Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
19-10-2021 11:29
Static task
static1
Behavioral task
behavioral1
Sample
PO_SHZ41.EXE
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PO_SHZ41.EXE
Resource
win10-en-20211014
General
-
Target
PO_SHZ41.EXE
-
Size
72KB
-
MD5
410cce7e5da174865ae1c5d65458d92c
-
SHA1
0ea38171202123c4f0115cb5cefc578bc0b664a3
-
SHA256
8dc1640499a6b1cac921adb0e5899e2fe02f4902b2f6acfa5d4f7c2f277e54cc
-
SHA512
f7eca94b7ec65a7e932d0faeb37703c716b5856f71a696378c01e44ea3c4749b10892e877f4efc75797319648fbe77ad143cf53ba01f4324eb76e4be32128a20
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
xxxlahot2
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1740-88-0x0000000004400000-0x0000000004436000-memory.dmp family_agenttesla -
Nirsoft 7 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exepid process 792 AdvancedRun.exe 1076 AdvancedRun.exe -
Loads dropped DLL 4 IoCs
Processes:
PO_SHZ41.EXEAdvancedRun.exepid process 1740 PO_SHZ41.EXE 1740 PO_SHZ41.EXE 792 AdvancedRun.exe 792 AdvancedRun.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
PO_SHZ41.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions PO_SHZ41.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE = "0" PO_SHZ41.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" PO_SHZ41.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features PO_SHZ41.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths PO_SHZ41.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe = "0" PO_SHZ41.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection PO_SHZ41.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" PO_SHZ41.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" PO_SHZ41.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
PO_SHZ41.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO_SHZ41.EXE Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO_SHZ41.EXE Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO_SHZ41.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
PO_SHZ41.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\獖猻猦獗猧獆猩猬猤猬猧獘猵猣獘 = "C:\\Windows\\Microsoft.NET\\Framework\\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\\svchost.exe" PO_SHZ41.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\TmZaMAa = "C:\\Users\\Admin\\AppData\\Roaming\\TmZaMAa\\TmZaMAa.exe" PO_SHZ41.EXE -
Drops file in Windows directory 2 IoCs
Processes:
PO_SHZ41.EXEdescription ioc process File created C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe PO_SHZ41.EXE File opened for modification C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe PO_SHZ41.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exePO_SHZ41.EXEpowershell.exepid process 544 powershell.exe 1376 powershell.exe 572 powershell.exe 792 AdvancedRun.exe 792 AdvancedRun.exe 1076 AdvancedRun.exe 1076 AdvancedRun.exe 1740 PO_SHZ41.EXE 1740 PO_SHZ41.EXE 1944 powershell.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
PO_SHZ41.EXEpowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exedescription pid process Token: SeDebugPrivilege 1740 PO_SHZ41.EXE Token: SeDebugPrivilege 544 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeDebugPrivilege 572 powershell.exe Token: SeDebugPrivilege 792 AdvancedRun.exe Token: SeImpersonatePrivilege 792 AdvancedRun.exe Token: SeDebugPrivilege 1076 AdvancedRun.exe Token: SeImpersonatePrivilege 1076 AdvancedRun.exe Token: SeDebugPrivilege 1944 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
PO_SHZ41.EXEAdvancedRun.exedescription pid process target process PID 1740 wrote to memory of 572 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 572 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 572 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 572 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1376 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1376 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1376 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1376 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 544 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 544 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 544 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 544 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 792 1740 PO_SHZ41.EXE AdvancedRun.exe PID 1740 wrote to memory of 792 1740 PO_SHZ41.EXE AdvancedRun.exe PID 1740 wrote to memory of 792 1740 PO_SHZ41.EXE AdvancedRun.exe PID 1740 wrote to memory of 792 1740 PO_SHZ41.EXE AdvancedRun.exe PID 792 wrote to memory of 1076 792 AdvancedRun.exe AdvancedRun.exe PID 792 wrote to memory of 1076 792 AdvancedRun.exe AdvancedRun.exe PID 792 wrote to memory of 1076 792 AdvancedRun.exe AdvancedRun.exe PID 792 wrote to memory of 1076 792 AdvancedRun.exe AdvancedRun.exe PID 1740 wrote to memory of 1944 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1944 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1944 1740 PO_SHZ41.EXE powershell.exe PID 1740 wrote to memory of 1944 1740 PO_SHZ41.EXE powershell.exe -
outlook_office_path 1 IoCs
Processes:
PO_SHZ41.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO_SHZ41.EXE -
outlook_win_path 1 IoCs
Processes:
PO_SHZ41.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PO_SHZ41.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE"C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE"1⤵
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe" /SpecialRun 4101d8 7923⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
1090217f0c02701cd9fe450aa3a1cd0d
SHA1f20e0fe4b872a71d6babd19b61a0a243ca9f33ea
SHA2562c20e4f1148b06d293cd57dc7c942c1c97de27fbe587f864e0cdb2ea751083d9
SHA512149a1d9f89e64a075f9067c852cd6905bb84695a9c46537639752dbd438802bb67b610ae992a2daab939c4844652440d2a71d44102950ac1a52738f72b013cde
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
1090217f0c02701cd9fe450aa3a1cd0d
SHA1f20e0fe4b872a71d6babd19b61a0a243ca9f33ea
SHA2562c20e4f1148b06d293cd57dc7c942c1c97de27fbe587f864e0cdb2ea751083d9
SHA512149a1d9f89e64a075f9067c852cd6905bb84695a9c46537639752dbd438802bb67b610ae992a2daab939c4844652440d2a71d44102950ac1a52738f72b013cde
-
\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/544-80-0x0000000002442000-0x0000000002444000-memory.dmpFilesize
8KB
-
memory/544-74-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/544-78-0x0000000002441000-0x0000000002442000-memory.dmpFilesize
4KB
-
memory/544-62-0x0000000000000000-mapping.dmp
-
memory/572-79-0x0000000002410000-0x000000000305A000-memory.dmpFilesize
12.3MB
-
memory/572-60-0x0000000000000000-mapping.dmp
-
memory/572-83-0x0000000002410000-0x000000000305A000-memory.dmpFilesize
12.3MB
-
memory/572-82-0x0000000002410000-0x000000000305A000-memory.dmpFilesize
12.3MB
-
memory/792-69-0x0000000000000000-mapping.dmp
-
memory/1076-84-0x0000000000000000-mapping.dmp
-
memory/1376-75-0x00000000022C0000-0x00000000022C1000-memory.dmpFilesize
4KB
-
memory/1376-77-0x00000000022C1000-0x00000000022C2000-memory.dmpFilesize
4KB
-
memory/1376-61-0x0000000000000000-mapping.dmp
-
memory/1376-81-0x00000000022C2000-0x00000000022C4000-memory.dmpFilesize
8KB
-
memory/1740-59-0x0000000000270000-0x00000000002F2000-memory.dmpFilesize
520KB
-
memory/1740-53-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/1740-56-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/1740-57-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1740-55-0x00000000765A1000-0x00000000765A3000-memory.dmpFilesize
8KB
-
memory/1740-88-0x0000000004400000-0x0000000004436000-memory.dmpFilesize
216KB
-
memory/1944-87-0x0000000000000000-mapping.dmp
-
memory/1944-92-0x0000000002431000-0x0000000002432000-memory.dmpFilesize
4KB
-
memory/1944-91-0x0000000002430000-0x0000000002431000-memory.dmpFilesize
4KB
-
memory/1944-93-0x0000000002432000-0x0000000002434000-memory.dmpFilesize
8KB