Analysis
- max time kernel: 127s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 19:04
- Static task: static1
- Behavioral task: behavioral1 (Sample: ACCOUNT FORM.exe, Resource: win7-en-20210920)
- Behavioral task: behavioral2 (Sample: ACCOUNT FORM.exe, Resource: win10-en-20210920)

The signatures, process tree and memory dumps below all come from behavioral2 (the win10-en-20210920 run); the behavioral1 (Windows 7) results are not shown on this page.
General
- Target: ACCOUNT FORM.exe
- Size: 1.7MB
- MD5: bb06da848bdf0fb902bc05bfaa2deca3
- SHA1: efd66a569fb1ea9cbba3c1160cb8a6975560e779
- SHA256: 123de48e610d4e6dacfb9722ccf5073154cd419537a7b60aa510d81e06e51404
- SHA512: 0f820c5e48eadc224cafc3d8d32df853b8041f69f378aa42d5c3f417e152f9af8807dfd0d57813cec75f54d9621edf11fc51c048bf32cbfcf634d93b5ca349a9
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.ozkengumruk.com.tr
- Port: 587
- Username: [email protected] (the address is obfuscated in the captured page)
- Password: A!wak487

This is the exfiltration channel: with Protocol set to smtp, the payload mails the stolen data to the mailbox above over port 587 (submission). Outbound connections to mail.ozkengumruk.com.tr:587 from endpoints are the network indicator to alert on, and the mailbox credentials should be treated as compromised.
Signatures
- AgentTesla
  Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (Visual Basic .NET).
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Resource -> YARA rule:
  - behavioral2/memory/2204-134-0x0000000004CF0000-0x00000000051EE000-memory.dmp -> disable_win_def
  The match is on a memory region of RegSvcs.exe (PID 2204), the injected process; no match on ACCOUNT FORM.exe on disk is listed.
- AgentTesla Payload (4 IoCs)
  Resource -> YARA rule:
  - behavioral2/memory/2204-128-0x0000000000400000-0x000000000043C000-memory.dmp -> family_agenttesla
  - behavioral2/memory/2204-129-0x00000000004376CE-mapping.dmp -> family_agenttesla
  - behavioral2/memory/2204-134-0x0000000004CF0000-0x00000000051EE000-memory.dmp -> family_agenttesla
  - behavioral2/memory/2204-139-0x0000000004CF0000-0x00000000051EE000-memory.dmp -> family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Process: RegSvcs.exe | Description: File opened for modification | IoC: C:\Windows\system32\drivers\etc\hosts
  The path is the hosts file, which happens to live under system32\drivers\etc; this is a name-resolution override, not a driver being dropped.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe | Description: Set value (str) | IoC: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq = "C:\\Users\\Admin\\AppData\\Roaming\\tKZVPq\\tKZVPq.exe"
  The key is the per-user Run key (HKCU for the Admin account). The value name tKZVPq and the copy under %APPDATA%\tKZVPq\ are the persistence artefacts to sweep for; both names look randomly generated and are likely sample-specific.
- Suspicious use of SetThreadContext (1 IoC)
  Process: ACCOUNT FORM.exe | PID 2668 set thread context of PID 2204 | Target process: RegSvcs.exe
  Together with the WriteProcessMemory entries below and the family_agenttesla match at 0x400000 inside PID 2204, this is the process hollowing pattern: the loader starts the legitimate .NET utility RegSvcs.exe, writes the payload into it and points its thread at the injected image.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "Likely ransomware behaviour.", but that is a generic heuristic: nothing else in this report points to ransomware, and drive enumeration is also ordinary information-stealer behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is Updates\qykCLxbojSJ, created from the XML file tmp24A0.tmp (see Processes and Downloads).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2668 ACCOUNT FORM.exe; PID 2204 RegSvcs.exe; PID 2204 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | PID 2668 ACCOUNT FORM.exe
  Token: SeDebugPrivilege | PID 2204 RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2668 ACCOUNT FORM.exe wrote to memory of PID 3584 schtasks.exe: 3 times
  PID 2668 ACCOUNT FORM.exe wrote to memory of PID 2204 RegSvcs.exe: 8 times
  The three writes into schtasks.exe coincide with 2668 creating that child; the eight into RegSvcs.exe are the payload being written before the SetThreadContext call above.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe (PID 2668)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (PID 3584)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qykCLxbojSJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp24A0.tmp"
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2204)
      Command line: "{path}"
      - Drops file in Drivers directory
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the Signatures section. schtasks.exe was requested as C:\Windows\System32\schtasks.exe but ran from SysWOW64 because the parent is a 32-bit process subject to WoW64 file-system redirection; for the same reason the hollowed RegSvcs.exe is the 32-bit copy under Framework rather than Framework64. The command line "{path}" is what the sandbox recorded for RegSvcs.exe, not a redaction: the legitimate tool expects an assembly path as its argument, so a RegSvcs.exe started with this literal placeholder is a strong indicator on its own. The task XML tmp24A0.tmp is listed under Downloads.
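The four behaviours above (schtasks /Create from a Temp XML, a .NET utility hollowed from a user-writable parent, a Run key pointing into AppData, and a hosts-file write by that utility) each make a usable detection on their own and are far stronger correlated under one parent. The following is an added example, not part of the sandbox report or its tooling: four rules run over constructed Sysmon-style events that mirror this report's process tree, registry write and hosts modification. The event dicts, the benign RegSvcs.exe control event and the field names (Image, CommandLine, ParentImage, TargetObject, Details, TargetFilename, following Sysmon's naming) are all assumptions made for the example; the PIDs 2668/2204/3584 are reused from the report for readability.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events. Added example, not part of the sandbox report or its
tooling; the events are made up to mirror the report, with its PIDs reused."""
import re

EVENTS = [
    # PID 2668 (ACCOUNT FORM.exe) starts schtasks.exe with a task XML in Temp
    {"EventID": 1, "ProcessId": 3584, "ParentProcessId": 2668,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qykCLxbojSJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp24A0.tmp"'},
    # PID 2668 starts RegSvcs.exe, the hollowing target, with the literal command line "{path}"
    {"EventID": 1, "ProcessId": 2204, "ParentProcessId": 2668,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe",
     "CommandLine": '"{path}"'},
    # Sysmon 13 (RegistryEvent, value set): Run key pointing into AppData\Roaming
    {"EventID": 13, "ProcessId": 2204,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq",
     "Details": r"C:\Users\Admin\AppData\Roaming\tKZVPq\tKZVPq.exe"},
    # Sysmon 11 (FileCreate, which also fires on overwrite): hosts file rewritten
    {"EventID": 11, "ProcessId": 2204,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    # Constructed benign control: an installer registering a component with RegSvcs.exe
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\svc.dll"'},
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)
DOTNET_UTILS = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegSvcs|RegAsm|MSBuild|InstallUtil|AppLaunch)\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create with a task definition read from the user's Temp directory."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cl = ev["CommandLine"]
    if re.search(r"/create\b", cl, re.I) and re.search(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', cl, re.I):
        return "T1053.005 schtasks /Create /XML from user Temp"
    return None


def rule_dotnet_utility_hollowed(ev):
    """A .NET framework utility started by something in a user-writable path, or with
    the unsubstituted "{path}" command line seen in this report. Legitimate use passes
    an assembly path and is launched by an installer or build tool."""
    if ev["EventID"] != 1 or not DOTNET_UTILS.search(ev["Image"]):
        return None
    if USER_WRITABLE.search(ev["ParentImage"]) or ev["CommandLine"].strip('" ') == "{path}":
        return "T1055.012 .NET utility spawned from user-writable parent or with placeholder command line"
    return None


def rule_run_key_to_appdata(ev):
    """Run/RunOnce value whose data points into a user-writable directory."""
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    if USER_WRITABLE.search(ev["Details"]):
        return "T1547.001 Run key pointing into user-writable directory"
    return None


def rule_hosts_file_modified(ev):
    """hosts file written by a .NET framework utility; no legitimate use does this."""
    if ev["EventID"] != 11 or not ev["TargetFilename"].lower().endswith(r"\drivers\etc\hosts"):
        return None
    if DOTNET_UTILS.search(ev["Image"]):
        return "hosts file written by .NET utility process"
    return None


RULES = [rule_schtasks_xml_from_temp, rule_dotnet_utility_hollowed,
         rule_run_key_to_appdata, rule_hosts_file_modified]


def evaluate(events):
    """Return (ProcessId, finding) for every rule that fires on any event."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((ev["ProcessId"], finding))
    return hits


def correlate(events):
    """Walk each hit up the parent chain so the separate signals roll up under the
    process that started the chain (PID 2668 here), like the sandbox's process tree."""
    parent_of = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    by_root = {}
    for pid, finding in evaluate(events):
        root = pid
        while root in parent_of:
            root = parent_of[root]
        by_root.setdefault(root, []).append(finding)
    return by_root


if __name__ == "__main__":
    for root, findings in correlate(EVENTS).items():
        print(f"root PID {root}:")
        for finding in findings:
            print("  ", finding)
```

The benign control event (a 64-bit RegSvcs.exe launched by an installer with an assembly path) fires none of the rules, while the four report-derived events all roll up under PID 2668; a single root with all four findings is the signal worth paging on, and any one of them alone is worth a triage ticket.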
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp24A0.tmp (the scheduled-task XML passed to schtasks.exe /XML)
  MD5: 7b604623bb7e832481d5965bbe50df35
  SHA1: 8f556607f23d4e15544ab0acde254e3bc019d835
  SHA256: 62a8955aad224db269b547b4bc4efc5698cbe3bfc48f42eb98677b2dc7c1c675
  SHA512: 6d361dca9c2ed7f57cab0c079b1a96f5511341c39b342757ea90b03eabf6c0c571c31be5f61349a2d723e9dde9817b72520eda4477e2c21c90b963a493bb46ee
- memory/2204-139-0x0000000004CF0000-0x00000000051EE000-memory.dmp (Filesize: 5.0MB)
- memory/2204-136-0x00000000059E0000-0x00000000059E1000-memory.dmp (Filesize: 4KB)
- memory/2204-135-0x0000000004E90000-0x0000000004E91000-memory.dmp (Filesize: 4KB)
- memory/2204-134-0x0000000004CF0000-0x00000000051EE000-memory.dmp (Filesize: 5.0MB)
- memory/2204-129-0x00000000004376CE-mapping.dmp
- memory/2204-128-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2668-120-0x0000000004AF0000-0x0000000004FEE000-memory.dmp (Filesize: 5.0MB)
- memory/2668-124-0x0000000008300000-0x000000000837B000-memory.dmp (Filesize: 492KB)
- memory/2668-125-0x0000000008380000-0x00000000083B8000-memory.dmp (Filesize: 224KB)
- memory/2668-123-0x0000000004480000-0x000000000448E000-memory.dmp (Filesize: 56KB)
- memory/2668-122-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (Filesize: 4KB)
- memory/2668-121-0x0000000004A00000-0x0000000004A01000-memory.dmp (Filesize: 4KB)
- memory/2668-115-0x0000000000030000-0x0000000000031000-memory.dmp (Filesize: 4KB)
- memory/2668-119-0x0000000004AF0000-0x0000000004AF1000-memory.dmp (Filesize: 4KB)
- memory/2668-118-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/2668-117-0x0000000004A50000-0x0000000004A51000-memory.dmp (Filesize: 4KB)
- memory/3584-126-0x0000000000000000-mapping.dmp

Dump names encode PID, a sequence number and the dumped address range; the 240KB region at 0x400000 in PID 2204 (RegSvcs.exe) is the one the family_agenttesla YARA rule matched, and it is the dump to pull for the unpacked payload.
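The dump names above carry enough structure to be checked and triaged mechanically: the address range should agree with the printed Filesize, and the region that starts at the default PE image base 0x400000 inside the hollowed process is the one to pull for the unpacked payload. The following is an added example, not part of the sandbox report: a parser for the name format as it appears on this page, a size cross-check against the listed values, and a pass that picks the 0x400000 region per PID and looks for a mapping address inside it. The names and sizes are copied from this page; the reading of the 0x400000 region as the injected image, and of a -mapping.dmp as carrying a single address of interest, are the editor's interpretation of the format rather than anything the sandbox states.

```python
"""Parse the memory-dump names listed under Downloads and cross-check each address
range against the size the report prints. Added example, not part of the sandbox
report; the interpretation of the name format is the editor's assumption."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

# (name, size as printed in the report; None where the report prints none)
DUMPS = [
    ("memory/2204-139-0x0000000004CF0000-0x00000000051EE000-memory.dmp", "5.0MB"),
    ("memory/2204-136-0x00000000059E0000-0x00000000059E1000-memory.dmp", "4KB"),
    ("memory/2204-135-0x0000000004E90000-0x0000000004E91000-memory.dmp", "4KB"),
    ("memory/2204-134-0x0000000004CF0000-0x00000000051EE000-memory.dmp", "5.0MB"),
    ("memory/2204-129-0x00000000004376CE-mapping.dmp", None),
    ("memory/2204-128-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/2668-120-0x0000000004AF0000-0x0000000004FEE000-memory.dmp", "5.0MB"),
    ("memory/2668-124-0x0000000008300000-0x000000000837B000-memory.dmp", "492KB"),
    ("memory/2668-125-0x0000000008380000-0x00000000083B8000-memory.dmp", "224KB"),
    ("memory/2668-123-0x0000000004480000-0x000000000448E000-memory.dmp", "56KB"),
    ("memory/2668-122-0x0000000004CD0000-0x0000000004CD1000-memory.dmp", "4KB"),
    ("memory/2668-121-0x0000000004A00000-0x0000000004A01000-memory.dmp", "4KB"),
    ("memory/2668-115-0x0000000000030000-0x0000000000031000-memory.dmp", "4KB"),
    ("memory/2668-119-0x0000000004AF0000-0x0000000004AF1000-memory.dmp", "4KB"),
    ("memory/2668-118-0x0000000004FF0000-0x0000000004FF1000-memory.dmp", "4KB"),
    ("memory/2668-117-0x0000000004A50000-0x0000000004A51000-memory.dmp", "4KB"),
    ("memory/3584-126-0x0000000000000000-mapping.dmp", None),
]


def parse_dump(name):
    """Split one dump name into pid, sequence number, address range and kind.
    Region dumps carry start and end; mapping dumps carry a single address."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": end - start if end is not None else None}


def human(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(dumps):
    """Return the names whose printed size does not match their address range."""
    return [name for name, listed in dumps
            if listed is not None and human(parse_dump(name)["size"]) != listed]


def payload_candidates(dumps):
    """Per PID, the region dump starting at the default PE image base 0x400000, plus
    any mapping address of that PID that falls inside it. In a process whose thread
    context was replaced, this is where the injected image sits (assumption)."""
    parsed = [parse_dump(name) for name, _ in dumps]
    out = {}
    for d in parsed:
        if d["kind"] == "memory" and d["start"] == 0x400000:
            inside = [m["start"] for m in parsed
                      if m["kind"] == "mapping" and m["pid"] == d["pid"]
                      and d["start"] <= m["start"] < d["end"]]
            out[d["pid"]] = {"range": (d["start"], d["end"]), "size": d["size"],
                             "mapping_addrs": inside}
    return out


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS) or "none")
    for pid, info in payload_candidates(DUMPS).items():
        lo, hi = info["range"]
        print(f"PID {pid}: image region {lo:#x}-{hi:#x} ({human(info['size'])}), "
              f"mapping addresses inside: {[hex(a) for a in info['mapping_addrs']]}")
```

On this page every printed size agrees with its range, the only 0x400000 region belongs to PID 2204, and the mapping address 0x4376CE falls inside it, which is consistent with execution having been observed within the injected image rather than in RegSvcs.exe's own code.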