Analysis
max time kernel: 112s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 27-07-2021 16:08
Static task: static1
Behavioral task: behavioral1
  Sample: attached TT PDF.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: attached TT PDF.exe
  Resource: win10v20210410
General
Target: attached TT PDF.exe
Size: 789KB
MD5: 891f97173c0a90ed3d336e303908b38a
SHA1: 49a4e10a12d5aec836cc2b1cfcfce3784446929b
SHA256: 2f25825c264a731f59bdee108cdd8fdf062501404952294c7fdbd4e46d4ccc7e
SHA512: b5c3168d1ded6eeee2b364f9d0aa3e45f60c630d353d6d1178f84e784783def83ed9512069fdb04821150cb04344f0b2e17088033ecddb15709615bca947eed3
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.esquiresweaters.com
Port: 587
Username: imam@esquiresweaters.com
Password: Esquire@#2078
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (3 IoCs)
Processes:
  resource                                                                     | yara_rule
  behavioral2/memory/3180-127-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/3180-128-0x000000000043766E-mapping.dmp                   | family_agenttesla
  behavioral2/memory/3180-134-0x00000000054D0000-0x00000000059CE000-memory.dmp | family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                        | pid | process             | target process
  PID 508 set thread context of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid  | process
  508  | attached TT PDF.exe
  508  | attached TT PDF.exe
  508  | attached TT PDF.exe
  3180 | attached TT PDF.exe
  3180 | attached TT PDF.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 508  | attached TT PDF.exe
  Token: SeDebugPrivilege | 3180 | attached TT PDF.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                     | pid | process             | target process
  PID 508 wrote to memory of 3744 | 508 | attached TT PDF.exe | schtasks.exe
  PID 508 wrote to memory of 3744 | 508 | attached TT PDF.exe | schtasks.exe
  PID 508 wrote to memory of 3744 | 508 | attached TT PDF.exe | schtasks.exe
  PID 508 wrote to memory of 2132 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 2132 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 2132 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
  PID 508 wrote to memory of 3180 | 508 | attached TT PDF.exe | attached TT PDF.exe
Processes
C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VzKaRFUJOv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B59.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
  C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\attached TT PDF.exe.log
  MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
  SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
  SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
  SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
C:\Users\Admin\AppData\Local\Temp\tmp1B59.tmp
  MD5: e418da51cfc664739cff2aeaedce429e
  SHA1: 4cd76af0b9a9aa492dfb0559bf290e162945d65e
  SHA256: 2231e4c37f8775a54ee6e9016b9ab72e370196a95f482df8574f808fc494401c
  SHA512: d8b1248cded0fedc43afabb87e06c0fa47d9099ea371e88b42c9ffe643d9fb9619a7f44bf40e59da1625b0512df4f213699953fa2f334247d79bd61452243733
memory/508-123-0x0000000001220000-0x00000000012A3000-memory.dmp
  Filesize: 524KB
memory/508-124-0x00000000012B0000-0x00000000012EE000-memory.dmp
  Filesize: 248KB
memory/508-119-0x000000000A890000-0x000000000A891000-memory.dmp
  Filesize: 4KB
memory/508-120-0x00000000053C0000-0x00000000053C1000-memory.dmp
  Filesize: 4KB
memory/508-121-0x0000000004D30000-0x0000000004D31000-memory.dmp
  Filesize: 4KB
memory/508-122-0x00000000053E0000-0x00000000053FB000-memory.dmp
  Filesize: 108KB
memory/508-114-0x0000000000920000-0x0000000000921000-memory.dmp
  Filesize: 4KB
memory/508-118-0x000000000A750000-0x000000000A751000-memory.dmp
  Filesize: 4KB
memory/508-116-0x0000000005190000-0x000000000524B000-memory.dmp
  Filesize: 748KB
memory/508-117-0x000000000AC50000-0x000000000AC51000-memory.dmp
  Filesize: 4KB
memory/3180-127-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
memory/3180-128-0x000000000043766E-mapping.dmp
memory/3180-134-0x00000000054D0000-0x00000000059CE000-memory.dmp
  Filesize: 5.0MB
memory/3180-135-0x0000000005950000-0x0000000005951000-memory.dmp
  Filesize: 4KB
memory/3180-136-0x0000000006230000-0x0000000006231000-memory.dmp
  Filesize: 4KB
memory/3744-125-0x0000000000000000-mapping.dmp