Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
18-10-2021 11:33
Static task
static1
Behavioral task
behavioral1
Sample
[Schedule_&_Booking__18th_oct.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
[Schedule_&_Booking__18th_oct.exe
Resource
win10-en-20210920
General
-
Target
[Schedule_&_Booking__18th_oct.exe
-
Size
525KB
-
MD5
4114e15de65a9ec4b8eacc3ef60804bb
-
SHA1
eb450264abe3b3ed70167f267cb974ea13d60260
-
SHA256
d81e35754aa34fb2fd0b850b4f1d8080a64a8408623303d3a8abecea5b0a30de
-
SHA512
256e27521a7008896808a798222025769a00aa155148e843a959c969bb9b7e369a4d57f5d1605fe4c1d1f0704c675df638eea032f602c51d1fb78e2af8e6805c
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
PxhrKDkvikRcSaP2dkv9
Extracted
quasar
2.1.0.0
Office04
grace.adds-only.xyz:1609
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
wHq4o3k6UfKZv19jkcxs
-
install_name
winrara.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Extracted
quasar
- encryption_key
- install_name
- log_directory
-
reconnect_delay
3000
- startup_key
- subdirectory
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral2/memory/5012-176-0x0000000000400000-0x000000000048C000-memory.dmp disable_win_def behavioral2/memory/5012-177-0x0000000000486C1E-mapping.dmp disable_win_def behavioral2/memory/5012-197-0x0000000004F60000-0x000000000545E000-memory.dmp disable_win_def -
Quasar Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/5012-176-0x0000000000400000-0x000000000048C000-memory.dmp family_quasar behavioral2/memory/5012-177-0x0000000000486C1E-mapping.dmp family_quasar behavioral2/memory/5012-197-0x0000000004F60000-0x000000000545E000-memory.dmp family_quasar -
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2492-126-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/2492-129-0x000000000043780E-mapping.dmp family_agenttesla behavioral2/memory/2492-138-0x00000000054B0000-0x00000000059AE000-memory.dmp family_agenttesla -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
apps.exeapps.exewinrara.exepid process 3244 apps.exe 5012 apps.exe 312 winrara.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
apps.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features apps.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" apps.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Schedule_&_Booking__18th_oct.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Schedule_&_Booking__18th_oct.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Schedule_&_Booking__18th_oct.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\desktop_app = "C:\\Users\\Admin\\AppData\\Roaming\\desktop_app\\desktop_app.exe" [Schedule_&_Booking__18th_oct.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 37 ip-api.com -
Suspicious use of SetThreadContext 2 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exeapps.exedescription pid process target process PID 3580 set thread context of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3244 set thread context of 5012 3244 apps.exe apps.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2764 schtasks.exe 4992 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exe[Schedule_&_Booking__18th_oct.exepowershell.exeapps.exepowershell.exepowershell.exeapps.exepid process 3580 [Schedule_&_Booking__18th_oct.exe 3580 [Schedule_&_Booking__18th_oct.exe 2492 [Schedule_&_Booking__18th_oct.exe 2492 [Schedule_&_Booking__18th_oct.exe 3124 powershell.exe 3124 powershell.exe 3124 powershell.exe 3244 apps.exe 3244 apps.exe 4952 powershell.exe 4952 powershell.exe 4952 powershell.exe 1212 powershell.exe 1212 powershell.exe 1212 powershell.exe 5012 apps.exe 5012 apps.exe 5012 apps.exe 5012 apps.exe 5012 apps.exe 5012 apps.exe 5012 apps.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exe[Schedule_&_Booking__18th_oct.exepowershell.exeapps.exepowershell.exeapps.exepowershell.exedescription pid process Token: SeDebugPrivilege 3580 [Schedule_&_Booking__18th_oct.exe Token: SeDebugPrivilege 2492 [Schedule_&_Booking__18th_oct.exe Token: SeDebugPrivilege 3124 powershell.exe Token: SeDebugPrivilege 3244 apps.exe Token: SeDebugPrivilege 4952 powershell.exe Token: SeDebugPrivilege 5012 apps.exe Token: SeDebugPrivilege 1212 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exepid process 2492 [Schedule_&_Booking__18th_oct.