attached TT PDF.exe

General

Target: attached TT PDF.exe
Filesize: 789KB
Completed: 27-07-2021 16:10
Score: 10/10
MD5: 891f97173c0a90ed3d336e303908b38a
SHA1: 49a4e10a12d5aec836cc2b1cfcfce3784446929b
SHA256: 2f25825c264a731f59bdee108cdd8fdf062501404952294c7fdbd4e46d4ccc7e

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: mail.esquiresweaters.com
Port: 587
Username: imam@esquiresweaters.com
Password: Esquire@#2078

Signatures 8

Discovery
Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1112-69-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1112-70-0x000000000043766E-mapping.dmp | family_agenttesla
    behavioral1/memory/1112-71-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • Suspicious use of SetThreadContext
    attached TT PDF.exe

    Reported IOCs

    description | pid | process | target process
    PID 2004 set thread context of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1388 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    attached TT PDF.exe

    Reported IOCs

    pid | process
    1112 | attached TT PDF.exe
    1112 | attached TT PDF.exe
  • Suspicious use of AdjustPrivilegeToken
    attached TT PDF.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1112 | attached TT PDF.exe
  • Suspicious use of WriteProcessMemory
    attached TT PDF.exe

    Reported IOCs

    description | pid | process | target process
    PID 2004 wrote to memory of 1388 | 2004 | attached TT PDF.exe | schtasks.exe
    PID 2004 wrote to memory of 1388 | 2004 | attached TT PDF.exe | schtasks.exe
    PID 2004 wrote to memory of 1388 | 2004 | attached TT PDF.exe | schtasks.exe
    PID 2004 wrote to memory of 1388 | 2004 | attached TT PDF.exe | schtasks.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
    PID 2004 wrote to memory of 1112 | 2004 | attached TT PDF.exe | attached TT PDF.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VzKaRFUJOv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp"
      Creates scheduled task(s)
      PID:1388
    • C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1112
Network

MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp
    MD5: 7cd71f127387467ade05da833cd78950
    SHA1: f3cad96de7c396d8bdfdccf710239243f5462ea0
    SHA256: 7fc96abcd8210ac9964a465da1a1a5338ee8eccd13c356ecb8303b29301859a2
    SHA512: 10da59b1de0eb6fc7eac678e6cbb8992c73759b8f2f14ffb1ac37894165d5a79387e6e50e244469b2ec227660e5d05cc7a6bfbd74d58cdd9ca74d2ee964fb02d
  • memory/1112-69-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1112-70-0x000000000043766E-mapping.dmp
  • memory/1112-71-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1112-73-0x0000000004A20000-0x0000000004A21000-memory.dmp
  • memory/1388-67-0x0000000000000000-mapping.dmp
  • memory/2004-60-0x00000000002C0000-0x00000000002C1000-memory.dmp
  • memory/2004-62-0x0000000002100000-0x00000000021BB000-memory.dmp
  • memory/2004-63-0x0000000004B10000-0x0000000004B11000-memory.dmp
  • memory/2004-64-0x0000000000240000-0x000000000025B000-memory.dmp
  • memory/2004-65-0x0000000004B50000-0x0000000004BD3000-memory.dmp
  • memory/2004-66-0x0000000000790000-0x00000000007CE000-memory.dmp