Analysis
-
max time kernel
135s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 18:35
Static task
static1
Behavioral task
behavioral1
Sample
MRKU8781602.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
MRKU8781602.exe
Resource
win10v20210410
General
-
Target
MRKU8781602.exe
-
Size
612KB
-
MD5
bbed19abf6b369658b6996317e2e2067
-
SHA1
b252760938e016ea408efb75cab44defa95a6b17
-
SHA256
eddc270558f27cf00441f9056ca98264e14708d8202647bb461c371e6db85cdb
-
SHA512
94021a9caceef74dc3d3bc62e39ca056c71ea8e01683f81cde451187007d3adc6ece3640490be0797c1e2f8e2d54a7ece3a7f528fea08de6b0fa86efd4534579
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2568-126-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/2568-127-0x000000000043779E-mapping.dmp family_agenttesla behavioral2/memory/2568-133-0x0000000005140000-0x000000000563E000-memory.dmp family_agenttesla behavioral2/memory/2568-138-0x0000000005140000-0x000000000563E000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
MRKU8781602.exedescription pid process target process PID 3956 set thread context of 2568 3956 MRKU8781602.exe MRKU8781602.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
MRKU8781602.exeMRKU8781602.exepid process 3956 MRKU8781602.exe 3956 MRKU8781602.exe 2568 MRKU8781602.exe 2568 MRKU8781602.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MRKU8781602.exeMRKU8781602.exedescription pid process Token: SeDebugPrivilege 3956 MRKU8781602.exe Token: SeDebugPrivilege 2568 MRKU8781602.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
MRKU8781602.exedescription pid process target process PID 3956 wrote to memory of 1236 3956 MRKU8781602.exe schtasks.exe PID 3956 wrote to memory of 1236 3956 MRKU8781602.exe schtasks.exe PID 3956 wrote to memory of 1236 3956 MRKU8781602.exe schtasks.exe PID 3956 wrote to memory of 2356 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2356 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2356 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe PID 3956 wrote to memory of 2568 3956 MRKU8781602.exe MRKU8781602.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gfrZGvetdgc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB183.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MRKU8781602.exe.logMD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
C:\Users\Admin\AppData\Local\Temp\tmpB183.tmpMD5
b894872524a9d595ed94e5e1030a6da9
SHA1f3ad129f563e1d4fd44965867d75c7b35bb0a51a
SHA2565078dea09a5b8eda9927d16c0ed504a35ea924a402353c6509beaef57f320944
SHA5124059f1cbec8877b57cd0c377768e9babae908aafb6c1a59e038781073c4461d0bc06439e777d1ba975e7a3ec282810c425756944f2bf00acf4903b20998112d1
-
memory/1236-124-0x0000000000000000-mapping.dmp
-
memory/2568-138-0x0000000005140000-0x000000000563E000-memory.dmpFilesize
5.0MB
-
memory/2568-135-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/2568-134-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/2568-133-0x0000000005140000-0x000000000563E000-memory.dmpFilesize
5.0MB
-
memory/2568-127-0x000000000043779E-mapping.dmp
-
memory/2568-126-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3956-119-0x0000000005880000-0x0000000005D7E000-memory.dmpFilesize
5.0MB
-
memory/3956-123-0x0000000007940000-0x000000000797D000-memory.dmpFilesize
244KB
-
memory/3956-122-0x0000000007A80000-0x0000000007AFC000-memory.dmpFilesize
496KB
-
memory/3956-121-0x0000000008EC0000-0x0000000008EC1000-memory.dmpFilesize
4KB
-
memory/3956-120-0x0000000005AC0000-0x0000000005AC2000-memory.dmpFilesize
8KB
-
memory/3956-114-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/3956-118-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/3956-117-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/3956-116-0x0000000005D80000-0x0000000005D81000-memory.dmpFilesize
4KB