Overview

overview

10

Static

static

Ord 2354 png.exe

windows7_x64

10

Ord 2354 png.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ord 2354 png.exe

  • Size

    841KB

  • MD5

    48af5cf24f8c7fc448ecbfd55d18f426

  • SHA1

    e3cf38df72fda964da45323b60bc9bd88abbee15

  • SHA256

    4e9cbaacb1aaed119e375ac6799f97162442f24a14785e2371b44c5e76125abb

  • SHA512

    378572ffde0731fd3e27761be19741548b3d82d6208542c124f4db415380453d67cec00b297932e8f7a2a02c784c289a62fee1df859372da0eccabdd1ccb30f2

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.palletsolutions.ca
  • Port:
    587
  • Username:
    eloglogs@palletsolutions.ca
  • Password:
    h~Q+QV.(M2?!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
    "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIorvZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3712
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
      "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    262ca81b109946e125b27601b13338c0

    SHA1

    f7621f857ddb5244e5957578685c6d294ad83ef6

    SHA256

    672b5dd55d5a205cff0a8adb596cffb60ca414df135b63e7973ce29214177af5

    SHA512

    791f36a6ba7f38b9d3dd6e54b80e5daf61a5b74bd76fa3209e3d0c062790a7eb27fba61be558c4706535927db03737b8c1f54af2c559752e3b9d6039185afc36

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpFEF.tmp
    MD5

    6ed16b7f224a02ba19eac1f15495ae49

    SHA1

    7fefe74ae7fcb535569c51d7419a9682001019c2

    SHA256

    e076e5c8a12b49cf88dacf42c171797f21a28157358c835a39048dfc43892faf

    SHA512

    629c40ad959e661394addeaed7bec4a701a255dc1eca627404eb2c715a518a9a65af3527f1dfc014fcf4050558299a6fff4dbaa16871a73fa4ba1cf3fa8e8fc2

    Download Submit
  • memory/916-171-0x0000000008A30000-0x0000000008A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-124-0x0000000000000000-mapping.dmp
    Download
  • memory/916-145-0x00000000080F0000-0x00000000080F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-230-0x000000007E6D0000-0x000000007E6D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-139-0x0000000007940000-0x0000000007941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-208-0x00000000097B0000-0x00000000097B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-191-0x00000000097D0000-0x0000000009803000-memory.dmp
    Filesize

    204KB

    Download
  • memory/916-138-0x0000000004F82000-0x0000000004F83000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-162-0x00000000080C0000-0x00000000080C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-128-0x0000000004F20000-0x0000000004F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-129-0x00000000079B0000-0x00000000079B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-277-0x0000000004F83000-0x0000000004F84000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-165-0x0000000008B30000-0x0000000008B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-136-0x00000000078A0000-0x00000000078A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-137-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2156-140-0x0000000006620000-0x0000000006621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-141-0x0000000006622000-0x0000000006623000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-221-0x00000000089F0000-0x00000000089F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-280-0x0000000006623000-0x0000000006624000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-232-0x000000007E580000-0x000000007E581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2652-168-0x00000000067D0000-0x00000000067D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2652-170-0x00000000067D2000-0x00000000067D3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2652-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2652-284-0x00000000067D3000-0x00000000067D4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2652-234-0x000000007EBB0000-0x000000007EBB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-123-0x0000000007460000-0x000000000749D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/3624-118-0x0000000005770000-0x0000000005771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-114-0x0000000000D10000-0x0000000000D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-125-0x0000000009850000-0x0000000009851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-116-0x0000000005A90000-0x0000000005A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-122-0x0000000008D50000-0x0000000008DD2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3624-121-0x0000000005A30000-0x0000000005A4B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3624-120-0x0000000005590000-0x0000000005A8E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3624-117-0x0000000005630000-0x0000000005631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3624-119-0x0000000005620000-0x0000000005621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3712-131-0x0000000000000000-mapping.dmp
    Download
  • memory/4008-167-0x0000000005360000-0x000000000585E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4008-147-0x00000000004375EE-mapping.dmp
    Download
  • memory/4008-146-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download