Analysis
max time kernel: 131s
max time network: 95s
platform: windows7_x64
resource: win7v20210408
submitted: 26-09-2021 19:05
Static task: static1
Behavioral task: behavioral1
  Sample: ACCOUNT FORM.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ACCOUNT FORM.exe
  Resource: win10-en-20210920
General
Target: ACCOUNT FORM.exe
Size: 1.7MB
MD5: bb06da848bdf0fb902bc05bfaa2deca3
SHA1: efd66a569fb1ea9cbba3c1160cb8a6975560e779
SHA256: 123de48e610d4e6dacfb9722ccf5073154cd419537a7b60aa510d81e06e51404
SHA512: 0f820c5e48eadc224cafc3d8d32df853b8041f69f378aa42d5c3f417e152f9af8807dfd0d57813cec75f54d9621edf11fc51c048bf32cbfcf634d93b5ca349a9
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.ozkengumruk.com.tr
Port: 587
Username: [email protected]
Password: A!wak487
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1876-69-0x00000000004376CE-mapping.dmp | family_agenttesla
behavioral1/memory/1876-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1876-70-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
Drops file in Drivers directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq = "C:\\Users\\Admin\\AppData\\Roaming\\tKZVPq\\tKZVPq.exe" | RegSvcs.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | process | target process
PID 1828 set thread context of 1876 | 1828 | ACCOUNT FORM.exe | RegSvcs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | process
1828 | ACCOUNT FORM.exe
1876 | RegSvcs.exe
1876 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1828 | ACCOUNT FORM.exe
Token: SeDebugPrivilege | 1876 | RegSvcs.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | process | target process
PID 1828 wrote to memory of 1304 | 1828 | ACCOUNT FORM.exe | schtasks.exe (4 identical entries)
PID 1828 wrote to memory of 1876 | 1828 | ACCOUNT FORM.exe | RegSvcs.exe (12 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ACCOUNT FORM.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qykCLxbojSJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CEC.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp7CEC.tmp
  MD5: a1d19234dab6433c71a0829f79ca09a9
  SHA1: 70c62b2c04d67ca4eff96982ce49907858a103dd
  SHA256: e77955c252b4f07b3424a73edd7fcb06bca639912bc1810284bb6b284ea0e7c8
  SHA512: 92d36709ee246451f2c0f01c65de89cd4d1f95fe8f1f5be6e2a9da36d2ca5648b74d71ae8af238d7fd9a4a0d0cdca1c0b8cf2e70f7e5a1bf47f87140ddf1439e

Memory dumps
memory/1304-66-0x0000000000000000-mapping.dmp
memory/1828-60-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize 4KB)
memory/1828-62-0x0000000004E20000-0x0000000004E21000-memory.dmp (Filesize 4KB)
memory/1828-63-0x0000000000380000-0x000000000038E000-memory.dmp (Filesize 56KB)
memory/1828-64-0x00000000091C0000-0x000000000923B000-memory.dmp (Filesize 492KB)
memory/1828-65-0x0000000000620000-0x0000000000658000-memory.dmp (Filesize 224KB)
memory/1876-69-0x00000000004376CE-mapping.dmp
memory/1876-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
memory/1876-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
memory/1876-72-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize 4KB)
memory/1876-73-0x0000000004B11000-0x0000000004B12000-memory.dmp (Filesize 4KB)