Analysis
-
max time kernel
145s -
max time network
38s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-07-2021 21:43
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
Resource
win10v20210410
General
-
Target
SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
-
Size
877KB
-
MD5
62b3afbdddfb88d96f76df2afd3bd8f2
-
SHA1
02d47da3c2f80960e94abbd69a316c0ef9cbc298
-
SHA256
232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495
-
SHA512
4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
uscentral50.myserverhosts.com - Port:
587 - Username:
sales@radheatwaters.com - Password:
waters@789
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/916-65-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/916-66-0x000000000043763E-mapping.dmp family_agenttesla behavioral1/memory/916-67-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
resource yara_rule behavioral1/memory/980-62-0x00000000001C0000-0x00000000001CB000-memory.dmp CustAttr -
Drops file in Drivers directory 1 IoCs
Processes:
RegSvcs.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exedescription pid process target process PID 980 set thread context of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 916 RegSvcs.exe 916 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 916 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exedescription pid process target process PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe PID 980 wrote to memory of 916 980 SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/916-65-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/916-66-0x000000000043763E-mapping.dmp
-
memory/916-67-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/916-69-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/916-70-0x00000000049D1000-0x00000000049D2000-memory.dmpFilesize
4KB
-
memory/980-59-0x00000000013B0000-0x00000000013B1000-memory.dmpFilesize
4KB
-
memory/980-61-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/980-62-0x00000000001C0000-0x00000000001CB000-memory.dmpFilesize
44KB
-
memory/980-63-0x0000000004DF0000-0x0000000004E72000-memory.dmpFilesize
520KB
-
memory/980-64-0x0000000000500000-0x000000000053D000-memory.dmpFilesize
244KB