fda.exe

General
Target:    fda.exe
Filesize:  909KB
Completed: 27-07-2021 15:05
Score:     10/10
MD5:       9988685bdb69c34939c270df2eff6d47
SHA1:      b4aa67fe963f14a8ac6220d8953960a86d7bcdd1
SHA256:    f367ab08d8884ebda2ca7101fa509d1216f66c9e788d1b729ce605959f2f57ca

Malware Config

Extracted
Family:   agenttesla

Credentials
Protocol: smtp
Host:     smtp.vivaldi.net
Port:     587
Username: faithkingsley@vivaldi.net
Password: kingsofkings123

Signatures (11)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    Resource                                                                     | YARA rule
    behavioral2/memory/3820-126-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3820-127-0x000000000043782E-mapping.dmp                   | family_agenttesla
  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    Description                  | IOC                                   | Process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
  • Adds Run key to start application
    RegSvcs.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    Description     | IOC                                                                                                                                                                                   | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLxES = "C:\\Users\\Admin\\AppData\\Roaming\\DLxES\\DLxES.exe" | RegSvcs.exe
  • Suspicious use of SetThreadContext
    fda.exe

    Reported IOCs

    Description                        | PID | Process | Target process
    PID 776 set thread context of 3820 | 776 | fda.exe | RegSvcs.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    PID  | Process
    2124 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    fda.exe, RegSvcs.exe

    Reported IOCs

    PID  | Process
    776  | fda.exe
    3820 | RegSvcs.exe
    3820 | RegSvcs.exe
  • Suspicious use of AdjustPrivilegeToken
    fda.exe, RegSvcs.exe

    Reported IOCs

    Description              | PID  | Process
    Token: SeDebugPrivilege  | 776  | fda.exe
    Token: SeDebugPrivilege  | 3820 | RegSvcs.exe
  • Suspicious use of SetWindowsHookEx
    RegSvcs.exe

    Reported IOCs

    PID  | Process
    3820 | RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    fda.exe

    Reported IOCs

    Description                      | PID | Process | Target process
    PID 776 wrote to memory of 2124  | 776 | fda.exe | schtasks.exe
    PID 776 wrote to memory of 2124  | 776 | fda.exe | schtasks.exe
    PID 776 wrote to memory of 2124  | 776 | fda.exe | schtasks.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
    PID 776 wrote to memory of 3820  | 776 | fda.exe | RegSvcs.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\fda.exe
    "C:\Users\Admin\AppData\Local\Temp\fda.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XwsFwyhNyFwyE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp"
      Creates scheduled task(s)
      PID:2124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3820
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp
    MD5:    153e86c8b27e44232359812a3e52cbb4
    SHA1:   f5d8430fbffd44992228740e4a857f4ae20cb947
    SHA256: 6475d0d31ec237b57c756796ab0a1cefe53279de62fa80bc069719dcce17c248
    SHA512: d6ff85c1424d12f384df870629a72a8c75600110adb8a71d5bc1e9a80fab2b94370c67a5186f7a035755413876d723e07a4abe92db2bb501460d8e8b3b94aa13
