Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06/08/2021, 13:45

Static task: static1
Behavioral task: behavioral1
- Sample: BL#TELEX-SHIPMENT-POC76120.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: BL#TELEX-SHIPMENT-POC76120.exe
- Resource: win10v20210408
General
- Target: BL#TELEX-SHIPMENT-POC76120.exe
- Size: 838KB
- MD5: 79076256e795c9399e830f1e4f0fe221
- SHA1: 6bc1068223a0238b595bc6b9e145be9aaafea085
- SHA256: bd0328f6be16f7c73f39a16739960a069d4812943cfbc93000bbe2a3eed45039
- SHA512: 3e056a19d0b3bd3227318f635a48ab9d7a1b1373f689a3d4be1b64e19815602209571618ebdc386f5fe072f00706fe17d48598b725f3e28a89b993d98326111a
Malware Config
Extracted
Family: agenttesla
- Protocol: smtp
- Host: mail.themainreport.co.nz
- Port: 587
- Username: [email protected]
- Password: -I;MGhTyL{AQ
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; it harvests credentials and keystrokes from the host and exfiltrates them, in this sample over SMTP using the mailbox in Malware Config above.
- AgentTesla Payload 3 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/240-77-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/240-79-0x000000000043782E-mapping.dmp                     family_agenttesla
  behavioral1/memory/240-80-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
- Downloads MZ/PE file
- Executes dropped EXE 1 IoCs
  pid   Process
  1648  apwxc.exe
- Loads dropped DLL 1 IoCs
  pid   Process
  240   BL#TELEX-SHIPMENT-POC76120.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe"   BL#TELEX-SHIPMENT-POC76120.exe
- Suspicious use of SetThreadContext 1 IoCs
  description                          pid   Process                         procid_target
  PID 1036 set thread context of 240   1036  BL#TELEX-SHIPMENT-POC76120.exe  38
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but the signature is a generic heuristic and is not by itself evidence of encryption activity; the sample here is an Agent Tesla stealer, not ransomware.
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  972  schtasks.exe
  396  schtasks.exe
- Suspicious behavior: EnumeratesProcesses 11 IoCs
  pid   Process
  1148  powershell.exe
  596   powershell.exe
  1036  BL#TELEX-SHIPMENT-POC76120.exe (3 entries)
  240   BL#TELEX-SHIPMENT-POC76120.exe (2 entries)
  836   powershell.exe (2 entries)
  1148  powershell.exe
  596   powershell.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  596   powershell.exe
  Token: SeDebugPrivilege  1148  powershell.exe
  Token: SeDebugPrivilege  1036  BL#TELEX-SHIPMENT-POC76120.exe
  Token: SeDebugPrivilege  240   BL#TELEX-SHIPMENT-POC76120.exe
  Token: SeDebugPrivilege  836   powershell.exe
- Suspicious use of WriteProcessMemory 37 IoCs
  (identical consecutive rows collapsed; the last column gives how many times each row occurred)
  description                        pid   Process                         procid_target  entries
  PID 1036 wrote to memory of 596    1036  BL#TELEX-SHIPMENT-POC76120.exe  29             4
  PID 1036 wrote to memory of 1148   1036  BL#TELEX-SHIPMENT-POC76120.exe  31             4
  PID 1036 wrote to memory of 972    1036  BL#TELEX-SHIPMENT-POC76120.exe  33             4
  PID 1036 wrote to memory of 836    1036  BL#TELEX-SHIPMENT-POC76120.exe  35             4
  PID 1036 wrote to memory of 928    1036  BL#TELEX-SHIPMENT-POC76120.exe  37             4
  PID 1036 wrote to memory of 240    1036  BL#TELEX-SHIPMENT-POC76120.exe  38             9
  PID 240 wrote to memory of 1648    240   BL#TELEX-SHIPMENT-POC76120.exe  40             4
  PID 1648 wrote to memory of 332    1648  apwxc.exe                       41             4
Processes
(bracketed number = depth in the process tree; "cmd" is the logged command line)

- [1] C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe (PID 1036)
      cmd: "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 596)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1148)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\schtasks.exe (PID 972)
        cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp"
        signatures: Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 836)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe (PID 928)
        cmd: "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe (PID 240)
        cmd: "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
        signatures: Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\apwxc.exe (PID 1648)
          cmd: "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
          signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 332)
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1056)
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
      - [4] C:\Windows\SysWOW64\schtasks.exe (PID 396)
            cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp"
            signatures: Creates scheduled task(s)
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 388)
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
      - [4] C:\Users\Admin\AppData\Local\Temp\apwxc.exe (PID 596; this PID was reused after the earlier powershell.exe instance with PID 596 exited)
            cmd: "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
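The process tree above shows three behaviours worth a standing detection rather than a one-off sandbox verdict: PowerShell adding Microsoft Defender exclusions with Add-MpPreference -ExclusionPath, schtasks.exe creating a task from an XML file in %TEMP%, and the sample spawning a second copy of itself that the SetThreadContext/WriteProcessMemory signatures show being written into. The following is an added example, not part of the sandbox report and not code from the Agent Tesla sample: it runs those three checks over constructed process-creation events modelled on the tree (PIDs and paths taken from the report; the event field layout, the parent PID 900 and the benign Get-MpPreference instance are assumptions for the example, not sandbox output).

```python
"""Detection checks for the behaviour chain in this report, run over
constructed process-creation events.  The (pid, ppid, image, cmdline)
layout is an assumption made for this example, not the sandbox's format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed sample modelled on the process tree above.  PID 900 (parent of
# the first process) and the final Get-MpPreference instance are invented as
# controls; everything else is copied from the report.
EVENTS = [
    ProcEvent(1036, 900, r"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    ProcEvent(596, 1036, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    ProcEvent(972, 1036, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp"'),
    ProcEvent(240, 1036, r"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    ProcEvent(1648, 240, r"C:\Users\Admin\AppData\Local\Temp\apwxc.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"'),
    ProcEvent(2000, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
]

# Paths a standard user can write to; anything executed or excluded from there
# deserves a higher severity.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
# Add-MpPreference also takes -ExclusionProcess / -ExclusionExtension; match all three.
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
SCHTASKS_XML = re.compile(r'/Create\b.*/XML\s+"?([^"]+)', re.IGNORECASE)


def rule_defender_exclusion(ev, by_pid):
    """PowerShell adding a Defender exclusion; high if the excluded path is user-writable."""
    if not ev.image.lower().endswith("powershell.exe") or not MP_EXCLUSION.search(ev.cmdline):
        return None
    severity = "high" if USER_WRITABLE.search(ev.cmdline) else "medium"
    return severity, "Defender exclusion added via Add-MpPreference"


def rule_schtasks_xml(ev, by_pid):
    """schtasks /Create /XML with the task definition staged in a user-writable directory."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    m = SCHTASKS_XML.search(ev.cmdline)
    if not m:
        return None
    severity = "high" if USER_WRITABLE.search(m.group(1)) else "low"
    return severity, f"scheduled task created from XML at {m.group(1)}"


def rule_self_spawn(ev, by_pid):
    """A user-writable executable launching a second copy of itself: the
    parent/child pair that SetThreadContext + WriteProcessMemory later turn into hollowing."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
        return "high", "process spawned a copy of itself from a user-writable path"
    return None


RULES = [rule_defender_exclusion, rule_schtasks_xml, rule_self_spawn]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, by_pid):
    """Parent chain for pid, oldest ancestor first, as far as the events allow."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def analyze(events):
    # Keyed on PID only for the example: real telemetry must key on a process
    # GUID, because this very report shows PID 596 reused by a later apwxc.exe.
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit is None:
                continue
            severity, detail = hit
            findings.append({
                "rule": rule.__name__, "severity": severity, "pid": ev.pid, "detail": detail,
                "chain": " -> ".join(f"{_basename(e.image)}({e.pid})" for e in ancestry(ev.pid, by_pid)),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']}: {f['detail']}  ({f['chain']})")
```

The exclusions this sample registers outlive the processes that created them, so on a suspected host the same three artefacts should be checked directly rather than only in process telemetry: the configured Defender exclusions (Get-MpPreference, ExclusionPath property), scheduled tasks under the \Updates\ task folder named in the tree, and the HKCU Run value FsYYqg listed under Signatures. A Defender exclusion for a path under AppData has essentially no legitimate use on an end-user workstation and is a reasonable candidate for an alert on its own, independent of the rest of the chain.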