Analysis
- Max time kernel: 138s
- Max time network: 141s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 21-10-2021 04:37
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ-41845597.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: RFQ-41845597.exe
- Resource: win10-en-20211014
General
- Target: RFQ-41845597.exe
- Size: 554KB
- MD5: 03ebac4b300318683abedd76cdb7bde6
- SHA1: b475b0079d963fc7198cbc12f4f3447ce95da352
- SHA256: 9bca070ab37ea78134d5e9a5203521570bddd110e8ea8a620b702c71ecd89d54
- SHA512: f9b68b6463872018f20f7fe39d94afe823bf5f47b188c90311c2f6e478822cac435fe7158307cfeb409b243d72d1e865cdc3024d6ca6461ea1bee4cc9d8a743e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.ananthahotels.com
- Port: 587
- Username: [email protected]
- Password: india225@#
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1600-60-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1600-61-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1600-62-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1600-63-0x00000000004374AE-mapping.dmp                     family_agenttesla
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: RFQ-41845597.exe
  description                            pid   process           target process
  PID 1428 set thread context of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RFQ-41845597.exe
  pid   process
  1600  RFQ-41845597.exe
  1600  RFQ-41845597.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: dw20.exe
  pid   process
  432   dw20.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RFQ-41845597.exe, RFQ-41845597.exe
  description              pid   process
  Token: SeDebugPrivilege  1428  RFQ-41845597.exe
  Token: SeDebugPrivilege  1600  RFQ-41845597.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: RFQ-41845597.exe, RFQ-41845597.exe
  description                         pid   process           target process
  PID 1428 wrote to memory of 780     1428  RFQ-41845597.exe  schtasks.exe
  PID 1428 wrote to memory of 780     1428  RFQ-41845597.exe  schtasks.exe
  PID 1428 wrote to memory of 780     1428  RFQ-41845597.exe  schtasks.exe
  PID 1428 wrote to memory of 780     1428  RFQ-41845597.exe  schtasks.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1428 wrote to memory of 1600    1428  RFQ-41845597.exe  RFQ-41845597.exe
  PID 1600 wrote to memory of 432     1600  RFQ-41845597.exe  dw20.exe
  PID 1600 wrote to memory of 432     1600  RFQ-41845597.exe  dw20.exe
  PID 1600 wrote to memory of 432     1600  RFQ-41845597.exe  dw20.exe
  PID 1600 wrote to memory of 432     1600  RFQ-41845597.exe  dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ-41845597.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-41845597.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qLfHHhQPSUpA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70EC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ-41845597.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp70EC.tmp
  MD5: 70158d9d78306f468671c450bc8ee51c
  SHA1: bee1b0e614b1d7a5bafef01077056ad13190b108
  SHA256: bded2e2fdbd0d32fe4bb933f2e96d70172a8c9b95257219a9dfdac4cf7be82d7
  SHA512: 204396d87310c4dc8341939eb412d9cc236f1de88eeef3f9a3e2bd80c53c8cc5918442fe288071814c9375f686e3d5074b4b8f7319f5317bcab59e5a7dd4ff6a
- memory/432-66-0x0000000000000000-mapping.dmp
- memory/432-68-0x0000000000520000-0x0000000000521000-memory.dmp
  Filesize: 4KB
- memory/780-56-0x0000000000000000-mapping.dmp
- memory/1428-54-0x0000000000360000-0x0000000000361000-memory.dmp
  Filesize: 4KB
- memory/1428-55-0x0000000000361000-0x0000000000362000-memory.dmp
  Filesize: 4KB
- memory/1428-53-0x00000000768C1000-0x00000000768C3000-memory.dmp
  Filesize: 8KB
- memory/1600-59-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1600-61-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1600-62-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1600-63-0x00000000004374AE-mapping.dmp
- memory/1600-65-0x00000000001B0000-0x00000000001B1000-memory.dmp
  Filesize: 4KB
- memory/1600-60-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1600-58-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB