Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 11:40

Static task: static1
Behavioral task: behavioral1 (Sample: ENQUIRY.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: ENQUIRY.exe, Resource: win10-en-20210920)
The signatures, process tree and dumps below come from behavioral1, the Windows 7 x64 run (the dump paths are prefixed behavioral1/).
General
- Target: ENQUIRY.exe
- Size: 570KB
- MD5: dfc7cff14929dc6879d88a2c514bfef8
- SHA1: 319f1833848a98c976c1eb074af16a52ee4d1433
- SHA256: a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7
- SHA512: 452237738c52331f7dce3d5d6da93464a7be47c4ffe1d782958c562beed0021717465fda0db9115392a4766f2b8f7ef0ccd89645e2b7d8b4fe75ac3ccb70d85b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.aldhiyafainteriors.com
- Port: 587
- Username: rahman@aldhiyafainteriors.com
- Password: dhiyafa@987
The stealer authenticates to this mailbox over SMTP submission (port 587) to send harvested data; the mailbox is the exfiltration drop configured by the operator. Outbound SMTP from a workstation to this host on 587 is the network indicator to hunt for, independent of whether the sample ever reaches the exfiltration stage in the sandbox.
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (the Triage signature description says "written in visual basic"; the dw20.exe .NET error-reporting process spawned by the injected child further down is consistent with a managed payload).

AgentTesla Payload 4 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/516-61-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral1/memory/516-62-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral1/memory/516-63-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral1/memory/516-64-0x00000000004376CE-mapping.dmp                     family_agenttesla
All four matches are in PID 516, the second "{path}" child, in the 0x400000-0x43C000 image region that the parent wrote into before calling SetThreadContext on it. The on-disk ENQUIRY.exe is the loader; the AgentTesla payload only exists unpacked in that child's memory.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process       target process
PID 332 set thread context of 516    332   ENQUIRY.exe   ENQUIRY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage labels this "likely ransomware behaviour", but the label is a generic heuristic: nothing else in this report points to ransomware (the only dropped file is the scheduled-task XML under Downloads), and drive enumeration is equally ordinary for a stealer profiling the host.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
332   ENQUIRY.exe
332   ENQUIRY.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1120   dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                pid   process
Token: SeDebugPrivilege    332   ENQUIRY.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes (grouped here; the report lists every write as its own row):
description                       pid   process       target process   writes
PID 332 wrote to memory of 636    332   ENQUIRY.exe   schtasks.exe     4
PID 332 wrote to memory of 272    332   ENQUIRY.exe   ENQUIRY.exe      4
PID 332 wrote to memory of 516    332   ENQUIRY.exe   ENQUIRY.exe      9
PID 516 wrote to memory of 1120   516   ENQUIRY.exe   dw20.exe         4
Four writes per child is the baseline an ordinary launch produces in this run (schtasks.exe at 636, dw20.exe at 1120, and the first "{path}" child at 272, which receives nothing further). The second "{path}" child at 516 receives nine writes followed by the SetThreadContext call: the parent places the payload into a fresh copy of its own image and redirects execution into it, which is process hollowing.
Processes (PIDs taken from the Signatures section)
- C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe (PID 332)
  "C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 636)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qhikTxSZJsELY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7935.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe (PID 272)
    "{path}"
  - C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe (PID 516)
    "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1120)
      dw20.exe -x -s 392
      - Suspicious behavior: GetForegroundWindowSpam

Notes on the tree:
- The schtasks image path is SysWOW64 although the command line names System32: the 32-bit parent's System32 reference is redirected by WoW64 file-system redirection, so the sample is a 32-bit binary (consistent with the 0x400000 image base of the dumps).
- The task is created from an XML definition written to Temp first (tmp7935.tmp, hashed under Downloads), so the trigger and the command the task runs are in that file, not on the command line; the task name is hidden under an "Updates" task folder.
- dw20.exe is the .NET Framework error-reporting helper that runs when a managed application hits an unhandled exception. It is launched by the hollowed child 516, so the payload crashed in this run; behaviour after injection, including SMTP exfiltration with the extracted credentials, may be incomplete in this report.
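The chain above (schtasks persistence from a Temp XML, self-image process hollowing, and the crash into dw20.exe) can be expressed as three checks over process events. The following is an added example written for this page, not Triage code: the event records are constructed by hand from the PIDs, image paths and command lines in the Signatures and Processes sections, and the record layout (kind/pid/ppid/image/cmdline/target) is this example's own, not a Triage or Sysmon schema.

```python
"""Detection logic for the ENQUIRY.exe process chain shown above.

Added example for this report, not Triage output. EVENTS is constructed by
hand from the PIDs, image paths and command lines in the Signatures and
Processes sections; the record layout (kind/pid/ppid/image/cmdline/target)
is this example's own, not a Triage or Sysmon schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DW20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"


@dataclass
class Event:
    kind: str                      # "create" | "write_memory" | "set_thread_context"
    pid: int                       # acting process
    image: str                     # image path of the acting process
    ppid: Optional[int] = None     # parent pid, for "create"
    cmdline: str = ""              # command line, for "create"
    target: Optional[int] = None   # target pid, for memory/thread operations


# Constructed from the report: parent 332, schtasks 636, "{path}" children 272 and 516, dw20 1120.
EVENTS = [
    Event("create", 332, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("create", 636, SCHTASKS, ppid=332, cmdline=(
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qhikTxSZJsELY" '
        r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7935.tmp"')),
    *[Event("write_memory", 332, SAMPLE, target=636) for _ in range(4)],
    Event("create", 272, SAMPLE, ppid=332, cmdline='"{path}"'),
    *[Event("write_memory", 332, SAMPLE, target=272) for _ in range(4)],
    Event("create", 516, SAMPLE, ppid=332, cmdline='"{path}"'),
    *[Event("write_memory", 332, SAMPLE, target=516) for _ in range(9)],
    Event("set_thread_context", 332, SAMPLE, target=516),
    Event("create", 1120, DW20, ppid=516, cmdline="dw20.exe -x -s 392"),
    *[Event("write_memory", 516, SAMPLE, target=1120) for _ in range(4)],
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Writes a parent performs merely to launch a child; observed for 636, 272 and 1120 in this report.
LAUNCH_WRITE_BASELINE = 4


def detect_task_from_temp_xml(events):
    """schtasks /Create whose /XML task definition lives in a user Temp directory."""
    hits = []
    for ev in events:
        if ev.kind != "create" or not ev.image.lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in ev.cmdline.lower():
            continue
        xml = re.search(r'/XML\s+"([^"]+)"', ev.cmdline, re.IGNORECASE)
        tn = re.search(r'/TN\s+"([^"]+)"', ev.cmdline, re.IGNORECASE)
        if xml and USER_TEMP_RE.search(xml.group(1)):
            hits.append({"pid": ev.pid, "ppid": ev.ppid,
                         "task_name": tn.group(1) if tn else None,
                         "xml_path": xml.group(1)})
    return hits


def detect_self_image_hollowing(events):
    """Parent writes into a child running its own image, then SetThreadContext on it.

    Returns (parent_pid, child_pid, write_count). A child that only received the
    launch-baseline writes and no thread-context change (272 here) is not flagged.
    """
    image_of = {ev.pid: ev.image.lower() for ev in events if ev.kind == "create"}
    writes = {}
    for ev in events:
        if ev.kind == "write_memory" and ev.target is not None:
            writes[(ev.pid, ev.target)] = writes.get((ev.pid, ev.target), 0) + 1
    hits = []
    for ev in events:
        if ev.kind != "set_thread_context" or ev.target in (None, ev.pid):
            continue
        same_image = (image_of.get(ev.pid) is not None
                      and image_of.get(ev.pid) == image_of.get(ev.target))
        n = writes.get((ev.pid, ev.target), 0)
        if same_image and n > LAUNCH_WRITE_BASELINE:
            hits.append((ev.pid, ev.target, n))
    return hits


def detect_post_injection_crash(events):
    """Hollowed child spawning dw20.exe (.NET error reporting): the payload faulted."""
    injected = {child for _, child, _ in detect_self_image_hollowing(events)}
    return [(ev.ppid, ev.pid) for ev in events
            if ev.kind == "create" and ev.ppid in injected
            and ev.image.lower().endswith("\\dw20.exe")]


def triage(events):
    return {
        "persistence": detect_task_from_temp_xml(events),
        "hollowing": detect_self_image_hollowing(events),
        "crashes": detect_post_injection_crash(events),
    }


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(name, result)
```

The write-count threshold is what separates the injected child 516 (nine writes plus SetThreadContext) from its sibling 272 and from the legitimate schtasks and dw20 launches (four writes each); in a real telemetry source the baseline should be measured rather than hard-coded, and the SetThreadContext event should remain the primary condition.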
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7935.tmp (the task definition passed to schtasks /XML)
  MD5: d8a25d9ba075181dd043afbaab152133
  SHA1: fa8aff902d3e3ad2945f0dbace140dd82953083f
  SHA256: 673c6fb9405c0844296bfcc9f1b80582c536d1b7b5fc801f701697f5e3346a62
  SHA512: 86d6309ff213ab43e35853d68f07bb66a10afa10d7c304285962201a80d71c125dc48eca9c5604b6d7e854c40c614352a1c597af0a6528b364ce7243ac532ea7
- memory/332-55-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize 4KB)
- memory/332-56-0x0000000000111000-0x0000000000112000-memory.dmp (Filesize 4KB)
- memory/332-54-0x00000000768C1000-0x00000000768C3000-memory.dmp (Filesize 8KB)
- memory/516-63-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/516-59-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/516-60-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/516-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/516-62-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/516-64-0x00000000004376CE-mapping.dmp
- memory/516-68-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize 4KB)
- memory/636-57-0x0000000000000000-mapping.dmp
- memory/1120-66-0x0000000000000000-mapping.dmp
- memory/1120-69-0x0000000002800000-0x0000000002801000-memory.dmp (Filesize 4KB)
The five 516 dumps are successive snapshots of the same 0x400000-0x43C000 region (240KB), the image the parent wrote into the hollowed child; the tagged address 0x4376CE lies inside it.
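The dump names carry the PID, a sequence number and the address range, so the Filesize column and the relationship between the YARA-tagged dumps and the 0x4376CE mapping can be checked mechanically. This is an added example written for this page, not Triage code: DUMPS and YARA_HITS are the names copied from the Downloads and Signatures sections, and the name layout (pid-seq-start-end-memory.dmp, pid-seq-addr-mapping.dmp) is this example's reading of the names on the page, not a documented format.

```python
"""Consistency checks on the memory-dump names listed above.

Added example for this report, not Triage output. DUMPS and YARA_HITS are
copied from the Downloads and Signatures sections. The layout
<pid>-<seq>-0x<start>-0x<end>-memory.dmp / <pid>-<seq>-0x<addr>-mapping.dmp is
inferred from the names on the page, not a documented Triage format.
"""
import re
from dataclasses import dataclass

DUMPS = [
    "memory/332-55-0x0000000000110000-0x0000000000111000-memory.dmp",
    "memory/332-56-0x0000000000111000-0x0000000000112000-memory.dmp",
    "memory/332-54-0x00000000768C1000-0x00000000768C3000-memory.dmp",
    "memory/516-63-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/516-59-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/516-60-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/516-61-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/516-62-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/516-64-0x00000000004376CE-mapping.dmp",
    "memory/516-68-0x00000000000F0000-0x00000000000F1000-memory.dmp",
    "memory/636-57-0x0000000000000000-mapping.dmp",
    "memory/1120-66-0x0000000000000000-mapping.dmp",
    "memory/1120-69-0x0000000002800000-0x0000000002801000-memory.dmp",
]
# Dumps the family_agenttesla YARA rule matched (Signatures section).
YARA_HITS = [
    "behavioral1/memory/516-61-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/516-62-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/516-63-0x0000000000400000-0x000000000043C000-memory.dmp",
    "behavioral1/memory/516-64-0x00000000004376CE-mapping.dmp",
]

HEX = r"0x([0-9A-Fa-f]+)"
REGION_RE = re.compile(rf"^(?:behavioral\d+/)?memory/(\d+)-(\d+)-{HEX}-{HEX}-memory\.dmp$")
MAPPING_RE = re.compile(rf"^(?:behavioral\d+/)?memory/(\d+)-(\d+)-{HEX}-mapping\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int  # exclusive

    @property
    def size(self):
        return self.end - self.start

    def contains(self, addr):
        return self.start <= addr < self.end


@dataclass(frozen=True)
class Mapping:
    pid: int
    seq: int
    addr: int  # single tagged address, no extent


def parse_dump_name(name):
    m = REGION_RE.match(name)
    if m:
        return Region(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16))
    m = MAPPING_RE.match(name)
    if m:
        return Mapping(int(m[1]), int(m[2]), int(m[3], 16))
    raise ValueError(f"unrecognised dump name: {name}")


def human_size(nbytes):
    """Reproduce the report's Filesize column (whole KB where exact)."""
    return f"{nbytes // 1024}KB" if nbytes % 1024 == 0 else f"{nbytes}B"


def region_sizes(names):
    """name -> size in bytes, for the -memory.dmp entries only."""
    sizes = {}
    for n in names:
        entry = parse_dump_name(n)
        if isinstance(entry, Region):
            sizes[n] = entry.size
    return sizes


def regions_containing(names, mapping_name):
    """Same-pid regions that contain the mapping's address, lowest sequence first."""
    mp = parse_dump_name(mapping_name)
    hits = [(n, e) for n in names if isinstance((e := parse_dump_name(n)), Region)
            and e.pid == mp.pid and e.contains(mp.addr)]
    return [n for n, _ in sorted(hits, key=lambda t: t[1].seq)]


def yara_hit_summary(hit_names):
    """Which pids, which address ranges, and the offset of each tagged address in them."""
    entries = [parse_dump_name(n) for n in hit_names]
    regions = [e for e in entries if isinstance(e, Region)]
    offsets = set()
    for e in entries:
        if isinstance(e, Mapping):
            inside = [r for r in regions if r.pid == e.pid and r.contains(e.addr)]
            offsets.add(e.addr - inside[0].start if inside else None)
    return {"pids": {e.pid for e in entries},
            "ranges": {(r.start, r.end) for r in regions},
            "mapping_offsets": offsets}
```

Running the checks against this report gives 240KB for every 516 region, a single range (0x400000, 0x43C000) across all YARA hits, and an offset of 0x376CE for the tagged address, i.e. the address sits inside the image the parent wrote rather than in a separately allocated buffer. Mappings at 0x0 (PIDs 636 and 1120) match no region, which is what you expect for processes whose memory was never dumped.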