Analysis
-
max time kernel
146s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 21:17
Static task
static1
Behavioral task
behavioral1
Sample
Copia de pago jpg.exe
Resource
win7v20210408
General
-
Target
Copia de pago jpg.exe
-
Size
1.1MB
-
MD5
38e13fcd219f49d7cca9c8be57ac6ef0
-
SHA1
637a26e5e069a3262511666304aa07fb3c8cba00
-
SHA256
0ed4dcb3b64eb9b43a02b433a6232b64196bf369c3b2c50ce5342c8e9f4fdcd3
-
SHA512
e046dd4a80d171dff6e33e2eb48425a85f42361d597549b75968ee11a9a076367ef8228958ef259d3a90dc44f40159cfe73f9778c70d5d933d2e5b55b589074e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.palletsolutions.ca - Port:
587 - Username:
eloglogs@palletsolutions.ca - Password:
h~Q+QV.(M2?!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/388-147-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/388-148-0x00000000004375EE-mapping.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Copia de pago jpg.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Copia de pago jpg.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Copia de pago jpg.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Copia de pago jpg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Copia de pago jpg.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Copia de pago jpg.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Copia de pago jpg.exedescription pid process target process PID 3920 set thread context of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
powershell.exepowershell.exeCopia de pago jpg.exeCopia de pago jpg.exepowershell.exepid process 1636 powershell.exe 1636 powershell.exe 2732 powershell.exe 3920 Copia de pago jpg.exe 3920 Copia de pago jpg.exe 3920 Copia de pago jpg.exe 2732 powershell.exe 388 Copia de pago jpg.exe 388 Copia de pago jpg.exe 2288 powershell.exe 1636 powershell.exe 2288 powershell.exe 2732 powershell.exe 2288 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exeCopia de pago jpg.exeCopia de pago jpg.exepowershell.exedescription pid process Token: SeDebugPrivilege 1636 powershell.exe Token: SeDebugPrivilege 2732 powershell.exe Token: SeDebugPrivilege 3920 Copia de pago jpg.exe Token: SeDebugPrivilege 388 Copia de pago jpg.exe Token: SeDebugPrivilege 2288 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Copia de pago jpg.exepid process 388 Copia de pago jpg.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Copia de pago jpg.exedescription pid process target process PID 3920 wrote to memory of 1636 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 1636 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 1636 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2732 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2732 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2732 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2132 3920 Copia de pago jpg.exe schtasks.exe PID 3920 wrote to memory of 2132 3920 Copia de pago jpg.exe schtasks.exe PID 3920 wrote to memory of 2132 3920 Copia de pago jpg.exe schtasks.exe PID 3920 wrote to memory of 2288 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2288 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2288 3920 Copia de pago jpg.exe powershell.exe PID 3920 wrote to memory of 2292 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 2292 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 2292 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe PID 3920 wrote to memory of 388 3920 Copia de pago jpg.exe Copia de pago jpg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mnhgRVvmyYRiXl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mnhgRVvmyYRiXl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA7E.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mnhgRVvmyYRiXl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
68037de51874570004bbd95ce0c53689
SHA1232bd58fbf4e3b8690b20b2a1dac010ee4b809e4
