Analysis
  Max time kernel: 128s
  Max time network: 26s
  Platform: windows7_x64
  Resource: win7-en-20210920
  Submitted: 26-09-2021 19:04
  Static task static1
  Behavioral task behavioral1: sample ACCOUNT FORM.exe, resource win7-en-20210920
  Behavioral task behavioral2: sample ACCOUNT FORM.exe, resource win10-en-20210920
General
  Target: ACCOUNT FORM.exe
  Size: 1.7MB
  MD5: bb06da848bdf0fb902bc05bfaa2deca3
  SHA1: efd66a569fb1ea9cbba3c1160cb8a6975560e779
  SHA256: 123de48e610d4e6dacfb9722ccf5073154cd419537a7b60aa510d81e06e51404
  SHA512: 0f820c5e48eadc224cafc3d8d32df853b8041f69f378aa42d5c3f417e152f9af8807dfd0d57813cec75f54d9621edf11fc51c048bf32cbfcf634d93b5ca349a9
Malware Config
  Extracted: agenttesla
    Protocol: smtp
    Host: mail.ozkengumruk.com.tr
    Port: 587
    Username: [email protected]
    Password: A!wak487
Signatures
  AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  AgentTesla Payload (3 IoCs)
    resource                                                                     yara_rule
    behavioral1/memory/680-62-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/680-63-0x00000000004376CE-mapping.dmp                    family_agenttesla
    behavioral1/memory/680-64-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  Drops file in Drivers directory (1 IoC)
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: RegSvcs.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq = "C:\\Users\\Admin\\AppData\\Roaming\\tKZVPq\\tKZVPq.exe"
    process: RegSvcs.exe
  Suspicious use of SetThreadContext (1 IoC)
    description: PID 1380 set thread context of 680
    process: ACCOUNT FORM.exe (pid 1380)
    target process: RegSvcs.exe (pid 680)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  Suspicious behavior: EnumeratesProcesses (5 IoCs)
    pid 1380  ACCOUNT FORM.exe  (3 events)
    pid 680   RegSvcs.exe       (2 events)
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  pid 1380  ACCOUNT FORM.exe
    Token: SeDebugPrivilege  pid 680   RegSvcs.exe
  Suspicious use of WriteProcessMemory (37 IoCs)
    PID 1380 (ACCOUNT FORM.exe) wrote to memory of 748 (schtasks.exe)  4 events
    PID 1380 (ACCOUNT FORM.exe) wrote to memory of 860 (RegSvcs.exe)   7 events
    PID 1380 (ACCOUNT FORM.exe) wrote to memory of 840 (RegSvcs.exe)   7 events
    PID 1380 (ACCOUNT FORM.exe) wrote to memory of 524 (RegSvcs.exe)   7 events
    PID 1380 (ACCOUNT FORM.exe) wrote to memory of 680 (RegSvcs.exe)   12 events
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qykCLxbojSJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64DA.tmp"
        - Creates scheduled task(s)
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "{path}"
        - Drops file in Drivers directory
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmp64DA.tmp
    MD5: fd0ac2aa5c7d2a9d694e4d487e0bf143
    SHA1: da788c7e64eb1dfaeb77a13ea15bfa3c2d05c040
    SHA256: 13f4272b1f988b8e12f6bf4032dd3ac94da52d39c7fbc80db6b84c4764dba4fa
    SHA512: 4259f97e89c78c7e6dfb2a14ae25ea1d840af61c754ab7cf92d3ce9fa791f7a2f8e13285c4d3e0da034849e0d76fdd0a9514b1cf7c265b41d18f77b181103099
  memory/680-62-0x0000000000400000-0x000000000043C000-memory.dmp    filesize 240KB
  memory/680-63-0x00000000004376CE-mapping.dmp
  memory/680-64-0x0000000000400000-0x000000000043C000-memory.dmp    filesize 240KB
  memory/680-66-0x0000000004910000-0x0000000004911000-memory.dmp    filesize 4KB
  memory/680-67-0x0000000004911000-0x0000000004912000-memory.dmp    filesize 4KB
  memory/748-60-0x0000000000000000-mapping.dmp
  memory/1380-54-0x00000000002D0000-0x00000000002D1000-memory.dmp   filesize 4KB
  memory/1380-56-0x00000000020E0000-0x00000000020E1000-memory.dmp   filesize 4KB
  memory/1380-57-0x0000000000640000-0x000000000064E000-memory.dmp   filesize 56KB
  memory/1380-58-0x0000000004FC0000-0x000000000503B000-memory.dmp   filesize 492KB
  memory/1380-59-0x0000000004B20000-0x0000000004B58000-memory.dmp   filesize 224KB