Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211014
submitted: 18-10-2021 11:33

Static task: static1

Behavioral task: behavioral1
Sample: [Schedule_&_Booking__18th_oct.exe
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: [Schedule_&_Booking__18th_oct.exe
Resource: win10-en-20210920

General
Target: [Schedule_&_Booking__18th_oct.exe
Size: 525KB
MD5: 4114e15de65a9ec4b8eacc3ef60804bb
SHA1: eb450264abe3b3ed70167f267cb974ea13d60260
SHA256: d81e35754aa34fb2fd0b850b4f1d8080a64a8408623303d3a8abecea5b0a30de
SHA512: 256e27521a7008896808a798222025769a00aa155148e843a959c969bb9b7e369a4d57f5d1605fe4c1d1f0704c675df638eea032f602c51d1fb78e2af8e6805c
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: PxhrKDkvikRcSaP2dkv9
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

AgentTesla Payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/616-64-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/616-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/616-66-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/616-67-0x000000000043780E-mapping.dmp | family_agenttesla
  behavioral1/memory/616-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/668-86-0x0000000002520000-0x000000000316A000-memory.dmp | family_agenttesla
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
  pid | Process
  1972 | apps.exe
  2032 | apps.exe
  1664 | winrara.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid | Process
  616 | [Schedule_&_Booking__18th_oct.exe
  1972 | apps.exe
  2032 | apps.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | apps.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | apps.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | [Schedule_&_Booking__18th_oct.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | [Schedule_&_Booking__18th_oct.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | [Schedule_&_Booking__18th_oct.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\desktop_app = "C:\\Users\\Admin\\AppData\\Roaming\\desktop_app\\desktop_app.exe" | [Schedule_&_Booking__18th_oct.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  6 | ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 2024 set thread context of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | Process
  1464 | schtasks.exe
  1352 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid | Process
  2024 | [Schedule_&_Booking__18th_oct.exe
  2024 | [Schedule_&_Booking__18th_oct.exe
  616 | [Schedule_&_Booking__18th_oct.exe
  616 | [Schedule_&_Booking__18th_oct.exe
  1156 | powershell.exe
  668 | powershell.exe
  1556 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 2024 | [Schedule_&_Booking__18th_oct.exe
  Token: SeDebugPrivilege | 616 | [Schedule_&_Booking__18th_oct.exe
  Token: SeDebugPrivilege | 1156 | powershell.exe
  Token: SeDebugPrivilege | 668 | powershell.exe
  Token: SeDebugPrivilege | 2032 | apps.exe
  Token: SeDebugPrivilege | 1556 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | Process
  616 | [Schedule_&_Booking__18th_oct.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 2024 wrote to memory of 1156 | 2024 | [Schedule_&_Booking__18th_oct.exe | 27
  PID 2024 wrote to memory of 1156 | 2024 | [Schedule_&_Booking__18th_oct.exe | 27
  PID 2024 wrote to memory of 1156 | 2024 | [Schedule_&_Booking__18th_oct.exe | 27
  PID 2024 wrote to memory of 1156 | 2024 | [Schedule_&_Booking__18th_oct.exe | 27
  PID 2024 wrote to memory of 1464 | 2024 | [Schedule_&_Booking__18th_oct.exe | 29
  PID 2024 wrote to memory of 1464 | 2024 | [Schedule_&_Booking__18th_oct.exe | 29
  PID 2024 wrote to memory of 1464 | 2024 | [Schedule_&_Booking__18th_oct.exe | 29
  PID 2024 wrote to memory of 1464 | 2024 | [Schedule_&_Booking__18th_oct.exe | 29
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 2024 wrote to memory of 616 | 2024 | [Schedule_&_Booking__18th_oct.exe | 31
  PID 616 wrote to memory of 1972 | 616 | [Schedule_&_Booking__18th_oct.exe | 35
  PID 616 wrote to memory of 1972 | 616 | [Schedule_&_Booking__18th_oct.exe | 35
  PID 616 wrote to memory of 1972 | 616 | [Schedule_&_Booking__18th_oct.exe | 35
  PID 616 wrote to memory of 1972 | 616 | [Schedule_&_Booking__18th_oct.exe | 35
  PID 2032 wrote to memory of 1664 | 2032 | apps.exe | 41
  PID 2032 wrote to memory of 1664 | 2032 | apps.exe | 41
  PID 2032 wrote to memory of 1664 | 2032 | apps.exe | 41
  PID 2032 wrote to memory of 1664 | 2032 | apps.exe | 41
  PID 2032 wrote to memory of 1556 | 2032 | apps.exe | 42
  PID 2032 wrote to memory of 1556 | 2032 | apps.exe | 42
  PID 2032 wrote to memory of 1556 | 2032 | apps.exe | 42
  PID 2032 wrote to memory of 1556 | 2032 | apps.exe | 42
outlook_office_path (1 IoCs)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | [Schedule_&_Booking__18th_oct.exe

outlook_win_path (1 IoCs)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | [Schedule_&_Booking__18th_oct.exe
Processes

C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"
  PID: 2024
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"
    PID: 1156
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swqpSTZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA1B.tmp"
    PID: 1464
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"
    PID: 616
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Users\Admin\AppData\Local\Temp\apps.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\apps.exe"
      PID: 1972
      - Executes dropped EXE
      - Loads dropped DLL

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apps.exe"
        PID: 668
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1F15.tmp"
        PID: 1352
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\apps.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\apps.exe"
        PID: 2032
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
          Command line: "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
          PID: 1664
          - Executes dropped EXE

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" Get-MpPreference -verbose
          PID: 1556
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads