Analysis
-
max time kernel
96s -
max time network
62s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27-07-2021 16:26
Static task
static1
Behavioral task
behavioral1
Sample
c277827a2afe5d23f11448d75291342c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
c277827a2afe5d23f11448d75291342c.exe
Resource
win10v20210408
General
-
Target
c277827a2afe5d23f11448d75291342c.exe
-
Size
513KB
-
MD5
c277827a2afe5d23f11448d75291342c
-
SHA1
84528fcebd7c5dd3b118dad30bbb3ee30566f98e
-
SHA256
be98f101070d1ef350f5d1768e640f5f23b047f890fde74495e49b9f6fa4d00b
-
SHA512
eadd268f6e0932fcb70be92a55d7af04811943c655ea9abb464f6358fe36f7f34b38d2ee29ec2a36c890987cdbc1f1b694d358f488b1d274d64f3924d957e156
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1805574870:AAHXBVpTNJET3oRosoa2brFL9_G19NkXu8I/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/744-71-0x000000000043773E-mapping.dmp family_agenttesla behavioral1/memory/744-70-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/744-72-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
c277827a2afe5d23f11448d75291342c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe\\service.exe.exe" c277827a2afe5d23f11448d75291342c.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
c277827a2afe5d23f11448d75291342c.exedescription pid process target process PID 1060 set thread context of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
c277827a2afe5d23f11448d75291342c.exec277827a2afe5d23f11448d75291342c.exepid process 1060 c277827a2afe5d23f11448d75291342c.exe 1060 c277827a2afe5d23f11448d75291342c.exe 744 c277827a2afe5d23f11448d75291342c.exe 744 c277827a2afe5d23f11448d75291342c.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
c277827a2afe5d23f11448d75291342c.exec277827a2afe5d23f11448d75291342c.exedescription pid process Token: SeDebugPrivilege 1060 c277827a2afe5d23f11448d75291342c.exe Token: SeDebugPrivilege 744 c277827a2afe5d23f11448d75291342c.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
c277827a2afe5d23f11448d75291342c.exedescription pid process target process PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe PID 1060 wrote to memory of 744 1060 c277827a2afe5d23f11448d75291342c.exe c277827a2afe5d23f11448d75291342c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe"C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exeC:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/744-71-0x000000000043773E-mapping.dmp
-
memory/744-70-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/744-72-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/744-74-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/1060-59-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/1060-61-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/1060-62-0x0000000004B91000-0x0000000004B92000-memory.dmpFilesize
4KB
-
memory/1060-63-0x0000000004B96000-0x0000000004BA7000-memory.dmpFilesize
68KB
-
memory/1060-64-0x0000000002020000-0x0000000002079000-memory.dmpFilesize
356KB
-
memory/1060-69-0x0000000007D30000-0x0000000007DA5000-memory.dmpFilesize
468KB