Analysis

- max time kernel: 139s
- max time network: 157s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-09-2021 06:54
Static task: static1
Behavioral task: behavioral1 (sample PROFORME.EXE, resource win7v20210408)
Behavioral task: behavioral2 (sample PROFORME.EXE, resource win10-en)
General

- Target: PROFORME.EXE
- Size: 1003KB
- MD5: e06203fc38f6e1feeebbfda689a3c3ba
- SHA1: eeeb9935a650e41711c99675f3f579610391b9b3
- SHA256: c9fc6e398381a3152e36eec50f7157bde0a38462bd3345256487d9ab08eb6acc
- SHA512: 856f03489826a27e23961e35ada7e223b1f933522ed2c81a06685a3b6a328b1a71490c64d6981d72f1d64890ddf6d69f3ac4bd3b5e02e860a6fa697ad744941e
Malware Config

Extracted: agenttesla (exfiltration config recovered from the sample; the stealer mails harvested data to this mailbox over SMTP)
- Protocol: smtp
- Host: smtp.outlook.com
- Port: 587 (SMTP submission port)
- Username: in23529@outlook.com
- Password: Godisgreat0803

For detection purposes the useful indicator is the outbound SMTP connection to smtp.outlook.com:587 from a process that is not a mail client, not the mailbox credentials themselves, which the operator can rotate.
Signatures

- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly built in Visual Basic .NET. The credential-harvesting, keylogging and persistence signatures below are its typical behaviour.
- AgentTesla Payload (3 IoCs)
  YARA rule family_agenttesla matched in:
  - behavioral1/memory/328-68-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral1/memory/328-69-0x000000000043759E-mapping.dmp
  - behavioral1/memory/328-70-0x0000000000400000-0x000000000043C000-memory.dmp
  All three hits are in PID 328, the second PROFORME.EXE instance that PID 1920 writes into and redirects (see SetThreadContext and WriteProcessMemory below): the unpacked payload lives in the injected child's 0x400000-0x43C000 image region, not in the on-disk dropper.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  PROFORME.EXE set value (str):
  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\oAgjb = "C:\\Users\\Admin\\AppData\\Roaming\\oAgjb\\oAgjb.exe"
  (the doubled backslashes are the report's string escaping; the autorun target is C:\Users\Admin\AppData\Roaming\oAgjb\oAgjb.exe, a user-writable location)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1920 (PROFORME.EXE) set thread context of PID 328 (PROFORME.EXE).
  Combined with the nine WriteProcessMemory calls from 1920 into 328 listed below, this is the process-hollowing sequence: a second copy of the executable is started, its memory is overwritten with the payload, and its thread context is then redirected into the injected code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this heuristic is "likely ransomware behaviour", but nothing else in this report (no file encryption or ransom-note activity) supports that reading; for an infostealer, drive enumeration is more consistent with locating data to collect.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The full schtasks.exe command line (/Create /TN "Updates\ZljJsKVpgTQiX" /XML from a temp file) is in the process tree below.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PROFORME.EXE, PID 328 (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PROFORME.EXE, PID 328: Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PROFORME.EXE, PID 328. SetWindowsHookEx installs keyboard and message hooks, which is how the keylogging component of an infostealer typically captures input.
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 1920 (PROFORME.EXE) wrote to memory of PID 696 (schtasks.exe): 4 events
  - PID 1920 (PROFORME.EXE) wrote to memory of PID 328 (PROFORME.EXE): 9 events
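The WriteProcessMemory and SetThreadContext IoCs above are printed by the report as flattened, repeated lines. The following Python is an added example, not part of the report or of any sandbox tooling: it parses those lines as printed, counts memory writes per (source, target) pair and applies a simple heuristic of its own to label the PID 1920 to PID 328 pair as self-image process hollowing and the writes into schtasks.exe (PID 696) separately. The event text is copied from the report; the regex, the function names and the classification rule are this example's assumptions.

```python
"""Correlate the report's WriteProcessMemory and SetThreadContext IoC lines
into an injection summary. Added example; not the sandbox's own code."""
import re
from collections import Counter
from dataclasses import dataclass

# The two IoC lists as the report flattens them. The WriteProcessMemory list is
# the same two event lines repeated 4 and 9 times (13 IoCs), so it is rebuilt
# here by repetition rather than pasted 13 times.
REPORT_WRITE_EVENTS = (
    "PID 1920 wrote to memory of 696 1920 PROFORME.EXE schtasks.exe " * 4
    + "PID 1920 wrote to memory of 328 1920 PROFORME.EXE PROFORME.EXE " * 9
)
REPORT_CONTEXT_EVENTS = "PID 1920 set thread context of 328 1920 PROFORME.EXE PROFORME.EXE"

# One event = "PID <src> <action> <dst> <src> <src image> <dst image>"
# (assumed layout, matching how this report prints its columns).
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


@dataclass(frozen=True)
class Event:
    src: int
    dst: int
    action: str
    src_image: str
    dst_image: str


def parse_events(text: str) -> list[Event]:
    """Split a flattened IoC list into individual events."""
    return [
        Event(int(m["src"]), int(m["dst"]), m["action"], m["src_image"], m["dst_image"])
        for m in EVENT_RE.finditer(text)
    ]


def summarize(events: list[Event]) -> dict:
    """Count memory writes per (src, dst, dst image); collect thread-context changes."""
    writes = Counter()
    context = set()
    for e in events:
        if e.action == "wrote to memory of":
            writes[(e.src, e.dst, e.dst_image)] += 1
        else:
            context.add((e.src, e.dst))
    return {"writes": writes, "set_thread_context": context}


def find_injection(events: list[Event]) -> list[dict]:
    """Classify every (src, dst) pair that received memory writes.

    Heuristic (this example's own): writes into a process running the same
    image, followed by SetThreadContext on it, is the process-hollowing
    sequence (start a copy, overwrite its image, redirect its thread). Writes
    into a different binary (schtasks.exe here) are reported separately.
    """
    summary = summarize(events)
    findings = []
    for (src, dst, dst_image), count in sorted(summary["writes"].items()):
        src_image = next(e.src_image for e in events if e.src == src)
        same_image = src_image.lower() == dst_image.lower()
        redirected = (src, dst) in summary["set_thread_context"]
        if same_image and redirected:
            kind = "self-image hollowing"
        elif same_image:
            kind = "self-image write (no thread redirection seen)"
        else:
            kind = "write into other process"
        findings.append({"source_pid": src, "target_pid": dst, "target_image": dst_image,
                         "writes": count, "set_thread_context": redirected, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in find_injection(parse_events(REPORT_WRITE_EVENTS + " " + REPORT_CONTEXT_EVENTS)):
        print(finding)
```

The writes into schtasks.exe are left unclassified on purpose: four small writes into a freshly created child are what CreateProcess itself produces when the parent populates the child's environment and parameters, so they are not evidence of injection on their own, whereas the nine writes plus the thread-context change on the same-image child are.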
Processes

- C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZljJsKVpgTQiX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F94.tmp"
    - Creates scheduled task(s)
    The executed image is under SysWOW64 although the command line names System32: WoW64 file-system redirection rewrote the path, which shows the parent PROFORME.EXE is a 32-bit process. The task definition is read from an XML file staged in %TEMP% (hashes under Downloads below).
  - C:\Users\Admin\AppData\Local\Temp\PROFORME.EXE (depth 2)
    command line: "{path}" (the report prints the child's command line as this placeholder)
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
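The Run key IoC in the Signatures section and the schtasks.exe command line in the process tree are the two persistence artifacts this report records. The following Python is an added example, not part of the report or of any sandbox or Windows tooling: it parses those lines as the report prints them and derives the concrete items an analyst would check on a suspect host (registry value and autorun target, task name and task XML path), then applies a few heuristics of its own (autorun target in a user-writable AppData folder, folder and executable named after the Run value, task XML staged in %TEMP%, WoW64 path redirection). The three input strings are copied from the report; the regexes, function names and heuristics are this example's assumptions.

```python
"""Extract and assess the persistence artifacts recorded in this report.
Added example; not the sandbox's own code."""
import re
from pathlib import PureWindowsPath

# Inputs copied from the report: the Run-key IoC line, the schtasks.exe image
# path shown in the process tree, and its command line.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\oAgjb = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\oAgjb\\oAgjb.exe"'
)
SCHTASKS_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZljJsKVpgTQiX" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6F94.tmp"'
)

# 'Set value (<type>) <key>\<value name> = "<data>"' as the report prints it.
RUN_KEY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>.*)"'
)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # one quoted argument or one bare word


def parse_run_key(line: str) -> dict:
    """Return key path, value name and the un-escaped autorun target."""
    m = RUN_KEY_RE.search(line)
    if not m:
        raise ValueError("not a 'Set value' registry IoC line")
    # The report doubles backslashes inside the quoted string data.
    return {"key": m["key"], "value_name": m["name"],
            "target": m["data"].replace("\\\\", "\\")}


def parse_schtasks(cmdline: str) -> dict:
    """Tokenise a schtasks command line (quotes respected) and pick out /TN and /XML."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    args = {}
    for i, tok in enumerate(tokens[1:], start=1):
        # A switch followed by a non-switch token takes that token as its value.
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[tok.upper()] = tokens[i + 1]
    return {
        "argv0": tokens[0],
        "create": "/CREATE" in (t.upper() for t in tokens),
        "task_name": args.get("/TN"),
        "xml_path": args.get("/XML"),
    }


def assess_persistence(run_key_line: str, schtasks_image: str, schtasks_cmdline: str) -> dict:
    """Combine both artifacts with hunting heuristics (this example's own)."""
    run = parse_run_key(run_key_line)
    task = parse_schtasks(schtasks_cmdline)
    target = PureWindowsPath(run["target"])
    parts_lower = [p.lower() for p in target.parts]
    xml = PureWindowsPath(task["xml_path"]) if task["xml_path"] else None
    return {
        "autorun": {
            **run,
            # Anything under the user's AppData is writable without admin rights.
            "user_writable_location": "appdata" in parts_lower,
            # Folder, executable stem and Run value all share one random name.
            "self_named_folder": target.parent.name == target.stem == run["value_name"],
        },
        "scheduled_task": {
            **task,
            "in_task_folder": "\\" in (task["task_name"] or ""),
            "xml_in_temp": xml is not None and "temp" in (p.lower() for p in xml.parts),
            # A 32-bit caller asking for System32\schtasks.exe is redirected to SysWOW64.
            "wow64_redirected": "\\syswow64\\" in schtasks_image.lower()
                                and "\\system32\\" in task["argv0"].lower(),
        },
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(assess_persistence(RUN_KEY_IOC, SCHTASKS_IMAGE, SCHTASKS_CMDLINE))
```

On a live host the output maps directly to what to query: the value oAgjb under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the file C:\Users\Admin\AppData\Roaming\oAgjb\oAgjb.exe, and a task named ZljJsKVpgTQiX in the \Updates task folder; the temp XML will usually be gone by then, which is why its hashes from the Downloads section are worth keeping.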
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp6F94.tmp (the task definition passed to schtasks.exe /XML)
  MD5: db56498b509efc846994c74f2845da1d
  SHA1: 772152d0453ceb16b9f0906dfa602705d58555e9
  SHA256: a31e13b1d3589e277edecba0c01863d031696b780a24883cdd990351f9194c71
  SHA512: 7aea2d6d49b81974b9161a906bdea902e70f2d6bde99b09e87161f8855f634bb24bcd9c3da95d799143bee0fee90ae57430a09060fc6bd851f65ac3e4b345b9b
- memory/328-68-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/328-69-0x000000000043759E-mapping.dmp
- memory/328-70-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/328-72-0x00000000044B0000-0x00000000044B1000-memory.dmp (4KB)
- memory/328-73-0x00000000044B1000-0x00000000044B2000-memory.dmp (4KB)
- memory/696-66-0x0000000000000000-mapping.dmp
- memory/1920-60-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/1920-62-0x0000000004C50000-0x0000000004C51000-memory.dmp (4KB)
- memory/1920-63-0x00000000005D0000-0x00000000005DE000-memory.dmp (56KB)
- memory/1920-64-0x0000000004F50000-0x0000000004FC7000-memory.dmp (476KB)
- memory/1920-65-0x0000000001F70000-0x0000000001FAA000-memory.dmp (232KB)

The two 240KB dumps of PID 328's 0x400000-0x43C000 region are the ones that matched the family_agenttesla YARA rule.