e9cbaacb1aaed119e375ac6799f97162442f24a14785e2371b44c5e76125abb
- SHA512: 378572ffde0731fd3e27761be19741548b3d82d6208542c124f4db415380453d67cec00b297932e8f7a2a02c784c289a62fee1df859372da0eccabdd1ccb30f2
Malware Config

Extracted: agenttesla

- Protocol: smtp
- Host: mail.palletsolutions.ca
- Port: 587
- Username: eloglogs@palletsolutions.ca
- Password: h~Q+QV.(M2?!

This is the exfiltration channel: Agent Tesla sends the credentials, keystrokes and screenshots it collects as e-mail through an authenticated SMTP submission (port 587) using a mailbox hard-coded in the payload. The host and account are therefore both a network indicator for this sample and a compromised account on the sender's side.
Signatures

AgentTesla
Agent Tesla is a .NET (Visual Basic) remote access tool (RAT) and information stealer.

AgentTesla Payload (2 IoCs)
Processes:
- behavioral2/memory/4008-147-0x00000000004375EE-mapping.dmp: YARA rule family_agenttesla
- behavioral2/memory/4008-146-0x0000000000400000-0x000000000043C000-memory.dmp: YARA rule family_agenttesla

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Ord 2354 png.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Ord 2354 png.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Ord 2354 png.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Ord 2354 png.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3624 (Ord 2354 png.exe) set thread context of PID 4008 (Ord 2354 png.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample the only drive access shown is the Disk\Enum registry reads above, which is sandbox fingerprinting by an information stealer, not encryption activity.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
- PID 916 powershell.exe (3 events)
- PID 2156 powershell.exe (3 events)
- PID 2652 powershell.exe (3 events)
- PID 3624 Ord 2354 png.exe (1 event)
- PID 4008 Ord 2354 png.exe (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 916 powershell.exe
- Token: SeDebugPrivilege, PID 2156 powershell.exe
- Token: SeDebugPrivilege, PID 3624 Ord 2354 png.exe
- Token: SeDebugPrivilege, PID 4008 Ord 2354 png.exe
- Token: SeDebugPrivilege, PID 2652 powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
- PID 3624 (Ord 2354 png.exe) wrote to memory of PID 916 (powershell.exe), 3 events
- PID 3624 (Ord 2354 png.exe) wrote to memory of PID 2156 (powershell.exe), 3 events
- PID 3624 (Ord 2354 png.exe) wrote to memory of PID 3712 (schtasks.exe), 3 events
- PID 3624 (Ord 2354 png.exe) wrote to memory of PID 2652 (powershell.exe), 3 events
- PID 3624 (Ord 2354 png.exe) wrote to memory of PID 4008 (Ord 2354 png.exe), 8 events
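The three registry checks above are what an analyst usually has to neutralise before the sample will detonate on a lab box. The following script is an added example, not code recovered from the binary or written by the sandbox vendor: it reads the same values the report lists and applies a representative marker list. The VM_KEYS paths are the standard locations of the VirtualBox Guest Additions and VMware Tools keys and are assumed to be what the two "Looks for ..." signatures matched; VM_MARKERS is an assumption about what such loaders compare against, not strings extracted from this sample.

```python
"""Reproduce the registry-based sandbox checks this report attributes to the sample.

Added example, not code recovered from the binary or written by the sandbox vendor.
The three value paths are the ones the report lists; VM_KEYS are the standard
locations of the VirtualBox Guest Additions / VMware Tools keys (assumed to be what
the two "Looks for ..." signatures matched); VM_MARKERS is a representative marker
list, an assumption about what such loaders compare against.
"""

# HKLM values the report shows being queried -> short name used below.
HKLM_VALUES = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "VideoBiosVersion",
    r"SYSTEM\ControlSet001\Services\Disk\Enum\0": "DiskEnum0",
}
# HKLM keys whose mere presence reveals guest tooling (assumed standard paths).
VM_KEYS = (
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
)
# Substrings a loader typically searches for (assumption, not extracted from the sample).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "XEN", "BOCHS",
              "HYPER-V", "PARALLELS", "INNOTEK")


def vm_indicators(values, present_keys=()):
    """Return (where, marker) pairs: one per VM marker found in a value, plus one
    per guest-tooling key present. An empty list means 'looks physical'."""
    hits = []
    for name, data in values.items():
        hay = (data or "").upper()
        hits.extend((name, m) for m in VM_MARKERS if m in hay)
    hits.extend((k, "key present") for k in present_keys if k in VM_KEYS)
    return hits


def looks_like_vm(values, present_keys=()):
    return bool(vm_indicators(values, present_keys))


def read_live():
    """On Windows, read the same values/keys the sample reads; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    values, present = {}, []
    for path, name in HKLM_VALUES.items():
        key_path, _, value_name = path.rpartition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as k:
                data, _ = winreg.QueryValueEx(k, value_name)
        except OSError:
            data = ""
        # REG_MULTI_SZ comes back as a list; flatten so substring search works.
        values[name] = " ".join(data) if isinstance(data, list) else str(data)
    for key in VM_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            present.append(key)
        except OSError:
            pass
    return values, present


# Constructed sample inputs: a stock VirtualBox guest and a physical laptop.
VBOX_GUEST = {
    "SystemBiosVersion": "VBOX - 1 BIOS Version VirtualBox",
    "VideoBiosVersion": "Oracle VM VirtualBox VBE Adapter",
    "DiskEnum0": r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&1a2b3c4d&0&0.0.0",
}
VBOX_KEYS = [r"SOFTWARE\Oracle\VirtualBox Guest Additions"]
PHYSICAL = {
    "SystemBiosVersion": "DELL - 1072009 1.14.0",
    "VideoBiosVersion": "Intel Video BIOS",
    "DiskEnum0": r"SCSI\Disk&Ven_NVMe&Prod_PC611_NVMe_SK_hynix\4&1a2b3c4d&0&000000",
}

if __name__ == "__main__":
    live = read_live()
    if live:
        print("this host:", vm_indicators(*live) or "no VM markers")
    print("constructed VirtualBox guest:", vm_indicators(VBOX_GUEST, VBOX_KEYS))
    print("constructed physical host:", vm_indicators(PHYSICAL))
```

Run it on the analysis VM before detonating: every hit it prints is a value or key to patch (rewrite the BIOS strings, rename the disk device, remove or rename the guest-tools key) so that a check of this kind returns "physical". The same function, fed with values pulled from a host, also doubles as a quick way to confirm why a sample refused to run.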
Processes

C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
  "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIorvZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
    "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the recorded image paths are under SysWOW64 while the command lines name System32, so the parent is a 32-bit process and its children were launched through WOW64 file-system redirection. The three Add-MpPreference calls exclude the original sample and the dropped copy GIorvZ.exe in AppData\Roaming from Defender scanning; Add-MpPreference requires an elevated token, so for a user who is not a local administrator these calls fail and Defender keeps scanning those paths. schtasks registers the task Updates\GIorvZ from the XML dropped as tmpFEF.tmp, which is the persistence mechanism. The last child is a second instance of the sample itself and is the target of the WriteProcessMemory and SetThreadContext calls listed under Signatures: the loader hollows a copy of its own image and runs the unpacked payload there, which is where the family_agenttesla YARA rule matched.
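The process tree contains four patterns worth encoding as detections: a Defender exclusion added for a path under a user profile, a scheduled task created from an XML file in Temp, a 32-bit parent launching tools through WOW64 redirection, and a parent that spawns a copy of its own image, writes into it and retargets a thread (hollowing). The script below is an added example, not the sandbox vendor's code. PROCS and EVENTS are transcribed from this report; assigning each PowerShell/schtasks child its PID follows the order of the WriteProcessMemory table, which is an inference, and the rule names are assumptions.

```python
"""Encode the report's process-level observations as detection rules.

Added example, not the sandbox vendor's code. PROCS/EVENTS are transcribed from
this report; mapping each PowerShell/schtasks child to its PID follows the order
of the WriteProcessMemory table (an inference). Rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # on-disk image as recorded (SysWOW64 => 32-bit child)
    cmdline: str   # command line as recorded


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'

PROCS = [
    Proc(3624, 0, SAMPLE, '"%s"' % SAMPLE),
    Proc(916, 3624, PS_IMG, PS_CMD % SAMPLE),
    Proc(2156, 3624, PS_IMG, PS_CMD % DROP),
    Proc(3712, 3624, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIorvZ" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF.tmp"'),
    Proc(2652, 3624, PS_IMG, PS_CMD % DROP),
    Proc(4008, 3624, SAMPLE, '"%s"' % SAMPLE),
]
# (api, source pid, target pid) from the signature tables. The write into 916 is
# ordinary CreateProcess plumbing and must not trigger the hollowing rule.
EVENTS = [
    ("WriteProcessMemory", 3624, 916),
    ("WriteProcessMemory", 3624, 4008),
    ("SetThreadContext", 3624, 4008),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
MP_EXCLUSION = re.compile(r'Add-MpPreference\s.*-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.I)
SCHTASKS_XML = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\s.*?/XML\s+"?([^"]+)', re.I)


def detect(procs, events):
    """Return (rule, pid) findings for the four patterns this report exhibits."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        m = MP_EXCLUSION.search(p.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(("defender_exclusion_for_user_path", p.pid))
        m = SCHTASKS_XML.search(p.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(("scheduled_task_from_temp_xml", p.pid))
        if p.image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in p.cmdline.lower():
            findings.append(("wow64_redirected_child", p.pid))
    # Self-hollowing: a child with the parent's own image that the parent both
    # writes into and re-points a thread in (WriteProcessMemory + SetThreadContext).
    seen = {}
    for api, src, dst in events:
        seen.setdefault((src, dst), set()).add(api)
    for (src, dst), apis in seen.items():
        parent, child = by_pid.get(src), by_pid.get(dst)
        if (parent and child and child.ppid == src
                and child.image.lower() == parent.image.lower()
                and {"WriteProcessMemory", "SetThreadContext"} <= apis):
            findings.append(("self_process_hollowing", dst))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(PROCS, EVENTS):
        print(f"{rule:34} pid={pid}")
```

The hollowing rule deliberately requires both APIs against a child with the parent's own image: the parent also writes into every PowerShell and schtasks child it starts, and a rule keyed on WriteProcessMemory alone would fire on every CreateProcess. With Sysmon or EDR telemetry the same logic maps onto process-creation events (command line, image, parent) plus whatever cross-process memory events the sensor exposes.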
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  - MD5: 262ca81b109946e125b27601b13338c0
  - SHA1: f7621f857ddb5244e5957578685c6d294ad83ef6
  - SHA256: 672b5dd55d5a205cff0a8adb596cffb60ca414df135b63e7973ce29214177af5
  - SHA512: 791f36a6ba7f38b9d3dd6e54b80e5daf61a5b74bd76fa3209e3d0c062790a7eb27fba61be558c4706535927db03737b8c1f54af2c559752e3b9d6039185afc36

- C:\Users\Admin\AppData\Local\Temp\tmpFEF.tmp
  - MD5: 6ed16b7f224a02ba19eac1f15495ae49
  - SHA1: 7fefe74ae7fcb535569c51d7419a9682001019c2
  - SHA256: e076e5c8a12b49cf88dacf42c171797f21a28157358c835a39048dfc43892faf
  - SHA512: 629c40ad959e661394addeaed7bec4a701a255dc1eca627404eb2c715a518a9a65af3527f1dfc014fcf4050558299a6fff4dbaa16871a73fa4ba1cf3fa8e8fc2

StartupProfileData-NonInteractive is written by powershell.exe itself at start-up (a side effect of the three PowerShell children, not a payload). tmpFEF.tmp is the task definition consumed by the schtasks /XML call in the process tree and is the file to pull if you want the task's trigger and action.
Memory dumps (region dumps carry a size; mapping dumps record an address only):

- memory/916-171-0x0000000008A30000-0x0000000008A31000-memory.dmp (4KB)
- memory/916-124-0x0000000000000000-mapping.dmp
- memory/916-145-0x00000000080F0000-0x00000000080F1000-memory.dmp (4KB)
- memory/916-230-0x000000007E6D0000-0x000000007E6D1000-memory.dmp (4KB)
- memory/916-139-0x0000000007940000-0x0000000007941000-memory.dmp (4KB)
- memory/916-208-0x00000000097B0000-0x00000000097B1000-memory.dmp (4KB)
- memory/916-191-0x00000000097D0000-0x0000000009803000-memory.dmp (204KB)
- memory/916-138-0x0000000004F82000-0x0000000004F83000-memory.dmp (4KB)
- memory/916-162-0x00000000080C0000-0x00000000080C1000-memory.dmp (4KB)
- memory/916-128-0x0000000004F20000-0x0000000004F21000-memory.dmp (4KB)
- memory/916-129-0x00000000079B0000-0x00000000079B1000-memory.dmp (4KB)
- memory/916-277-0x0000000004F83000-0x0000000004F84000-memory.dmp (4KB)
- memory/916-165-0x0000000008B30000-0x0000000008B31000-memory.dmp (4KB)
- memory/916-136-0x00000000078A0000-0x00000000078A1000-memory.dmp (4KB)
- memory/916-137-0x0000000004F80000-0x0000000004F81000-memory.dmp (4KB)
- memory/2156-130-0x0000000000000000-mapping.dmp
- memory/2156-140-0x0000000006620000-0x0000000006621000-memory.dmp (4KB)
- memory/2156-141-0x0000000006622000-0x0000000006623000-memory.dmp (4KB)
- memory/2156-221-0x00000000089F0000-0x00000000089F1000-memory.dmp (4KB)
- memory/2156-280-0x0000000006623000-0x0000000006624000-memory.dmp (4KB)
- memory/2156-232-0x000000007E580000-0x000000007E581000-memory.dmp (4KB)
- memory/2652-168-0x00000000067D0000-0x00000000067D1000-memory.dmp (4KB)
- memory/2652-170-0x00000000067D2000-0x00000000067D3000-memory.dmp (4KB)
- memory/2652-144-0x0000000000000000-mapping.dmp
- memory/2652-284-0x00000000067D3000-0x00000000067D4000-memory.dmp (4KB)
- memory/2652-234-0x000000007EBB0000-0x000000007EBB1000-memory.dmp (4KB)
- memory/3624-123-0x0000000007460000-0x000000000749D000-memory.dmp (244KB)
- memory/3624-118-0x0000000005770000-0x0000000005771000-memory.dmp (4KB)
- memory/3624-114-0x0000000000D10000-0x0000000000D11000-memory.dmp (4KB)
- memory/3624-125-0x0000000009850000-0x0000000009851000-memory.dmp (4KB)
- memory/3624-116-0x0000000005A90000-0x0000000005A91000-memory.dmp (4KB)
- memory/3624-122-0x0000000008D50000-0x0000000008DD2000-memory.dmp (520KB)
- memory/3624-121-0x0000000005A30000-0x0000000005A4B000-memory.dmp (108KB)
- memory/3624-120-0x0000000005590000-0x0000000005A8E000-memory.dmp (5.0MB)
- memory/3624-117-0x0000000005630000-0x0000000005631000-memory.dmp (4KB)
- memory/3624-119-0x0000000005620000-0x0000000005621000-memory.dmp (4KB)
- memory/3712-131-0x0000000000000000-mapping.dmp
- memory/4008-167-0x0000000005360000-0x000000000585E000-memory.dmp (5.0MB)
- memory/4008-147-0x00000000004375EE-mapping.dmp
- memory/4008-146-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
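Of the dumps above, the two that matter for the payload are the ones the family_agenttesla rule matched: the 240KB region at 0x400000 in the hollowed child (PID 4008) and the mapping at 0x4375EE, which lies inside that region. The following script is an added example, not the sandbox's code: it parses dump names in the format this report uses (memory/PID-SEQ-START-END-memory.dmp for a region, memory/PID-SEQ-ADDR-mapping.dmp for a recorded address) and picks out, per process, the region that contains a non-zero mapping address, which is the region to carve the unpacked payload from. The DUMPS list is a subset transcribed from the report.

```python
"""Locate the hollowed payload among the report's memory dumps.

Added example, not the sandbox's code. Dump names follow the pattern shown in the
report: memory/<pid>-<seq>-<start>-<end>-memory.dmp for a region and
memory/<pid>-<seq>-<addr>-mapping.dmp for a recorded address. DUMPS is a subset
transcribed from the report.
"""
import re
from collections import defaultdict

REGION = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")

DUMPS = [  # transcribed from the report (subset)
    "memory/3624-120-0x0000000005590000-0x0000000005A8E000-memory.dmp",
    "memory/3624-122-0x0000000008D50000-0x0000000008DD2000-memory.dmp",
    "memory/3624-123-0x0000000007460000-0x000000000749D000-memory.dmp",
    "memory/3712-131-0x0000000000000000-mapping.dmp",
    "memory/4008-167-0x0000000005360000-0x000000000585E000-memory.dmp",
    "memory/4008-147-0x00000000004375EE-mapping.dmp",
    "memory/4008-146-0x0000000000400000-0x000000000043C000-memory.dmp",
]


def parse(names):
    """Split dump names into {pid: [(start, end)]} and {pid: [addr]}."""
    regions = defaultdict(list)
    mappings = defaultdict(list)
    for n in names:
        m = REGION.fullmatch(n)
        if m:
            regions[int(m[1])].append((int(m[3], 16), int(m[4], 16)))
            continue
        m = MAPPING.fullmatch(n)
        if m:
            mappings[int(m[1])].append(int(m[3], 16))
    return regions, mappings


def region_size_kb(start, end):
    return (end - start) // 1024


def hollowed_payloads(names):
    """Return {pid: (start, end, rva)} for every region that contains a non-zero
    mapping address; rva is the address relative to the region start. A mapping
    at 0x0 (as recorded for schtasks, PID 3712) is a plain process start and is
    skipped, so only the hollowed child is returned for this report."""
    regions, mappings = parse(names)
    out = {}
    for pid, addrs in mappings.items():
        for addr in addrs:
            if addr == 0:
                continue
            for start, end in regions.get(pid, []):
                if start <= addr < end:
                    out[pid] = (start, end, addr - start)
    return out


if __name__ == "__main__":
    for pid, (start, end, rva) in hollowed_payloads(DUMPS).items():
        print(f"pid {pid}: payload region 0x{start:X}-0x{end:X} "
              f"({region_size_kb(start, end)}KB), mapped address at RVA 0x{rva:X}")
```

For this report the result is the 0x400000-0x43C000 region of PID 4008 with the recorded address at RVA 0x375EE, consistent with the SetThreadContext signature: a 32-bit image written to the default base 0x400000 in a hollowed copy of the loader. That dump, rather than the 5.0MB .NET heap region beside it, is the one to feed to a PE rebuilder or to scan with family-level YARA when reproducing the sandbox's verdict.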