Analysis
-
max time kernel
123s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
21-10-2021 11:38
General
-
Target
printing labels and items shipping marks for order 200018808.exe
-
Size
653KB
-
MD5
d66d39a631410003673f85a5c8293e85
-
SHA1
a9d4a8f39d2a58e6134faabc937ca8cce58dae93
-
SHA256
5e02cafcb735f048e38347099086988b2ee9d5c09956f95257602d3a45fd6716
-
SHA512
8cb1f697e0a7725913971d7bcaf5cf8614247f45dff0e443f96d9e79e775cebcf7ca80977fca7ba9c6ace74ae99d477ef61ea8c084b2e1a18b3632d2f0a41a42
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.electronmash.com - Port:
587 - Username:
office@electronmash.com - Password:
Zanzibar2018
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe"C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GtFqyleloVs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61EE.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 5163⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp61EE.tmpMD5
a7bcd828e930c80a47f3f8754dc13b53
SHA1363192d986610bd3d3edefdd3ea36b7ae2838065
SHA25628c81bea071f4c535b0a5f5434e0e60c48037cf87021d5088441f2ae32a030de
SHA51219999b8dfa3a5cf00a708b445cfaa4dbdb322a826a5c625f99a12833bdc9476444d6073d12320a1885ee3d11f2ca725553a0f73cb08b49a9777aa7caad886f86
-
memory/1000-64-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1000-60-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1000-61-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1000-62-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1000-63-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1000-65-0x00000000004374FE-mapping.dmp
-
memory/1000-67-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/1236-57-0x0000000000BE1000-0x0000000000BE2000-memory.dmpFilesize
4KB
-
memory/1236-56-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/1236-55-0x0000000075191000-0x0000000075193000-memory.dmpFilesize
8KB
-
memory/1472-58-0x0000000000000000-mapping.dmp
-
memory/1564-68-0x0000000000000000-mapping.dmp
-
memory/1564-70-0x0000000001C90000-0x0000000001C91000-memory.dmpFilesize
4KB