Analysis

  • max time kernel
    110s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    27-07-2021 14:45

General

  • Target

    Order#732B9_130321 Pdf.exe

  • Size

    938KB

  • MD5

    193cd9e42d452e3523d04654c0ca883f

  • SHA1

    e13557a7ea1c29e4376187eccc9d000290cfb32c

  • SHA256

    d3eb7e966bf389f4139c625dea6d218f0969440101629a0e11302d0e547dee85

  • SHA512

    05425c70d5c785de3f89022f73862f6e568f3b054732ff16d69594268d8417bbdae8cdf0eb6cc98d29177662a2f6e98693f2d8891b9c2ccecda6b147e7e84c92

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.com
  • Port:
    587
  • Username:
    steinlogz@zohomail.com
  • Password:
    JesusChrist007

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GntgGQe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp114F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1008
    • C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe"
      2⤵
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe"
      2⤵
      PID:572
    • C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order#732B9_130321 Pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1), T1053
  • Persistence: Scheduled Task (1), T1053
  • Privilege Escalation: Scheduled Task (1), T1053
  • Discovery: System Information Discovery (1), T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp114F.tmp
    MD5
    658dedee89bda497719df26b27d64c1b
    SHA1
    ac20a3e286c6b356b97a28df6704503c10008eb8
    SHA256
    01f216d8bab72754ea6f007e2e293b2994352d0d361bb224ded3a0eb1e406829
    SHA512
    528d0b346eef03cfcc9232b4c7151a368ca6ebc3072246927db3a4a82b93b43db6772f16db4de2504fdae1a38cb567972db6da90894bd5c20d1b987d651d2e1c

  • memory/740-69-0x00000000004375DE-mapping.dmp
  • memory/740-68-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB

  • memory/740-70-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB

  • memory/740-72-0x00000000049E0000-0x00000000049E1000-memory.dmp
    Filesize
    4KB

  • memory/1008-66-0x0000000000000000-mapping.dmp
  • memory/1420-60-0x00000000012C0000-0x00000000012C1000-memory.dmp
    Filesize
    4KB

  • memory/1420-62-0x0000000000E50000-0x0000000000E51000-memory.dmp
    Filesize
    4KB

  • memory/1420-63-0x0000000000510000-0x000000000052B000-memory.dmp
    Filesize
    108KB

  • memory/1420-64-0x0000000005EB0000-0x0000000005F31000-memory.dmp
    Filesize
    516KB

  • memory/1420-65-0x0000000000A50000-0x0000000000A8C000-memory.dmp
    Filesize
    240KB