Analysis
- max time kernel: 122s
- max time network: 138s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: PROFORME.EXE
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: PROFORME.EXE
- Resource: win10-en
General
- Target: PROFORME.EXE
- Size: 1003KB
- MD5: e06203fc38f6e1feeebbfda689a3c3ba
- SHA1: eeeb9935a650e41711c99675f3f579610391b9b3
- SHA256: c9fc6e398381a3152e36eec50f7157bde0a38462bd3345256487d9ab08eb6acc
- SHA512: 856f03489826a27e23961e35ada7e223b1f933522ed2c81a06685a3b6a328b1a71490c64d6981d72f1d64890ddf6d69f3ac4bd3b5e02e860a6fa697ad744941e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.outlook.com
- Port: 587
- Username: in23529@outlook.com
- Password: Godisgreat0803
These are the credentials of the attacker's drop mailbox, which the stealer logs into to send stolen data; they are not victim credentials. Because port 587 to smtp.outlook.com is submission with STARTTLS, the AUTH exchange and message bodies will not be readable on the wire, so hunting has to rely on process-to-network telemetry (PROFORME.EXE, or the process it hollows, connecting to smtp.outlook.com:587) rather than on packet content.
Signatures
- AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), commonly described as written in VB.NET; it harvests credentials from browsers, mail and FTP clients and logs keystrokes, which matches the signatures listed below.
-
- AgentTesla Payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/3188-128-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral2/memory/3188-129-0x000000000043759E-mapping.dmp: family_agenttesla
- behavioral2/memory/3188-135-0x0000000004E50000-0x000000000534E000-memory.dmp: family_agenttesla
- behavioral2/memory/3188-140-0x0000000004E50000-0x000000000534E000-memory.dmp: family_agenttesla
All four hits are in PID 3188, the second PROFORME.EXE instance, and none are in the original process (PID 4008). The 240KB region at 0x400000 is the default image base of a 32-bit PE, and the mapping address 0x43759E lies inside it, so the YARA matches are on the payload written over the child, not on the file on disk.
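The four hits above all point at dumps from PID 3188. As an added example (not Triage's own code), the following parser turns the report's dump identifiers into structured records and performs the checks a reviewer does by hand: region sizes (which should match the Downloads list), whether a mapping address falls inside the region dumped at 0x400000, and whether regions of identical size appear in both PIDs. The dump names in PAGE_DUMPS are copied from this report; entry_points_inside_images and same_size_regions_across_pids and the reading given in their docstrings are mine, not Triage's.

```python
"""Parse the memory-dump identifiers Triage lists (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
and memory/<pid>-<n>-0x<addr>-mapping.dmp) and run the checks a reviewer does by hand.
Added example, not Triage's own code; the interpretation in the helpers is mine."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    index: int
    kind: str            # "memory": a dumped region; "mapping": a single address
    start: int
    end: Optional[int]   # None for mapping dumps

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Triage dump identifier: {name!r}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("idx")), m.group("kind"),
                int(m.group("start"), 16), int(end, 16) if end else None)


def human_size(n: int) -> str:
    """Rounding that reproduces the sizes shown in the Downloads list (4KB, 240KB, 5.0MB)."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def entry_points_inside_images(dumps: List[Dump]) -> List[Tuple[Dump, Dump]]:
    """Pair each mapping dump with a region of the same PID that contains its address.
    A mapping that lands in a region starting at 0x400000 (default image base of a
    32-bit PE) is what a payload written over a suspended copy of the host looks like."""
    regions = [d for d in dumps if d.kind == "memory"]
    return [(m, r) for m in dumps if m.kind == "mapping"
            for r in regions if r.pid == m.pid and r.contains(m.start)]


def same_size_regions_across_pids(dumps: List[Dump], min_size: int = 1024 * 1024):
    """Regions of identical size in different PIDs. Identical sizes are a lead that the
    same buffer exists in both processes (e.g. a payload staged in the parent before being
    written into the child); the report does not state this, so confirm it in the dumps."""
    big = [d for d in dumps if d.kind == "memory" and d.size >= min_size]
    return sorted({(a.pid, a.index, b.pid, b.index)
                   for a in big for b in big if a.pid < b.pid and a.size == b.size})


# Dump names copied from this report. PID 4008 is the first PROFORME.EXE, 3188 the
# second copy it started, 2836 schtasks.exe.
PAGE_DUMPS = [
    "memory/2836-126-0x0000000000000000-mapping.dmp",
    "memory/3188-140-0x0000000004E50000-0x000000000534E000-memory.dmp",
    "memory/3188-137-0x0000000005BB0000-0x0000000005BB1000-memory.dmp",
    "memory/3188-136-0x00000000052E0000-0x00000000052E1000-memory.dmp",
    "memory/3188-135-0x0000000004E50000-0x000000000534E000-memory.dmp",
    "memory/3188-129-0x000000000043759E-mapping.dmp",
    "memory/3188-128-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/4008-120-0x0000000004B10000-0x0000000004B11000-memory.dmp",
    "memory/4008-125-0x0000000008380000-0x00000000083BA000-memory.dmp",
    "memory/4008-124-0x0000000008300000-0x0000000008377000-memory.dmp",
    "memory/4008-123-0x00000000023D0000-0x00000000023DE000-memory.dmp",
    "memory/4008-122-0x0000000004BF0000-0x00000000050EE000-memory.dmp",
    "memory/4008-121-0x0000000004E40000-0x0000000004E41000-memory.dmp",
    "memory/4008-115-0x0000000000200000-0x0000000000201000-memory.dmp",
    "memory/4008-119-0x0000000004BF0000-0x0000000004BF1000-memory.dmp",
    "memory/4008-118-0x00000000050F0000-0x00000000050F1000-memory.dmp",
    "memory/4008-117-0x0000000004B50000-0x0000000004B51000-memory.dmp",
]

if __name__ == "__main__":
    dumps = [parse_dump(n) for n in PAGE_DUMPS]
    for d in sorted(dumps, key=lambda d: (d.pid, d.index)):
        print(f"{d.pid} #{d.index} {d.kind:7} 0x{d.start:08X}", human_size(d.size) if d.end else "")
    for m, r in entry_points_inside_images(dumps):
        print(f"mapping 0x{m.start:X} of PID {m.pid} lies in region #{r.index} "
              f"0x{r.start:X}-0x{r.end:X} ({human_size(r.size)})")
    print("same-size regions across PIDs:", same_size_regions_across_pids(dumps))
```

Run as-is it reports one mapping-in-region hit (0x43759E inside 3188's 0x400000 region) and that the parent's 5.0MB region (4008-122) has the same size as the two flagged 5.0MB regions in the child. The mapping dump for schtasks.exe (PID 2836, address 0) matches no region, which is the expected result for a child that was merely started, not hollowed.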
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\oAgjb = "C:\\Users\\Admin\\AppData\\Roaming\\oAgjb\\oAgjb.exe" (PROFORME.EXE)
The value name and the directory under AppData\Roaming share the same random-looking string, and the Run key is written by the second PROFORME.EXE instance (PID 3188 in the process tree), not by the original process. A per-user Run key needs no elevation, so this persistence survives without any privilege escalation.
- Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 4008 set thread context of 3188 (PROFORME.EXE -> PROFORME.EXE)
Taken together with the WriteProcessMemory entries below and the fact that every YARA hit is in PID 3188, this is the process-hollowing pattern: the first instance starts a second copy of its own image, writes the decoded payload into it, and redirects that copy's thread to the new entry point.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Triage's generic description for this signature calls it likely ransomware behaviour; for an Agent Tesla sample it is a low-value heuristic (drive enumeration is common to many benign and malicious programs) and should not be read as ransomware on its own.
-
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\ZljJsKVpgTQiX" is created from an XML definition that the sample first writes to the user's Temp directory (tmp8E0D.tmp; see the schtasks.exe command line in the process tree and the file's hashes under Downloads).
-
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: PID 3188 PROFORME.EXE (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Token SeDebugPrivilege, PID 3188 PROFORME.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes: PID 3188 PROFORME.EXE
All three are in the hollowed instance. SetWindowsHookEx is the usual API for a user-mode keyboard hook and is consistent with Agent Tesla's keylogging component.
- Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description / pid / process / target process):
- PID 4008 wrote to memory of 2836 (PROFORME.EXE -> schtasks.exe), 3 entries
- PID 4008 wrote to memory of 3188 (PROFORME.EXE -> PROFORME.EXE), 8 entries
The three writes into schtasks.exe are typical of the writes CreateProcess itself makes into any newly created child and carry little signal; the eight writes into the second PROFORME.EXE, paired with the SetThreadContext entry, are the injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE (PID 4008, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2836, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZljJsKVpgTQiX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E0D.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE (PID 3188, depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
PIDs are taken from the signature entries above. The schtasks.exe image path is SysWOW64 although the command line names System32: the sample is a 32-bit process, so WoW64 file-system redirection resolved the path, and detections should match on the image basename rather than the directory. The second instance was started with the literal command line "{path}", which is a usable command-line indicator in its own right.
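The chain in the tree above (the parent spawns schtasks.exe with an XML from Temp, spawns a second copy of itself and redirects its thread, and that copy sets a Run key under AppData\Roaming) is what a detection should key on. The following Python is an added example, not part of the Triage report: it runs three rules over hand-constructed event records that mirror the tree. PIDs, paths and command lines are copied from this page; the event shape, the parent PID 1000 of the first process and the ATT&CK mappings are my assumptions, not telemetry or output of any product.

```python
"""Three detections for the persistence/injection chain in the process tree.
Added example, not part of the Triage report. Events are constructed by hand
to mirror the report's signatures; the record shape is an assumption, not any
product's schema. Current ATT&CK IDs are used; the report's v6 matrix lists
the same behaviours as T1053, T1060 and T1093."""
import re
from pathlib import PureWindowsPath

# Constructed events. PIDs, paths and command lines are copied from the report;
# the parent PID 1000 of the first PROFORME.EXE is assumed (the report does not show it).
EVENTS = [
    {"type": "process_create", "pid": 4008, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE"'},
    # 32-bit parent asked for System32\schtasks.exe; WoW64 redirected it to SysWOW64.
    {"type": "process_create", "pid": 2836, "ppid": 4008,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZljJsKVpgTQiX" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8E0D.tmp"'},
    {"type": "process_create", "pid": 3188, "ppid": 4008,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE",
     "cmdline": '"{path}"'},
    {"type": "set_thread_context", "pid": 4008, "target_pid": 3188},
    {"type": "registry_set", "pid": 3188,
     "key": r"\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\oAgjb",
     "value": r"C:\Users\Admin\AppData\Roaming\oAgjb\oAgjb.exe"},
]

USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)
USER_ROAMING = re.compile(r"\\appdata\\roaming\\", re.I)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect_schtasks_xml_from_temp(events):
    """schtasks.exe /Create with an /XML definition read from the user's Temp dir.
    Matching on the image basename also catches the SysWOW64 copy."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or image_name(e["image"]) != "schtasks.exe":
            continue
        m = XML_ARG.search(e["cmdline"])
        xml = (m.group(1) or m.group(2)) if m else None
        if "/create" in e["cmdline"].lower() and xml and USER_TEMP.search(xml):
            hits.append({"technique": "T1053.005", "pid": e["pid"],
                         "parent": e["ppid"], "xml": xml})
    return hits


def detect_run_key_to_roaming(events):
    """Run-key value pointing at an executable under AppData\\Roaming."""
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        if re.search(r"\\currentversion\\run\\", e["key"], re.I) and USER_ROAMING.search(e["value"]):
            hits.append({"technique": "T1547.001", "pid": e["pid"],
                         "key": e["key"].rsplit("\\", 1)[-1], "target": e["value"]})
    return hits


def detect_self_hollowing(events):
    """A process sets the thread context of its own child that runs the same image:
    the parent started a copy of itself to overwrite (process hollowing)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if src and dst and dst["ppid"] == src["pid"] \
                and src["image"].lower() == dst["image"].lower():
            hits.append({"technique": "T1055.012", "pid": src["pid"],
                         "target": dst["pid"], "image": image_name(dst["image"])})
    return hits


def run_all(events):
    return (detect_schtasks_xml_from_temp(events)
            + detect_run_key_to_roaming(events)
            + detect_self_hollowing(events))


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

The self-hollowing rule deliberately requires both the same image path and a parent/child relationship; a SetThreadContext into an unrelated process is still worth alerting on, but it is a different (remote-injection) pattern with a different false-positive profile, so it is kept out of this rule. The schtasks rule is written against the XML path rather than the task name, since the task name here is random per sample.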
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROFORME.EXE.log
  MD5: 90acfd72f14a512712b1a7380c0faf60
  SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
  SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
  SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
  The CLR_v4.0_32 usage log is written by the .NET Framework 4 runtime for a managed executable, which confirms the sample ran as 32-bit .NET code.
- C:\Users\Admin\AppData\Local\Temp\tmp8E0D.tmp
  MD5: 7c05047f5e9b67eb16bcb9a9d9e38c9b
  SHA1: 3138418caa5edb88bdedc6a380d643e127fe5975
  SHA256: 84e039070228106f7e91a1e2c6219cfd0101a6a4afe76f80fd5c19129cf19a15
  SHA512: b03b95a3b1d21e1df14c0ca4c6e1d838001ea688f14cd7db181922a928e74d3463c1ae8a4f76ae7ac894b49a3fa5c240fd13a68d7d32b33835749b762f8da510
  This is the scheduled-task XML passed to schtasks.exe /XML in the process tree.
- memory/2836-126-0x0000000000000000-mapping.dmp
- memory/3188-140-0x0000000004E50000-0x000000000534E000-memory.dmp (5.0MB)
- memory/3188-137-0x0000000005BB0000-0x0000000005BB1000-memory.dmp (4KB)
- memory/3188-136-0x00000000052E0000-0x00000000052E1000-memory.dmp (4KB)
- memory/3188-135-0x0000000004E50000-0x000000000534E000-memory.dmp (5.0MB)
- memory/3188-129-0x000000000043759E-mapping.dmp
- memory/3188-128-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/4008-120-0x0000000004B10000-0x0000000004B11000-memory.dmp (4KB)
- memory/4008-125-0x0000000008380000-0x00000000083BA000-memory.dmp (232KB)
- memory/4008-124-0x0000000008300000-0x0000000008377000-memory.dmp (476KB)
- memory/4008-123-0x00000000023D0000-0x00000000023DE000-memory.dmp (56KB)
- memory/4008-122-0x0000000004BF0000-0x00000000050EE000-memory.dmp (5.0MB)
- memory/4008-121-0x0000000004E40000-0x0000000004E41000-memory.dmp (4KB)
- memory/4008-115-0x0000000000200000-0x0000000000201000-memory.dmp (4KB)
- memory/4008-119-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (4KB)
- memory/4008-118-0x00000000050F0000-0x00000000050F1000-memory.dmp (4KB)
- memory/4008-117-0x0000000004B50000-0x0000000004B51000-memory.dmp (4KB)
Dump names follow memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp for a dumped region and memory/<pid>-<n>-0x<addr>-mapping.dmp for a single address; sizes are end minus start. Note that the parent's 5.0MB region (4008-122, 0x4FE000 bytes) is exactly the size of the two 5.0MB regions in the hollowed child that the AgentTesla rule matched; the report does not say so, but it is a reasonable lead that the parent staged the decoded payload in its own memory before writing it into the child.