attached TT PDF.exe

General

Target: attached TT PDF.exe
Filesize: 789KB
Completed: 27-07-2021 16:10
Score: 10/10
MD5: 891f97173c0a90ed3d336e303908b38a
SHA1: 49a4e10a12d5aec836cc2b1cfcfce3784446929b
SHA256: 2f25825c264a731f59bdee108cdd8fdf062501404952294c7fdbd4e46d4ccc7e

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.esquiresweaters.com
  Port: 587
  Username: imam@esquiresweaters.com
  Password: Esquire@#2078

Signatures 8

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/3180-127-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral2/memory/3180-128-0x000000000043766E-mapping.dmp                     family_agenttesla
    behavioral2/memory/3180-134-0x00000000054D0000-0x00000000059CE000-memory.dmp   family_agenttesla
  • Suspicious use of SetThreadContext
    attached TT PDF.exe

    Reported IOCs

    description                          pid   process              target process
    PID 508 set thread context of 3180   508   attached TT PDF.exe  attached TT PDF.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid    process
    3744   schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    attached TT PDF.exeattached TT PDF.exe

    Reported IOCs

    pid    process
    508    attached TT PDF.exe
    508    attached TT PDF.exe
    508    attached TT PDF.exe
    3180   attached TT PDF.exe
    3180   attached TT PDF.exe
  • Suspicious use of AdjustPrivilegeToken
    attached TT PDF.exeattached TT PDF.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   508    attached TT PDF.exe
    Token: SeDebugPrivilege   3180   attached TT PDF.exe
  • Suspicious use of WriteProcessMemory
    attached TT PDF.exe

    Reported IOCs

    description                         pid   process              target process
    PID 508 wrote to memory of 3744     508   attached TT PDF.exe  schtasks.exe
    PID 508 wrote to memory of 3744     508   attached TT PDF.exe  schtasks.exe
    PID 508 wrote to memory of 3744     508   attached TT PDF.exe  schtasks.exe
    PID 508 wrote to memory of 2132     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 2132     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 2132     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
    PID 508 wrote to memory of 3180     508   attached TT PDF.exe  attached TT PDF.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VzKaRFUJOv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B59.tmp"
      Creates scheduled task(s)
      PID:3744
    • C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
      PID:2132
    • C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\attached TT PDF.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3180
Network

MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\attached TT PDF.exe.log
    MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
    SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
    SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
    SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
  • C:\Users\Admin\AppData\Local\Temp\tmp1B59.tmp
    MD5: e418da51cfc664739cff2aeaedce429e
    SHA1: 4cd76af0b9a9aa492dfb0559bf290e162945d65e
    SHA256: 2231e4c37f8775a54ee6e9016b9ab72e370196a95f482df8574f808fc494401c
    SHA512: d8b1248cded0fedc43afabb87e06c0fa47d9099ea371e88b42c9ffe643d9fb9619a7f44bf40e59da1625b0512df4f213699953fa2f334247d79bd61452243733
  • memory/508-116-0x0000000005190000-0x000000000524B000-memory.dmp
  • memory/508-117-0x000000000AC50000-0x000000000AC51000-memory.dmp
  • memory/508-118-0x000000000A750000-0x000000000A751000-memory.dmp
  • memory/508-120-0x00000000053C0000-0x00000000053C1000-memory.dmp
  • memory/508-121-0x0000000004D30000-0x0000000004D31000-memory.dmp
  • memory/508-122-0x00000000053E0000-0x00000000053FB000-memory.dmp
  • memory/508-123-0x0000000001220000-0x00000000012A3000-memory.dmp
  • memory/508-124-0x00000000012B0000-0x00000000012EE000-memory.dmp
  • memory/508-119-0x000000000A890000-0x000000000A891000-memory.dmp
  • memory/508-114-0x0000000000920000-0x0000000000921000-memory.dmp
  • memory/3180-127-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/3180-128-0x000000000043766E-mapping.dmp
  • memory/3180-134-0x00000000054D0000-0x00000000059CE000-memory.dmp
  • memory/3180-135-0x0000000005950000-0x0000000005951000-memory.dmp
  • memory/3180-136-0x0000000006230000-0x0000000006231000-memory.dmp
  • memory/3744-125-0x0000000000000000-mapping.dmp