Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06/08/2021, 13:45
Static task: static1
Behavioral task: behavioral1
- Sample: BL#TELEX-SHIPMENT-POC76120.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: BL#TELEX-SHIPMENT-POC76120.exe
- Resource: win10v20210408
General
- Target: BL#TELEX-SHIPMENT-POC76120.exe
- Size: 838KB
- MD5: 79076256e795c9399e830f1e4f0fe221
- SHA1: 6bc1068223a0238b595bc6b9e145be9aaafea085
- SHA256: bd0328f6be16f7c73f39a16739960a069d4812943cfbc93000bbe2a3eed45039
- SHA512: 3e056a19d0b3bd3227318f635a48ab9d7a1b1373f689a3d4be1b64e19815602209571618ebdc386f5fe072f00706fe17d48598b725f3e28a89b993d98326111a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.themainreport.co.nz
- Port: 587
- Username: [email protected]
- Password: -I;MGhTyL{AQ
Extracted: oski
- Host: fine.le-pearl.com
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).
- Oski: Oski is an infostealer targeting browser data and cryptocurrency wallets.
- AgentTesla Payload (3 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3932-141-0x0000000000400000-0x000000000043C000-memory.dmp    family_agenttesla
  behavioral2/memory/3932-142-0x000000000043782E-mapping.dmp                      family_agenttesla
  behavioral2/memory/3932-154-0x00000000053B0000-0x00000000058AE000-memory.dmp    family_agenttesla
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid    Process
  3016   apwxc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe"
  Process: BL#TELEX-SHIPMENT-POC76120.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                            pid    Process                          procid_target
  PID 664 set thread context of 3932     664    BL#TELEX-SHIPMENT-POC76120.exe   85
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this report it sits alongside two stealer families and no file-encryption activity is recorded, so read it as drive enumeration rather than as a ransomware indicator.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2112   schtasks.exe
  1708   schtasks.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid    Process                          rows
  664    BL#TELEX-SHIPMENT-POC76120.exe   1
  3932   BL#TELEX-SHIPMENT-POC76120.exe   2
  1820   powershell.exe                   3
  2088   powershell.exe                   3
  3848   powershell.exe                   3
  2540   powershell.exe                   1
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   664    BL#TELEX-SHIPMENT-POC76120.exe
  Token: SeDebugPrivilege   3932   BL#TELEX-SHIPMENT-POC76120.exe
  Token: SeDebugPrivilege   1820   powershell.exe
  Token: SeDebugPrivilege   2088   powershell.exe
  Token: SeDebugPrivilege   3848   powershell.exe
  Token: SeDebugPrivilege   2540   powershell.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description                         pid    Process                          procid_target   rows
  PID 664 wrote to memory of 1820     664    BL#TELEX-SHIPMENT-POC76120.exe   78              3
  PID 664 wrote to memory of 2088     664    BL#TELEX-SHIPMENT-POC76120.exe   80              3
  PID 664 wrote to memory of 2112     664    BL#TELEX-SHIPMENT-POC76120.exe   82              3
  PID 664 wrote to memory of 3848     664    BL#TELEX-SHIPMENT-POC76120.exe   84              3
  PID 664 wrote to memory of 3932     664    BL#TELEX-SHIPMENT-POC76120.exe   85              8
  PID 3932 wrote to memory of 3016    3932   BL#TELEX-SHIPMENT-POC76120.exe   88              3
  PID 3016 wrote to memory of 2540    3016   apwxc.exe                        89              3
  PID 3016 wrote to memory of 1280    3016   apwxc.exe                        91              3
  PID 3016 wrote to memory of 1708    3016   apwxc.exe                        93              3
  Every pair is recorded three times except 664 -> 3932, which has eight rows and is also the only pair with a SetThreadContext event. Together with the AgentTesla YARA hits in 3932's memory (starting at the image base 0x400000) this is consistent with process hollowing: 664 launched a second copy of its own image, overwrote it with the payload and redirected the main thread into it.
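The following is an added example, not part of the sandbox report, that turns the WriteProcessMemory and SetThreadContext tables above into a per-pair verdict. The pid-to-image map is transcribed from the process tree and the row counts from the table; the verdict labels and the BASELINE_WRITES threshold are the author's heuristics (in this telemetry an ordinary CreateProcess shows up as a few writes from the parent, so only the combination of extra writes, a matching image path and a SetThreadContext event marks the hollowed child).

```python
"""Classify the WriteProcessMemory and SetThreadContext rows from the tables above.

Added example, not sandbox output. IMAGES is transcribed from the process tree,
WRITES from the WriteProcessMemory table; the verdict strings and BASELINE_WRITES
are the author's heuristics.
"""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# pid -> image path, from the "Processes" tree in the report
IMAGES = {
    664: SAMPLE, 3932: SAMPLE, 3016: DROPPED,
    1820: POWERSHELL, 2088: POWERSHELL, 3848: POWERSHELL,
    2540: POWERSHELL, 1280: POWERSHELL,
    2112: SCHTASKS, 1708: SCHTASKS,
}

# (writer pid, target pid) -> number of "wrote to memory of" rows in the report
WRITES = Counter({
    (664, 1820): 3, (664, 2088): 3, (664, 2112): 3, (664, 3848): 3,
    (664, 3932): 8, (3932, 3016): 3,
    (3016, 2540): 3, (3016, 1280): 3, (3016, 1708): 3,
})

# (writer pid, target pid) for every "set thread context of" row
SET_THREAD_CONTEXT = {(664, 3932)}

# Heuristic (assumption, not a sandbox constant): a plain CreateProcess surfaces
# as a few WriteProcessMemory rows even when nothing is injected.
BASELINE_WRITES = 3

HOLLOWING = "process hollowing: parent re-spawned its own image, overwrote it and redirected the thread"
HIJACK = "thread hijack into a different image"
EXCESS = "excess writes without SetThreadContext: review manually"
NORMAL = "ordinary process creation"


def classify(writer, target, writes=WRITES, images=IMAGES, stc=SET_THREAD_CONTEXT):
    """Verdict for one writer -> target pair."""
    rows = writes[(writer, target)]
    same_image = images[writer].lower() == images[target].lower()
    redirected = (writer, target) in stc
    if redirected and same_image:
        return HOLLOWING
    if redirected:
        return HIJACK
    if rows > BASELINE_WRITES:
        return EXCESS
    return NORMAL


def verdicts(writes=WRITES):
    """Verdict for every pair in the table, keyed by (writer, target)."""
    return {pair: classify(*pair, writes=writes) for pair in writes}


def hollowed_pids(writes=WRITES):
    """Targets whose image was replaced in place; memory YARA hits land here."""
    return {target for (_, target), v in verdicts(writes).items() if v == HOLLOWING}


def total_rows(writes=WRITES):
    return sum(writes.values())


if __name__ == "__main__":
    for (writer, target), verdict in sorted(verdicts().items()):
        print(f"{writer:>5} -> {target:<5} rows={WRITES[(writer, target)]}  {verdict}")
    print("hollowed:", hollowed_pids(), "total rows:", total_rows())
```

Running it reports 664 -> 3932 as the single hollowed pair and every other pair, including 3932 -> 3016 (the dropped apwxc.exe), as ordinary process creation, which matches the sandbox's own attribution of the AgentTesla payload to PID 3932's memory.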
Processes
[1] C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe (PID 664)
    "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1820)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2088)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\schtasks.exe (PID 2112)
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp"
        - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3848)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe (PID 3932)
        "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\apwxc.exe (PID 3016)
            "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2540)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1280)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 1708)
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp"
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4000)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
            [4] C:\Users\Admin\AppData\Local\Temp\apwxc.exe (PID 2940)
                "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

Notes on the tree. The powershell.exe and schtasks.exe images live under SysWOW64 although every command line names System32: the 32-bit parent's reference to System32 is redirected to SysWOW64, so detections keyed on image path must cover both locations. Both stages run the same sequence: add Defender exclusions for the running executable and for the copy it intends to place in AppData\Roaming, then register a scheduled task under Updates\ from an XML file written to %TEMP%. The Run key (FsYYqg) is set by PID 3932, the hollowed process running the AgentTesla payload, and names a different path than the loader's task (apZSuwq), so the two persistence mechanisms come from different layers of the sample. The dropped apwxc.exe (PID 3016) re-launches its own image as PID 2940, the same shape as 664 -> 3932, although the report carries no WriteProcessMemory or SetThreadContext rows for PIDs 4000 or 2940.
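The block below is an added example, not part of the sandbox report, showing detection logic a SOC would run over process-creation telemetry for the two command-line patterns in the tree: Add-MpPreference with an exclusion parameter, and schtasks /Create importing its definition from an XML file in a temp directory. EVENTS is constructed from the command lines above plus two benign schtasks invocations (marked) that must not fire; the rule names and the pid/ppid/image/cmdline field names are the author's, and the rule generalises beyond the report to the cmdlet's sibling parameters -ExclusionProcess and -ExclusionExtension.

```python
"""Command-line detections for the defence-evasion and persistence steps above.

Added example, not sandbox output. EVENTS is constructed from the report's
command lines plus two benign controls; rule and field names are the author's.
"""
import re
from collections import defaultdict

PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
ST_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"
ST_CMD = r'"C:\Windows\System32\schtasks.exe" '


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    # stage 1: children of the loader, PID 664 (from the report)
    ev(1820, 664, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    ev(2088, 664, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\apZSuwq.exe"'),
    ev(2112, 664, ST_IMAGE, ST_CMD + r'/Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp"'),
    ev(3848, 664, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\apZSuwq.exe"'),
    # stage 2: children of the dropped apwxc.exe, PID 3016 (from the report)
    ev(2540, 3016, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"'),
    ev(1280, 3016, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"'),
    ev(1708, 3016, ST_IMAGE, ST_CMD + r'/Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp"'),
    ev(4000, 3016, PS_IMAGE, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"'),
    # constructed benign controls, not from the report: XML outside %TEMP%, and a /Query
    ev(9998, 4444, r"C:\Windows\System32\schtasks.exe",
       r'"C:\Windows\System32\schtasks.exe" /Create /TN "Corp\Inventory" /XML "C:\ProgramData\Corp\inventory.xml"'),
    ev(9999, 4444, r"C:\Windows\System32\schtasks.exe",
       r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\apZSuwq"'),
]

# Add-MpPreference / Set-MpPreference with any exclusion parameter (the report shows
# only -ExclusionPath; Process and Extension are the same cmdlet's sibling parameters).
RE_MPPREF = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
RE_EXCLUSION = re.compile(r'-Exclusion(?P<kind>Path|Process|Extension)\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
# schtasks /Create that imports its task definition from an XML file in a temp directory
RE_CREATE = re.compile(r"(?:^|\s)/Create\b", re.I)
RE_TN = re.compile(r'/TN\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
RE_XML = re.compile(r'/XML\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
RE_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def _value(m):
    """Quoted or bare argument value from a match with groups q and b."""
    return m.group("q") if m.group("q") is not None else m.group("b")


def _wow64(image):
    # A SysWOW64 image is a 32-bit process; its command line may still say System32.
    return "\\syswow64\\" in image.lower()


def detect(events):
    findings = []
    for e in events:
        cmd = e["cmdline"]
        common = {"pid": e["pid"], "ppid": e["ppid"], "wow64": _wow64(e["image"])}
        if RE_MPPREF.search(cmd):
            m = RE_EXCLUSION.search(cmd)
            if m:
                findings.append({**common, "rule": "defender_exclusion",
                                 "detail": f"Exclusion{m.group('kind')}={_value(m)}"})
        if RE_CREATE.search(cmd):
            xml = RE_XML.search(cmd)
            if xml and RE_TEMP_DIR.search(_value(xml)):
                tn = RE_TN.search(cmd)
                findings.append({**common, "rule": "schtasks_xml_temp",
                                 "detail": f"task={_value(tn) if tn else '?'} xml={_value(xml)}"})
    return findings


def suspicious_parents(events):
    """Parents that both tampered with Defender and created a task from %TEMP% XML."""
    rules_by_parent = defaultdict(set)
    for f in detect(events):
        rules_by_parent[f["ppid"]].add(f["rule"])
    return {ppid for ppid, rules in rules_by_parent.items()
            if {"defender_exclusion", "schtasks_xml_temp"} <= rules}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<20} pid={f['pid']:<5} ppid={f['ppid']:<5} wow64={f['wow64']}  {f['detail']}")
    print("parents combining both:", sorted(suspicious_parents(EVENTS)))
```

The per-event rules fire on six PowerShell and two schtasks launches and stay quiet on both controls; the correlation step is what matters for triage, since it names exactly the two parents (664 and 3016) that chained Defender tampering with task creation, which is the point at which a single alert should be raised rather than eight.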