Overview

overview

10

Static

static

pol.exe

windows11_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    126s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    19-10-2021 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pol.exe

  • Size

    627KB

  • MD5

    1363b11e2105d3486b2b5e8479c57a12

  • SHA1

    b9d24a83153aa0af8b1d00214096ddc75d0464e1

  • SHA256

    1a2283bb101bc94c20d48d0ad06f11ce6cb7d0ad76e117a4176b71900dd4c6b3

  • SHA512

    ac431b6933b6b46e73e958efed679986df80b8b867536908375b36bef259e4521b6488dea91c30ceb1cfd92b0c26a1f5d044ea4d824eff2eaa3280191575765b

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sg2plcpnl0023.prod.sin2.secureserver.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    User@40378

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pol.exe
    "C:\Users\Admin\AppData\Local\Temp\pol.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3048
  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv I3fkV4owRUy1ZxZX4HESJw.0
    1⤵
      PID:4956
    • C:\Windows\System32\sihclient.exe
      C:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.2
      1⤵
      • Modifies data under HKEY_USERS
      PID:4620
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Modifies data under HKEY_USERS
      PID:3816
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4924
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
      1⤵
        PID:2832

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3048-160-0x0000000000000000-mapping.dmp
        Download
      • memory/3048-180-0x0000000005000000-0x00000000055A6000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3048-178-0x00000000067A0000-0x00000000067A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3048-171-0x00000000062F0000-0x00000000062F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3048-170-0x0000000006240000-0x0000000006241000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3048-169-0x0000000005000000-0x00000000055A6000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3048-161-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3584-159-0x0000000007860000-0x00000000078DD000-memory.dmp
        Filesize

        500KB

        Download
      • memory/3584-149-0x0000000000030000-0x0000000000031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-156-0x0000000004A70000-0x0000000005016000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3584-157-0x0000000007390000-0x0000000007395000-memory.dmp
        Filesize

        20KB

        Download
      • memory/3584-158-0x00000000076C0000-0x00000000076C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-155-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-154-0x00000000055D0000-0x00000000055D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-153-0x0000000004C70000-0x0000000004C71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-152-0x0000000004B60000-0x0000000004B61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-151-0x0000000005020000-0x0000000005021000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-146-0x0000018C32160000-0x0000018C32170000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3816-172-0x0000018C34AA0000-0x0000018C34AA4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3816-173-0x0000018C34A60000-0x0000018C34A61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-174-0x0000018C325E0000-0x0000018C325E4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3816-175-0x0000018C325D0000-0x0000018C325D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-176-0x0000018C325D0000-0x0000018C325D4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3816-177-0x0000018C324B0000-0x0000018C324B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-148-0x0000018C325B0000-0x0000018C325B4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3816-147-0x0000018C321E0000-0x0000018C321F0000-memory.dmp
        Filesize

        64KB

        Download