SHA256d25eb742a28d3319016b0c3d5005e3368e5bd2e77a824a5cc1bf107c1cd67805
SHA5123c89aeb3fde00d9fa23508d1b55126abaca17c8a756c1f759265510b9d48fe145b51eee78d3830837eef534e30219456cdee134c33f9d9accec711e687e45004
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
68037de51874570004bbd95ce0c53689
SHA1232bd58fbf4e3b8690b20b2a1dac010ee4b809e4
SHA256d25eb742a28d3319016b0c3d5005e3368e5bd2e77a824a5cc1bf107c1cd67805
SHA5123c89aeb3fde00d9fa23508d1b55126abaca17c8a756c1f759265510b9d48fe145b51eee78d3830837eef534e30219456cdee134c33f9d9accec711e687e45004
-
C:\Users\Admin\AppData\Local\Temp\tmpAA7E.tmpMD5
458a9b3440c1a72efc5b47d2cbbb5a17
SHA14585c9734371559e4b6a0d74a646ab0ed0e7a4d9
SHA256d8f0fc3885542c60ec8358639eb98d6fd1ea289cec7348925ab8737feb86707b
SHA512fa1af184a02c8bf0e4236c13cde40fa1bdf4104395eeac1dd5c55000f62b2e75f36b42af4838724a3c3dd0c29f855acf5b08564c7335a34610b1a93ef0f29cac
-
memory/388-165-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/388-890-0x00000000053E1000-0x00000000053E2000-memory.dmpFilesize
4KB
-
memory/388-148-0x00000000004375EE-mapping.dmp
-
memory/388-147-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1636-129-0x0000000004880000-0x0000000004881000-memory.dmpFilesize
4KB
-
memory/1636-134-0x00000000079E0000-0x00000000079E1000-memory.dmpFilesize
4KB
-
memory/1636-125-0x0000000000000000-mapping.dmp
-
memory/1636-158-0x00000000048D2000-0x00000000048D3000-memory.dmpFilesize
4KB
-
memory/1636-156-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/1636-130-0x0000000007340000-0x0000000007341000-memory.dmpFilesize
4KB
-
memory/1636-235-0x000000007F450000-0x000000007F451000-memory.dmpFilesize
4KB
-
memory/1636-153-0x0000000008580000-0x0000000008581000-memory.dmpFilesize
4KB
-
memory/1636-132-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/1636-166-0x00000000083B0000-0x00000000083B1000-memory.dmpFilesize
4KB
-
memory/1636-136-0x0000000007D10000-0x0000000007D11000-memory.dmpFilesize
4KB
-
memory/1636-151-0x0000000007A70000-0x0000000007A71000-memory.dmpFilesize
4KB
-
memory/1636-241-0x00000000048D3000-0x00000000048D4000-memory.dmpFilesize
4KB
-
memory/2132-133-0x0000000000000000-mapping.dmp
-
memory/2288-146-0x0000000000000000-mapping.dmp
-
memory/2288-291-0x0000000004B03000-0x0000000004B04000-memory.dmpFilesize
4KB
-
memory/2288-237-0x000000007FC70000-0x000000007FC71000-memory.dmpFilesize
4KB
-
memory/2288-161-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/2288-164-0x0000000004B02000-0x0000000004B03000-memory.dmpFilesize
4KB
-
memory/2732-192-0x0000000009860000-0x0000000009893000-memory.dmpFilesize
204KB
-
memory/2732-217-0x0000000009990000-0x0000000009991000-memory.dmpFilesize
4KB
-
memory/2732-162-0x0000000007282000-0x0000000007283000-memory.dmpFilesize
4KB
-
memory/2732-131-0x0000000000000000-mapping.dmp
-
memory/2732-240-0x0000000007283000-0x0000000007284000-memory.dmpFilesize
4KB
-
memory/2732-159-0x0000000007280000-0x0000000007281000-memory.dmpFilesize
4KB
-
memory/2732-232-0x000000007F520000-0x000000007F521000-memory.dmpFilesize
4KB
-
memory/2732-207-0x0000000009620000-0x0000000009621000-memory.dmpFilesize
4KB
-
memory/3920-124-0x00000000092F0000-0x0000000009329000-memory.dmpFilesize
228KB
-
memory/3920-114-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/3920-123-0x0000000009220000-0x000000000929E000-memory.dmpFilesize
504KB
-
memory/3920-122-0x00000000091B0000-0x00000000091CB000-memory.dmpFilesize
108KB
-
memory/3920-126-0x0000000009530000-0x0000000009531000-memory.dmpFilesize
4KB
-
memory/3920-121-0x0000000005770000-0x000000000580C000-memory.dmpFilesize
624KB
-
memory/3920-120-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/3920-119-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/3920-118-0x00000000059A0000-0x00000000059A1000-memory.dmpFilesize
4KB
-
memory/3920-117-0x0000000005E00000-0x0000000005E01000-memory.dmpFilesize
4KB
-
memory/3920-116-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB