Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
18-10-2021 11:33
General
-
Target
[Schedule_&_Booking__18th_oct.exe
-
Size
525KB
-
MD5
4114e15de65a9ec4b8eacc3ef60804bb
-
SHA1
eb450264abe3b3ed70167f267cb974ea13d60260
-
SHA256
d81e35754aa34fb2fd0b850b4f1d8080a64a8408623303d3a8abecea5b0a30de
-
SHA512
256e27521a7008896808a798222025769a00aa155148e843a959c969bb9b7e369a4d57f5d1605fe4c1d1f0704c675df638eea032f602c51d1fb78e2af8e6805c
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
PxhrKDkvikRcSaP2dkv9
Extracted
quasar
2.1.0.0
Office04
grace.adds-only.xyz:1609
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
wHq4o3k6UfKZv19jkcxs
-
install_name
winrara.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Extracted
quasar
- encryption_key
- install_name
- log_directory
-
reconnect_delay
3000
- startup_key
- subdirectory
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Quasar Payload 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
AgentTesla Payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swqpSTZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47A4.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"C:\Users\Admin\AppData\Local\Temp\[Schedule_&_Booking__18th_oct.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\apps.exe"C:\Users\Admin\AppData\Local\Temp\apps.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apps.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96D8.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\apps.exe"C:\Users\Admin\AppData\Local\Temp\apps.exe"4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*6⤵
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
5.0MB
-
Filesize
356KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
560KB