Analysis
-
max time kernel
116s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 16:18
General
-
Target
PO_DEA83657-ARF-(QR - 0621).exe
-
Size
943KB
-
MD5
465925dd7f0d7f41b5fff771e3cb8358
-
SHA1
a7aa00da7f562e127c66e0c63b13ddde78fc3b08
-
SHA256
9a5ea80dc3f334116c002ab185a5f54f80c72bcd11fcf5051b0a2e3a7704a3df
-
SHA512
28c8db63e8706692d8350c1bb90b7f3a9ff37f3e66e5e3f96dfff34b7f0b6915525e156d08313e541086e6c1bac94e1c7d00060c83a0ac31354755290de493e5
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.aetheredbs.com - Port:
587 - Username:
purchase1@aetheredbs.com - Password:
AtVywhA4
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEkpoTgSjrLn.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEkpoTgSjrLn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp202B.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEkpoTgSjrLn.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
e76c92e61c898b9e5c1fae768e4a645e
SHA12baf5d2becac13143af0782a5096e2fe26f59c61
SHA25685c23cfd4ac087db31919a488500d5a654f92ff1c8cd8e07a2c2f0fcbcc8b7fc
SHA512089000525cac9147d3bced5c55c3ba546760459a3aa4a813ba7330f96bbdb799f5bd9b30ac98d06daa44e09fdceed9be01c048b7353c48e4c29a9ed822a1346d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
fb9bfee4e61e790bd56627077d5edddd
SHA1f631e610c31bad5fda8c039c29e9d464f12faeea
SHA2569d9acd8d9b97cdf086fec42527fd1b1f549845ed88a95e9a908547c6748b6fca
SHA512e3e059e976b04944ca28aa568a3a2fd4dc317ca14853a4bcde9290576e7b5fc1507df57544ebb0c496f0f86cd52943441b9229371758a3fa282d51579ea1d6bd
-
C:\Users\Admin\AppData\Local\Temp\tmp202B.tmpMD5
b8364310b7eede01f7451d48cdb99d1e
SHA1aa7d41d76181cc72f9cca4ad83a224a15aba6e59
SHA256f758924fd21119347b4c65f137595c2011e5f7d3b4e45bb2bc4feb9c22682172
SHA512255796816837cdd201ccef7ea2990ad6e7fb0ef221a4644888bcdc0f4dd546531aa6a61c4a89c710e8563aed87ebbe4424d7f23144840b50549b9552289ea9f5
-
memory/988-271-0x0000000001263000-0x0000000001264000-memory.dmpFilesize
4KB
-
memory/988-268-0x000000007F9E0000-0x000000007F9E1000-memory.dmpFilesize
4KB
-
memory/988-164-0x0000000001262000-0x0000000001263000-memory.dmpFilesize
4KB
-
memory/988-162-0x0000000001260000-0x0000000001261000-memory.dmpFilesize
4KB
-
memory/988-146-0x0000000000000000-mapping.dmp
-
memory/2148-206-0x0000000009910000-0x0000000009911000-memory.dmpFilesize
4KB
-
memory/2148-159-0x0000000008B90000-0x0000000008B91000-memory.dmpFilesize
4KB
-
memory/2148-128-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/2148-129-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/2148-130-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/2148-131-0x0000000004E32000-0x0000000004E33000-memory.dmpFilesize
4KB
-
memory/2148-262-0x0000000004E33000-0x0000000004E34000-memory.dmpFilesize
4KB
-
memory/2148-215-0x000000007F9C0000-0x000000007F9C1000-memory.dmpFilesize
4KB
-
memory/2148-138-0x00000000078D0000-0x00000000078D1000-memory.dmpFilesize
4KB
-
memory/2148-124-0x0000000000000000-mapping.dmp
-
memory/2148-140-0x0000000007990000-0x0000000007991000-memory.dmpFilesize
4KB
-
memory/2148-144-0x0000000008220000-0x0000000008221000-memory.dmpFilesize
4KB
-
memory/2148-191-0x0000000009950000-0x0000000009983000-memory.dmpFilesize
204KB
-
memory/2148-168-0x0000000008990000-0x0000000008991000-memory.dmpFilesize
4KB
-
memory/2148-155-0x0000000008570000-0x0000000008571000-memory.dmpFilesize
4KB
-
memory/2764-218-0x00000000090A0000-0x00000000090A1000-memory.dmpFilesize
4KB
-
memory/2764-160-0x00000000011B0000-0x00000000011B1000-memory.dmpFilesize
4KB
-
memory/2764-265-0x00000000011B3000-0x00000000011B4000-memory.dmpFilesize
4KB
-
memory/2764-161-0x00000000011B2000-0x00000000011B3000-memory.dmpFilesize
4KB
-
memory/2764-132-0x0000000000000000-mapping.dmp
-
memory/2764-217-0x000000007ECE0000-0x000000007ECE1000-memory.dmpFilesize
4KB
-
memory/3172-120-0x0000000005100000-0x00000000055FE000-memory.dmpFilesize
5.0MB
-
memory/3172-119-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/3172-123-0x0000000007100000-0x000000000713C000-memory.dmpFilesize
240KB
-
memory/3172-114-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/3172-116-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/3172-121-0x00000000054A0000-0x00000000054BB000-memory.dmpFilesize
108KB
-
memory/3172-122-0x0000000007070000-0x00000000070F1000-memory.dmpFilesize
516KB
-
memory/3172-117-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/3172-125-0x0000000009460000-0x0000000009461000-memory.dmpFilesize
4KB
-
memory/3172-118-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/3984-163-0x0000000005240000-0x000000000573E000-memory.dmpFilesize
5.0MB
-
memory/3984-149-0x000000000043789E-mapping.dmp
-
memory/3984-148-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4032-133-0x0000000000000000-mapping.dmp