MRKU8781602.exe

General

Target: MRKU8781602.exe
Filesize: 612KB
Completed: 27-07-2021 18:38
Score: 10/10
MD5: bbed19abf6b369658b6996317e2e2067
SHA1: b252760938e016ea408efb75cab44defa95a6b17
SHA256: eddc270558f27cf00441f9056ca98264e14708d8202647bb461c371e6db85cdb

Malware Config

Extracted

Family: agenttesla
C2: https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument

The "C2" here is the Telegram Bot API, not attacker-owned infrastructure: stolen data is uploaded with the sendDocument method, and the bot token (bot<id>:<secret>) is embedded in the URL path. Blocking api.telegram.org alone is a blunt instrument; the token is the high-confidence IOC to search for, block on, and report to Telegram.
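To make the extracted C2 actionable, the following added example (not from the report or from any Agent Tesla tooling) parses the Bot API URL into its bot id, secret and method, produces defanged and token-redacted forms for sharing, and scans constructed proxy log lines for the same pattern. The log line layout (method, host, path, bytes sent) is an assumption; the script never contacts Telegram.

```python
"""Turn the Telegram Bot API C2 above into IOCs and hunt for it in proxy logs.

Added example, not from the sandbox report or the AgentTesla family itself.
The proxy log lines below are constructed (METHOD HOST PATH BYTES_SENT) and
their layout is an assumption; nothing here contacts Telegram.
"""
import re
from urllib.parse import urlsplit

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Return bot id, secret, method and full token for a Bot API URL, or None
    if the URL is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    if m is None:
        return None
    info = m.groupdict()
    info["token"] = f"{info['bot_id']}:{info['secret']}"
    # Tokens Telegram issues carry a 35-character secret; a different length
    # usually means a truncated or decoy config rather than a working bot.
    info["secret_len_ok"] = len(info["secret"]) == 35
    return info


def defang(url):
    """hxxps://api[.]telegram[.]org/... form for sharing the IOC safely."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    scheme = "hxxps" if parts.scheme == "https" else "hxxp"
    return f"{scheme}://{host}{parts.path}"


def redact_token(url):
    """Keep the bot id (the stable, searchable part) and hide the secret."""
    return re.sub(r"/bot(\d+):[A-Za-z0-9_-]+/", r"/bot\1:<redacted>/", url)


# Constructed proxy log lines (not real telemetry): METHOD HOST PATH BYTES_SENT
PROXY_LOG = [
    "POST api.telegram.org /bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument 48213",
    "GET www.example.com /index.html 1203",
    "POST api.telegram.org /bot987654321:abc/sendMessage 210",
]


def find_telegram_bot_traffic(lines):
    """Flag every Bot API call; sendDocument with a sizeable upload from a host
    that has no business running a bot is the exfiltration in this sample."""
    hits = []
    for line in lines:
        method, host, path, size = line.split()
        info = parse_telegram_c2(f"https://{host}{path}")
        if info is None:
            continue
        hits.append({"bot_id": info["bot_id"], "method": info["method"],
                     "bytes_sent": int(size), "secret_len_ok": info["secret_len_ok"],
                     "upload": info["method"] == "sendDocument"})
    return hits


if __name__ == "__main__":
    c2 = "https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument"
    print(parse_telegram_c2(c2))
    print(defang(c2))
    print(redact_token(c2))
    for hit in find_telegram_bot_traffic(PROXY_LOG):
        print(hit)
```

The bot id is the part worth pivoting on: it survives token rotation, so a hunt for `/bot1633482536:` in proxy or TLS-inspection logs catches reuse of the same bot even after the secret changes. Legitimate Telegram bots do exist in enterprises, so the detection should weigh the method (sendDocument), the upload size and the requesting process, not the host alone.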

Signatures 11

Tactics: Collection, Credential Access, Discovery, Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET. It harvests saved credentials from browsers, mail clients and FTP clients and exfiltrates them over SMTP, FTP or, as in this sample, the Telegram Bot API.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1016-67-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/1016-68-0x000000000043779E-mapping.dmp                     family_agenttesla
    behavioral1/memory/1016-69-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla

    All three YARA hits are in PID 1016, the second MRKU8781602.exe instance, at 0x00400000-0x0043C000. That region is the unpacked Agent Tesla payload written into the hollowed child, not the on-disk dropper, so it is the dump to carve and analyse.
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of SetThreadContext
    MRKU8781602.exe

    Reported IOCs

    description                          pid   process           target process
    PID 360 set thread context of 1016   360   MRKU8781602.exe   MRKU8781602.exe

    The parent resets the thread context of a child that runs its own image, after writing into that child's memory (see the WriteProcessMemory signature). That combination is process hollowing: the child is created suspended, its image is overwritten with the unpacked payload, and its main thread is pointed at the new entry point before it is resumed.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The signature's stock text calls this likely ransomware behaviour, but no file encryption is reported in this run; for an Agent Tesla sample the drive enumeration fits the stealer's system-information collection.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\gfrZGvetdgc is registered from an XML definition (tmp10D2.tmp) dropped in the user's Temp folder. With /XML the triggers and the action live in the file rather than on the command line, so the schtasks command line alone does not show what the task runs; the dropped XML has to be read.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    564   schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    MRKU8781602.exe

    Reported IOCs

    pid    process
    1016   MRKU8781602.exe
    1016   MRKU8781602.exe
  • Suspicious use of AdjustPrivilegeToken
    MRKU8781602.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1016   MRKU8781602.exe

    SeDebugPrivilege is enabled in PID 1016, the hollowed child that carries the payload, so this is Agent Tesla itself rather than the dropper stub adjusting its token.
  • Suspicious use of WriteProcessMemory
    MRKU8781602.exe

    Reported IOCs

    description                       pid   process           target process    count
    PID 360 wrote to memory of 564    360   MRKU8781602.exe   schtasks.exe      4
    PID 360 wrote to memory of 1016   360   MRKU8781602.exe   MRKU8781602.exe   9

    The handful of writes into schtasks.exe are consistent with what a parent does to any child it starts; the nine writes into 1016, a child running the parent's own image and followed by SetThreadContext on the same process, are the payload being written into the hollowed copy.
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe
    "C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gfrZGvetdgc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10D2.tmp"
      Creates scheduled task(s)
      PID:564
    • C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1016

Reading the tree: PID 360 is the dropper. It registers persistence through schtasks (PID 564) and then starts a second copy of itself (PID 1016), which it hollows and fills with the Agent Tesla payload; the process-enumeration and privilege signatures, and every family YARA hit, belong to 1016. schtasks was requested as C:\Windows\System32\schtasks.exe but ran from C:\Windows\SysWOW64: that is WOW64 file-system redirection, so the dropper is a 32-bit process on a 64-bit guest. "{path}" is the sandbox's placeholder for the child's own image path.
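The two behaviours in this tree that a detection engineer wants rules for are the self-hollowing (parent writes into a child of the same image, then SetThreadContext) and schtasks /Create /XML fed from a user-writable directory. The following added example, not part of the report or its sandbox, encodes both checks over process event records constructed from the tree above (PIDs 360, 564, 1016). The field layout is an assumption modelled on Sysmon-style telemetry, and the parent PID of the top-level process (4000) is invented.

```python
"""Flag the self-injection and schtasks persistence seen in the process tree.

Added example, not part of the sandbox report or its tooling. The event records
are constructed from the report's process tree (PIDs 360, 564, 1016); the field
layout is an assumption modelled on Sysmon-style telemetry, and the ppid of the
top-level process (4000) is invented.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # on-disk image path
    cmdline: str      # command line as logged
    # cross-process API calls made by this pid: (api name, target pid)
    actions: list = field(default_factory=list)


# Constructed from the report's process tree; not real log output.
EVENTS = [
    ProcEvent(360, 4000, r"C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"',
              actions=[("WriteProcessMemory", 564),
                       ("WriteProcessMemory", 1016),
                       ("SetThreadContext", 1016)]),
    ProcEvent(564, 360, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gfrZGvetdgc" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp10D2.tmp"'),
    ProcEvent(1016, 360, r"C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe",
              '"{path}"'),
]

# schtasks /Create ... /XML <file>: capture the task definition path
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"]+)"?', re.IGNORECASE)
# Directories an unprivileged user can write to
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\",
                           re.IGNORECASE)


def find_self_hollowing(events):
    """A parent that writes into a child running its own image and then resets
    the child's thread context is the process-hollowing sequence: the child is
    created suspended, its image is replaced, and execution is redirected."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for parent in events:
        apis_by_target = {}
        for api, target in parent.actions:
            apis_by_target.setdefault(target, set()).add(api)
        for target, apis in apis_by_target.items():
            child = by_pid.get(target)
            if child is None or child.ppid != parent.pid:
                continue
            same_image = child.image.lower() == parent.image.lower()
            if same_image and {"WriteProcessMemory", "SetThreadContext"} <= apis:
                findings.append({"rule": "self_hollowing",
                                 "parent": parent.pid, "child": target})
    return findings


def find_schtasks_persistence(events):
    """schtasks /Create /XML where both the task definition and the process
    that launched schtasks live in user-writable paths."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("schtasks.exe"):
            continue
        m = SCHTASKS_XML.search(e.cmdline)
        if not m:
            continue
        xml_path = m.group(1)
        parent = by_pid.get(e.ppid)
        if (parent is not None and USER_WRITABLE.search(xml_path)
                and USER_WRITABLE.search(parent.image)):
            findings.append({"rule": "schtasks_xml_from_user_dir", "pid": e.pid,
                             "xml": xml_path, "parent_image": parent.image})
    return findings


def analyze(events):
    return find_self_hollowing(events) + find_schtasks_persistence(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The hollowing rule deliberately requires all three conditions (parent-child relation, identical image, write plus SetThreadContext) because each one alone is noisy: parents write into every child they start, and legitimate installers re-launch their own image. The schtasks rule keys on the XML living in a user-writable directory rather than on the task name, since the name (Updates\gfrZGvetdgc) is random per sample.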
Network
MITRE ATT&CK Matrix
Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp10D2.tmp
    MD5: eab2039d34706727b583f93dc5e00aed
    SHA1: 71341df86ff7132dbf4b627d58c543a0508ed7f5
    SHA256: c6b26f51900d0f25c9def58b49e10b1d43f9643100321419c9607c643a2aca4d
    SHA512: 3565627c9790c51f261a5382665f59a96669f994eeafd7606f4f57c4fece6d8c23a4d8a04938c9ba87ce148c51546f112724933c17338ef170382c24ea117aac
  • memory/360-61-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
  • memory/360-62-0x0000000000390000-0x0000000000392000-memory.dmp
  • memory/360-63-0x0000000005F90000-0x000000000600C000-memory.dmp
  • memory/360-64-0x0000000000630000-0x000000000066D000-memory.dmp
  • memory/360-59-0x0000000000C50000-0x0000000000C51000-memory.dmp
  • memory/564-65-0x0000000000000000-mapping.dmp
  • memory/1016-67-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1016-68-0x000000000043779E-mapping.dmp
  • memory/1016-69-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1016-71-0x00000000042A0000-0x00000000042A1000-memory.dmp
  • memory/1016-72-0x00000000042A1000-0x00000000042A2000-memory.dmp

tmp10D2.tmp is the scheduled-task definition passed to schtasks /XML, so its hashes identify the persistence artefact, not a second payload. Of the memory dumps, 1016-67 and 1016-69 (0x00400000-0x0043C000 in the hollowed child) are the ones the family YARA rule matched and are the unpacked Agent Tesla payload; the 360-* dumps are regions of the dropper stub.