Analysis
- Max time kernel: 119s
- Max time network: 135s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 21-10-2021 11:40
Static task: static1
Behavioral task: behavioral1
  Sample: ENQUIRY.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ENQUIRY.exe
  Resource: win10-en-20210920
General
- Target: ENQUIRY.exe
- Size: 570KB
- MD5: dfc7cff14929dc6879d88a2c514bfef8
- SHA1: 319f1833848a98c976c1eb074af16a52ee4d1433
- SHA256: a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7
- SHA512: 452237738c52331f7dce3d5d6da93464a7be47c4ffe1d782958c562beed0021717465fda0db9115392a4766f2b8f7ef0ccd89645e2b7d8b4fe75ac3ccb70d85b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.aldhiyafainteriors.com
- Port: 587
- Username: rahman@aldhiyafainteriors.com
- Password: dhiyafa@987
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/3600-119-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3600-120-0x00000000004376CE-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3176 set thread context of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
    3176 | ENQUIRY.exe
    1384 | dw20.exe
    1384 | dw20.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3176 | ENQUIRY.exe
    Token: SeRestorePrivilege | 1384 | dw20.exe
    Token: SeBackupPrivilege | 1384 | dw20.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
    PID 3176 wrote to memory of 2236 | 3176 | ENQUIRY.exe | schtasks.exe
    PID 3176 wrote to memory of 2236 | 3176 | ENQUIRY.exe | schtasks.exe
    PID 3176 wrote to memory of 2236 | 3176 | ENQUIRY.exe | schtasks.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3176 wrote to memory of 3600 | 3176 | ENQUIRY.exe | ENQUIRY.exe
    PID 3600 wrote to memory of 1384 | 3600 | ENQUIRY.exe | dw20.exe
    PID 3600 wrote to memory of 1384 | 3600 | ENQUIRY.exe | dw20.exe
    PID 3600 wrote to memory of 1384 | 3600 | ENQUIRY.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qhikTxSZJsELY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F52.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 3)
      Command line: dw20.exe -x -s 696
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ENQUIRY.exe.log
  MD5: 568e6f2b186c39075772d775e4189f57
  SHA1: 02f642cfdd1491b1ce69e81925ed336975e2f972
  SHA256: d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4
  SHA512: ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156
- C:\Users\Admin\AppData\Local\Temp\tmp5F52.tmp
  MD5: bd91f08913ab041aee2ccfc660acee29
  SHA1: e59e59c9a51b3882908d4f5e077e205879da66f7
  SHA256: 0b5bcebe46f1999ce00590b0d50c894215317ac48d62d0b86ab9c14b62f34809
  SHA512: 28ee8dc24703648c073219b2f864203a680ebe444acbcbd0e96a610fd7e5a374ecd1dab791b20c43b74436d1e71d842f35bdf33097a70f04276d38204ed48b18
- memory/1384-122-0x0000000000000000-mapping.dmp
- memory/2236-117-0x0000000000000000-mapping.dmp
- memory/3176-115-0x00000000024B0000-0x00000000024B1000-memory.dmp
  Filesize: 4KB
- memory/3176-116-0x00000000024B2000-0x00000000024B4000-memory.dmp
  Filesize: 8KB
- memory/3600-119-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/3600-120-0x00000000004376CE-mapping.dmp
- memory/3600-123-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
  Filesize: 4KB