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exe[Schedule_&_Booking__18th_oct.exeapps.exeapps.execmd.exedescription pid process target process PID 3580 wrote to memory of 3124 3580 [Schedule_&_Booking__18th_oct.exe powershell.exe PID 3580 wrote to memory of 3124 3580 [Schedule_&_Booking__18th_oct.exe powershell.exe PID 3580 wrote to memory of 3124 3580 [Schedule_&_Booking__18th_oct.exe powershell.exe PID 3580 wrote to memory of 2764 3580 [Schedule_&_Booking__18th_oct.exe schtasks.exe PID 3580 wrote to memory of 2764 3580 [Schedule_&_Booking__18th_oct.exe schtasks.exe PID 3580 wrote to memory of 2764 3580 [Schedule_&_Booking__18th_oct.exe schtasks.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 3580 wrote to memory of 2492 3580 [Schedule_&_Booking__18th_oct.exe [Schedule_&_Booking__18th_oct.exe PID 2492 wrote to memory of 3244 2492 [Schedule_&_Booking__18th_oct.exe apps.exe PID 2492 wrote to memory of 3244 2492 [Schedule_&_Booking__18th_oct.exe apps.exe PID 2492 wrote to memory of 3244 2492 [Schedule_&_Booking__18th_oct.exe apps.exe PID 3244 wrote to memory of 4952 3244 apps.exe powershell.exe PID 3244 wrote to memory of 4952 3244 apps.exe powershell.exe PID 3244 wrote to memory of 4952 3244 apps.exe powershell.exe PID 3244 wrote to memory of 4992 3244 apps.exe schtasks.exe PID 3244 wrote to memory of 4992 3244 apps.exe schtasks.exe PID 3244 wrote to memory of 4992 3244 apps.exe schtasks.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 3244 wrote to memory of 5012 3244 apps.exe apps.exe PID 5012 wrote to memory of 312 5012 apps.exe winrara.exe PID 5012 wrote to memory of 312 5012 apps.exe winrara.exe PID 5012 wrote to memory of 312 5012 apps.exe winrara.exe PID 5012 wrote to memory of 1212 5012 apps.exe powershell.exe PID 5012 wrote to memory of 1212 5012 apps.exe powershell.exe PID 5012 wrote to memory of 1212 5012 apps.exe powershell.exe PID 5012 wrote to memory of 4668 5012 apps.exe cmd.exe PID 5012 wrote to memory of 4668 5012 apps.exe cmd.exe PID 5012 wrote to memory of 4668 5012 apps.exe cmd.exe PID 4668 wrote to memory of 1840 4668 cmd.exe cmd.exe PID 4668 wrote to memory of 1840 4668 cmd.exe cmd.exe PID 4668 wrote to memory of 1840 4668 cmd.exe cmd.exe -
outlook_office_path 1 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Schedule_&_Booking__18th_oct.exe -
outlook_win_path 1 IoCs
Processes:
[Schedule_&_Booking__18th_oct.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Schedule_&_Booking__18th_oct.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swqpSTZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47A4.tmp"2⤵
- Creates scheduled task(s)
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\apps.exe"C:\Users\Admin\AppData\Local\Temp\apps.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apps.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96D8.tmp"4⤵
- Creates scheduled task(s)
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\apps.exe"C:\Users\Admin\AppData\Local\Temp\apps.exe"4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"5⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit5⤵
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*6⤵PID:1840
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
MD5
e33ed3d4cc9b2e5a08ae25747ef47620
SHA1e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7
SHA2560e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f
SHA5129e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e
-
MD5
c70e4b5825918cbc47e09aea453a7c0f
SHA146ad45a466dd2b8f13a709c56aa1db358ab1f6f0
SHA256afca90177e26355a52373f8c739ad1ed734422be9362e75dd64f483abc247aaa
SHA512f2d6c0d09cdc9c10b13828f22e915d08ef058d8835abfc46824a8db35f83ea293500734f8f2e378dc79e130396ba3a6f2b67fe984e9312bba93294b2b55d9d75
-
MD5
131215bb95839443c3ce951a7936e2b3
SHA1a3bca56801e757622056a85b0390554a3b8bfc36
SHA2567f3aff5800fb18de32d75289dd8f82379cd0e9bf1b5abbfa9ebdce94e66cd72a
SHA512de648270b7ca719b94a130b21bac04e1e8ba69d4408afb7fe34b6111e65294c0862c50d98a067d83e044930b0aaac4a83671ccf08372cbf006387974141c61e6
-
MD5
1b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
MD5
1b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
MD5
1b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
MD5
1b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc
-
MD5
1b465c6989637df1d5c511919c43e457
SHA1317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA2560b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc