fda.exe

max time kernel139s
max time network112s
platformwindows10_x64
resourcewin10v20210408
submitted27-07-2021 15:03

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

fda.exe

Filesize

909KB

Completed

27-07-2021 15:05

Score

10^/10

MD5

9988685bdb69c34939c270df2eff6d47

SHA1

b4aa67fe963f14a8ac6220d8953960a86d7bcdd1

SHA256

f367ab08d8884ebda2ca7101fa509d1216f66c9e788d1b729ce605959f2f57ca

Extracted

Family	agenttesla
Credentials	Protocol: smtp Host: smtp.vivaldi.net Port: 587 Username: faithkingsley@vivaldi.net Password: kingsofkings123

Defense Evasion

Discovery

Persistence

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Reported IOCs

resource	yara_rule
behavioral2/memory/3820-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3820-127-0x000000000043782E-mapping.dmp	family_agenttesla

Drops file in Drivers directory
RegSvcs.exe

Reported IOCs

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Adds Run key to start application

RegSvcs.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLxES = "C:\\Users\\Admin\\AppData\\Roaming\\DLxES\\DLxES.exe"	RegSvcs.exe

Suspicious use of SetThreadContext
fda.exe

Reported IOCs

description pid process target process

PID 776 set thread context of 3820 776 fda.exe RegSvcs.exe
Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

2124 schtasks.exe
Suspicious behavior: EnumeratesProcesses
fda.exeRegSvcs.exe

Reported IOCs

pid process

776 fda.exe
3820 RegSvcs.exe
3820 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken
fda.exeRegSvcs.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 776 fda.exe
Token: SeDebugPrivilege 3820 RegSvcs.exe
Suspicious use of SetWindowsHookEx
RegSvcs.exe

Reported IOCs

pid process

3820 RegSvcs.exe

description	pid	process	target process
PID 776 set thread context of 3820	776	fda.exe	RegSvcs.exe

pid	process
2124	schtasks.exe

pid	process
776	fda.exe
3820	RegSvcs.exe
3820	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	776	fda.exe
Token: SeDebugPrivilege	3820	RegSvcs.exe

pid	process
3820	RegSvcs.exe

Suspicious use of WriteProcessMemory

fda.exe

Reported IOCs

description	pid	process	target process
PID 776 wrote to memory of 2124	776	fda.exe	schtasks.exe
PID 776 wrote to memory of 2124	776	fda.exe	schtasks.exe
PID 776 wrote to memory of 2124	776	fda.exe	schtasks.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe
PID 776 wrote to memory of 3820	776	fda.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fda.exe

"C:\Users\Admin\AppData\Local\Temp\fda.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:776

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XwsFwyhNyFwyE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp"

Creates scheduled task(s)

PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Drops file in Drivers directory
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx

PID:3820

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp
MD5
153e86c8b27e44232359812a3e52cbb4

SHA1
f5d8430fbffd44992228740e4a857f4ae20cb947

SHA256
6475d0d31ec237b57c756796ab0a1cefe53279de62fa80bc069719dcce17c248

SHA512
d6ff85c1424d12f384df870629a72a8c75600110adb8a71d5bc1e9a80fab2b94370c67a5186f7a035755413876d723e07a4abe92db2bb501460d8e8b3b94aa13

Download Submit
memory/776-116-0x00000000055B0000-0x00000000055B1000-memory.dmp

Download
memory/776-117-0x0000000005150000-0x0000000005151000-memory.dmp

Download
memory/776-118-0x00000000050B0000-0x00000000055AE000-memory.dmp

Download
memory/776-119-0x00000000050E0000-0x00000000050E1000-memory.dmp

Download
memory/776-120-0x0000000007760000-0x0000000007761000-memory.dmp

Download
memory/776-121-0x0000000005240000-0x0000000005242000-memory.dmp

Download
memory/776-122-0x00000000073F0000-0x00000000074A6000-memory.dmp

Download
memory/776-123-0x000000000A040000-0x000000000A0B2000-memory.dmp

Download
memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

Download
memory/2124-124-0x0000000000000000-mapping.dmp

Download
memory/3820-126-0x0000000000400000-0x000000000043C000-memory.dmp

Download
memory/3820-127-0x000000000043782E-mapping.dmp

Download
memory/3820-132-0x0000000004E30000-0x0000000004E31000-memory.dmp

Download
memory/3820-133-0x00000000052E0000-0x00000000052E1000-memory.dmp

Download
memory/3820-134-0x0000000005A90000-0x0000000005A91000-memory.dmp

Download
memory/3820-137-0x0000000004E31000-0x0000000004E32000-memory.dmp

Download

fda.exe

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Description

TTPs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title