Analysis
- Max time kernel: 126s
- Max time network: 152s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 27-07-2021 15:04
Static task: static1
Behavioral task: behavioral1
- Sample: fda.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: fda.exe
- Resource: win10v20210410
General
- Target: fda.exe
- Size: 840KB
- MD5: 8222e7bd5783b30d0a64b6f9e1aec2ab
- SHA1: f8a8ba5d2dcffffe488c345134e324c97652d000
- SHA256: d19edc2ae1e9d8c99b477c45960499e400afaad377a85475af9eebfc752cecd0
- SHA512: e48b583915e4102173de672435af083ede63979030358dc60976f418ea0f860621c9d618733f694c8fd6e1bba6f8406ce587db4548262e0cac98e9cef67ed56a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.vivaldi.net
- Port: 587
- Username: faithkingsley@vivaldi.net
- Password: kingsofkings123
The exfiltration channel is an ordinary mailbox: the credentials are hard-coded in the sample and stolen data is sent as e-mail through the Vivaldi submission service on TCP 587. Since 587 is normally upgraded to TLS with STARTTLS, the message body is not inspectable on the wire; detection has to key on the connection itself, i.e. a non-mail process (here the hollowed RegSvcs.exe) connecting to smtp.vivaldi.net:587.
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic).
-
AgentTesla Payload (4 IoCs)
The YARA rule family_agenttesla matched in these memory regions of PID 3812, the hollowed RegSvcs.exe:
- behavioral2/memory/3812-126-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral2/memory/3812-127-0x000000000043782E-mapping.dmp
- behavioral2/memory/3812-132-0x00000000051E0000-0x00000000056DE000-memory.dmp
- behavioral2/memory/3812-137-0x00000000051E0000-0x00000000056DE000-memory.dmp
Drops file in Drivers directory (1 IoC)
- RegSvcs.exe (PID 3812): file opened for modification: C:\Windows\system32\drivers\etc\hosts
Adds Run key to start application (2 TTPs, 1 IoC)
- RegSvcs.exe (PID 3812): set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLxES = "C:\\Users\\Admin\\AppData\\Roaming\\DLxES\\DLxES.exe"
Suspicious use of SetThreadContext (1 IoC)
- fda.exe (PID 2256) set thread context of PID 3812 (RegSvcs.exe)
Read together with the WriteProcessMemory events below, this is the process-hollowing pattern: the loader starts a legitimate, signed .NET Framework binary, overwrites its memory with the payload, then redirects the suspended main thread into it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for an Agent Tesla sample it is better explained as drive enumeration during reconnaissance and data theft, since the family does not encrypt files.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here fda.exe (PID 2256) ran schtasks.exe (PID 3968) to create the task Updates\KDJpNdSGbsgn from an XML definition staged in %TEMP% (see the process tree).
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- 2256 fda.exe
- 3812 RegSvcs.exe
- 3812 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- 2256 fda.exe: Token: SeDebugPrivilege
- 3812 RegSvcs.exe: Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
- 3812 RegSvcs.exe
A Windows hook installed from the injected payload, not from the genuine RegSvcs.exe code, is consistent with Agent Tesla's keylogging.
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2256 (fda.exe) wrote to memory of PID 3968 (schtasks.exe): 3 events
- PID 2256 (fda.exe) wrote to memory of PID 3812 (RegSvcs.exe): 8 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\fda.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fda.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\schtasks.exe (level 2, child of fda.exe)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KDJpNdSGbsgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFFC.tmp"
  - Creates scheduled task(s)
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, child of fda.exe)
  Command line: "{path}"
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Two details of the tree are worth noting. The loader is 32-bit: the command line names C:\Windows\System32\schtasks.exe but the image that actually ran is C:\Windows\SysWOW64\schtasks.exe (WOW64 file-system redirection), and the hollowed host is RegSvcs.exe from Framework, not Framework64. The RegSvcs.exe command line is the literal string "{path}" as recorded; a legitimate RegSvcs.exe invocation takes the path of an assembly to register, so a RegSvcs.exe process whose entire command line is "{path}" is a cheap hunting pivot for this loader.
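Each signature above is weak on its own (any installer writes to the child it spawns; plenty of software sets a Run key), but in combination they form the .NET process-hollowing chain followed by user-level persistence. The script below is an added example, not code from the sandbox or from this report: it reconstructs the rows of the WriteProcessMemory, SetThreadContext, Run key, schtasks and hosts-file signatures as constructed input strings and turns them into a triage verdict. The event line format, the list of injection host binaries and the write-count threshold are assumptions made for the example.

```python
"""
Turn the API-level signals in this report (WriteProcessMemory,
SetThreadContext, Run key, schtasks, hosts file) into a triage verdict.
Added example, not sandbox code. The event strings are constructed to
mirror the signature tables of the report; the line layout, the list of
injection hosts and the write threshold are assumptions made here.
"""
import re
from collections import defaultdict

# Signed Microsoft .NET/utility binaries that .NET loaders commonly hollow
# into. Assumed list; only RegSvcs.exe appears in this report.
HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe",
}

# Constructed from the WriteProcessMemory / SetThreadContext tables:
# 3 writes into schtasks.exe (PID 3968), 8 writes into RegSvcs.exe (PID 3812),
# then one SetThreadContext on RegSvcs.exe.
EVENTS = (
    ["PID 2256 wrote to memory of 3968 2256 fda.exe schtasks.exe"] * 3
    + ["PID 2256 wrote to memory of 3812 2256 fda.exe RegSvcs.exe"] * 8
    + ["PID 2256 set thread context of 3812 2256 fda.exe RegSvcs.exe"]
)

# Constructed from the registry, process-tree and file-write lines of the report.
RUN_KEY_VALUE = r"C:\Users\Admin\AppData\Roaming\DLxES\DLxES.exe"
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KDJpNdSGbsgn" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpAFFC.tmp"'
)
FILE_WRITES = [r"C:\Windows\system32\drivers\etc\hosts"]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def detect_hollowing(events, min_writes=4):
    """Return [(parent_name, child_name, write_count)] for every parent/child
    pair where the parent wrote to the child's memory at least min_writes
    times AND reset the child's thread context AND the child is a known
    injection host. schtasks.exe receives only the few writes of an
    ordinary child and no SetThreadContext, so it is not reported."""
    writes = defaultdict(int)
    ctx_reset = set()
    names = {}
    for ev in events:
        m = WRITE_RE.match(ev)
        if m:
            src, dst, src_name, dst_name = m.groups()
            writes[(src, dst)] += 1
            names[(src, dst)] = (src_name, dst_name)
            continue
        m = CTX_RE.match(ev)
        if m:
            src, dst, src_name, dst_name = m.groups()
            ctx_reset.add((src, dst))
            names[(src, dst)] = (src_name, dst_name)
    hits = []
    for pair, count in writes.items():
        src_name, dst_name = names[pair]
        if (pair in ctx_reset and dst_name.lower() in HOLLOWING_HOSTS
                and count >= min_writes):
            hits.append((src_name, dst_name, count))
    return hits


def persistence_findings(run_value, schtasks_cmd, file_writes):
    """Flag the three persistence/tampering artifacts this report shows."""
    findings = []
    # Run key pointing into the user profile: no admin rights needed.
    if re.search(r"\\AppData\\(Roaming|Local)\\", run_value, re.I):
        findings.append("run_key_user_profile")
    # schtasks /Create with the task definition staged in %TEMP%.
    if re.search(r'/Create\b.*?/XML\s+"?[^"]*\\Temp\\', schtasks_cmd, re.I):
        findings.append("schtasks_xml_from_temp")
    # hosts file opened for writing by a process that is not an installer.
    if any(p.lower().endswith(r"\drivers\etc\hosts") for p in file_writes):
        findings.append("hosts_file_tamper")
    return findings


def verdict(events, run_value, schtasks_cmd, file_writes):
    """Combine the injection and persistence signals into one verdict."""
    hollow = detect_hollowing(events)
    persist = persistence_findings(run_value, schtasks_cmd, file_writes)
    return {
        "process_hollowing": hollow,
        "persistence": persist,
        "malicious": bool(hollow) and len(persist) >= 1,
    }


if __name__ == "__main__":
    print(verdict(EVENTS, RUN_KEY_VALUE, SCHTASKS_CMDLINE, FILE_WRITES))
```

Run it directly to print the verdict for the constructed events. The write threshold matters: the three writes into schtasks.exe are what any freshly created child receives, so counting writes alone would flag every process spawn; requiring SetThreadContext on the same child and a known injection host as the target is what separates hollowing from normal process creation. For live telemetry, feed the same functions the process-access and thread-context rows from your EDR rather than the sandbox strings.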
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpAFFC.tmp (the scheduled-task XML passed to schtasks /XML)
- MD5: ce17912e14fff31eaba8136a0ebd1012
- SHA1: 5ed91730c2dd321ea7fa2fc4f93fe2b1e2c5e463
- SHA256: b40f6c8a21db98d8b88f659b45e45a4a99e73c1c467bf76956cb69f4361df8c1
- SHA512: a9d59719d452c714b99c85e8b6e0216862328d8c8383fcb75bef13d0ef85457027ef90084b8b265471c8dea8ccad9e5c9d6679a50391a3f3a7c21d0d1b76d1a8
-
Memory dumps, PID 2256 (fda.exe):
- memory/2256-114-0x0000000000B90000-0x0000000000B91000-memory.dmp (4KB)
- memory/2256-116-0x0000000005920000-0x0000000005921000-memory.dmp (4KB)
- memory/2256-117-0x00000000054C0000-0x00000000054C1000-memory.dmp (4KB)
- memory/2256-118-0x00000000054A0000-0x00000000054A1000-memory.dmp (4KB)
- memory/2256-119-0x0000000005420000-0x000000000591E000-memory.dmp (5.0MB)
- memory/2256-120-0x00000000056D0000-0x00000000056D2000-memory.dmp (8KB)
- memory/2256-121-0x00000000074C0000-0x00000000074C1000-memory.dmp (4KB)
- memory/2256-122-0x0000000007B30000-0x0000000007BCF000-memory.dmp (636KB)
- memory/2256-123-0x000000000A1F0000-0x000000000A24A000-memory.dmp (360KB)
-
Memory dumps, PID 3812 (RegSvcs.exe):
- memory/3812-126-0x0000000000400000-0x000000000043C000-memory.dmp (240KB, family_agenttesla match)
- memory/3812-127-0x000000000043782E-mapping.dmp (family_agenttesla match)
- memory/3812-132-0x00000000051E0000-0x00000000056DE000-memory.dmp (5.0MB, family_agenttesla match)
- memory/3812-133-0x00000000056C0000-0x00000000056C1000-memory.dmp (4KB)
- memory/3812-134-0x0000000005D40000-0x0000000005D41000-memory.dmp (4KB)
- memory/3812-137-0x00000000051E0000-0x00000000056DE000-memory.dmp (5.0MB, family_agenttesla match)
The 0x400000-0x43C000 region of PID 3812 sits at the default 32-bit image base, and the mapping at 0x43782E lies inside it, which is consistent with the injected payload image and the redirected thread entry point set by SetThreadContext; the 240KB dump of that region is the one to pull for unpacked-payload analysis and for extracting the configuration shown above.
-
Memory dumps, PID 3968 (schtasks.exe):
- memory/3968-124-0x0000000000000000-mapping.dmp