Analysis
- max time kernel: 122s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 19:38
- Static task: static1
- Behavioral task: behavioral1
  Sample: #$$$!1weF5(1).exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: #$$$!1weF5(1).exe
  Resource: win10v20210408
General
- Target: #$$$!1weF5(1).exe
- Size: 662KB
- MD5: 65c520abdacd8aacdb7f93ed7b00d716
- SHA1: c5ca68ab7ce2e46e0b924acb0365af5f4935847d
- SHA256: b47c11b0e48a16e4e1d861dcb524bf3bcabfe1481853b7d94fb738f635d1d5aa
- SHA512: f369b973656103610c08a054ae50a3ddcccc9aa64acfc9fec9d6e06b5f6cd3d5e3ca2d7b62eda5838452efd0bed8f25f8a9cb9fe430c9ec39749181e24be93ed
Malware Config
- Extracted: agenttesla
  https://api.telegram.org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2296-201-0x000000000043773E-mapping.dmp | family_agenttesla
  behavioral2/memory/2296-200-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/2296-207-0x0000000005670000-0x0000000005B6E000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: #$$$!1weF5(1).exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe\\service.exe.exe" | #$$$!1weF5(1).exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: #$$$!1weF5(1).exe
  description | pid | process | target process
  PID 564 set thread context of 2296 | 564 | #$$$!1weF5(1).exe | #$$$!1weF5(1).exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 4 IoCs)
  Processes: PING.EXE
  pid | process
  1148 | PING.EXE
  3596 | PING.EXE
  2408 | PING.EXE
  200 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: powershell.exe, #$$$!1weF5(1).exe
  pid | process
  1180 | powershell.exe (3 entries)
  3848 | powershell.exe (3 entries)
  2240 | powershell.exe (3 entries)
  3960 | powershell.exe (3 entries)
  564 | #$$$!1weF5(1).exe (2 entries)
  2296 | #$$$!1weF5(1).exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe, #$$$!1weF5(1).exe
  description | pid | process
  Token: SeDebugPrivilege | 1180 | powershell.exe
  Token: SeDebugPrivilege | 3848 | powershell.exe
  Token: SeDebugPrivilege | 2240 | powershell.exe
  Token: SeDebugPrivilege | 3960 | powershell.exe
  Token: SeDebugPrivilege | 564 | #$$$!1weF5(1).exe
  Token: SeDebugPrivilege | 2296 | #$$$!1weF5(1).exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: #$$$!1weF5(1).exe
  pid | process
  2296 | #$$$!1weF5(1).exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: #$$$!1weF5(1).exe, powershell.exe
  description | pid | process | target process
  PID 564 wrote to memory of 1180 | 564 | #$$$!1weF5(1).exe | powershell.exe (3 entries)
  PID 1180 wrote to memory of 1148 | 1180 | powershell.exe | PING.EXE (3 entries)
  PID 564 wrote to memory of 3848 | 564 | #$$$!1weF5(1).exe | powershell.exe (3 entries)
  PID 3848 wrote to memory of 3596 | 3848 | powershell.exe | PING.EXE (3 entries)
  PID 564 wrote to memory of 2240 | 564 | #$$$!1weF5(1).exe | powershell.exe (3 entries)
  PID 2240 wrote to memory of 2408 | 2240 | powershell.exe | PING.EXE (3 entries)
  PID 564 wrote to memory of 3960 | 564 | #$$$!1weF5(1).exe | powershell.exe (3 entries)
  PID 3960 wrote to memory of 200 | 3960 | powershell.exe | PING.EXE (3 entries)
  PID 564 wrote to memory of 2296 | 564 | #$$$!1weF5(1).exe | #$$$!1weF5(1).exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: "C:\Windows\system32\PING.EXE" gooogle.com
      - Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\#$$$!1weF5(1).exe
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads