Analysis
- max time kernel: 133s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 05:46
Static task: static1
Behavioral task: behavioral1
- Sample: QUOTE 7254.bat.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: QUOTE 7254.bat.exe
- Resource: win10-en-20210920
General
- Target: QUOTE 7254.bat.exe
- Size: 578KB
- MD5: 4d0f6d1430135a6779417b51294af53c
- SHA1: a473af0c7fa93abf4ee9f780664eee49843ca008
- SHA256: 810834cae1e8be03e2534968ea0a1132a6d2dd18d8fd3e366c3d9dca3fb05846
- SHA512: 67f89029d4185a8335303d43eee87aae9cd5e2c7faf6f7f67b32116b5d27daae9e71bd48132c066b3b7a57d63430334ce073e818fcebe0e50c0114a0196ccbe6
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.rapidmail.ec
- Port: 587
- Username: anams@rapidmail.ec
- Password: icui4cu2@@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/3276-126-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral2/memory/3276-127-0x0000000000436D3E-mapping.dmp: family_agenttesla
  - behavioral2/memory/3276-132-0x0000000005710000-0x0000000005C0E000-memory.dmp: family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (QUOTE 7254.bat.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (QUOTE 7254.bat.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (QUOTE 7254.bat.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 2180 set thread context of 3276: 2180 QUOTE 7254.bat.exe -> QUOTE 7254.bat.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 2180 QUOTE 7254.bat.exe (4 entries)
  - 3276 QUOTE 7254.bat.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 2180 QUOTE 7254.bat.exe
  - Token: SeDebugPrivilege, 3276 QUOTE 7254.bat.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 2180 wrote to memory of 4080: 2180 QUOTE 7254.bat.exe -> schtasks.exe (3 entries)
  - PID 2180 wrote to memory of 3956: 2180 QUOTE 7254.bat.exe -> QUOTE 7254.bat.exe (3 entries)
  - PID 2180 wrote to memory of 3276: 2180 QUOTE 7254.bat.exe -> QUOTE 7254.bat.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (QUOTE 7254.bat.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (QUOTE 7254.bat.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgXhLeamRasUa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A72.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe"
  - C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE 7254.bat.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2180-122-0x0000000005550000-0x0000000005555000-memory.dmp (20KB)
- memory/2180-124-0x0000000007BB0000-0x0000000007C19000-memory.dmp (420KB)
- memory/2180-118-0x0000000005290000-0x0000000005291000-memory.dmp (4KB)
- memory/2180-119-0x0000000005370000-0x0000000005371000-memory.dmp (4KB)
- memory/2180-120-0x0000000005420000-0x0000000005421000-memory.dmp (4KB)
- memory/2180-121-0x00000000051B0000-0x00000000056AE000-memory.dmp (5.0MB)
- memory/2180-117-0x00000000056B0000-0x00000000056B1000-memory.dmp (4KB)
- memory/2180-123-0x0000000007A10000-0x0000000007A11000-memory.dmp (4KB)
- memory/2180-115-0x0000000000900000-0x0000000000901000-memory.dmp (4KB)
- memory/3276-126-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/3276-127-0x0000000000436D3E-mapping.dmp
- memory/3276-132-0x0000000005710000-0x0000000005C0E000-memory.dmp (5.0MB)
- memory/3276-133-0x0000000005BC0000-0x0000000005BC1000-memory.dmp (4KB)
- memory/3276-134-0x0000000006470000-0x0000000006471000-memory.dmp (4KB)
- memory/4080-125-0x0000000000000000-mapping.dmp