Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: UPDATED DN.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: UPDATED DN.exe
- Resource: win10-en-20211014
General
- Target: UPDATED DN.exe
- Size: 928KB
- MD5: c0059f77c623451c9b85287c735df32f
- SHA1: e1dcab797de118082168f787835e67324cca9b7a
- SHA256: feb91cde2c89cdf45cd078485f4f98683c11ec7d5a044a73968d31c2dcaa7e81
- SHA512: 86728230a7835b7ca1a0df7e5f78d3ac25071c88146d39513bc5f9f4bfd1684476ece1df33169a3ac7f4313b427a8bd4890cbd2316aacb86522f26049e979167
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.manlogistics.in
- Port: 587
- Username: [email protected]
- Password: Ma&*$367Jhn
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1908-61-0x0000000000400000-0x000000000047E000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-62-0x0000000000400000-0x000000000047E000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-63-0x0000000000400000-0x000000000047E000-memory.dmp | family_agenttesla
  behavioral1/memory/1908-64-0x00000000004376FE-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 528 set thread context of 1908 | 528 | UPDATED DN.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  528 | UPDATED DN.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  1164 | dw20.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 528 | UPDATED DN.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (identical rows collapsed, count in the last column):
  description | pid | process | target process | count
  PID 528 wrote to memory of 1724 | 528 | UPDATED DN.exe | schtasks.exe | 4
  PID 528 wrote to memory of 1908 | 528 | UPDATED DN.exe | RegSvcs.exe | 12
  PID 1908 wrote to memory of 1164 | 1908 | RegSvcs.exe | dw20.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xwUnvexrqIZOUN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 3)
      Command line: dw20.exe -x -s 388
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp
  MD5: 900c422beb885ac40d80311eae16b4d7
  SHA1: 89e9e3a30370a907a2a7291535122cf3c19f6370
  SHA256: 61d39cd10e20acbb70bcc99de3bb474be623a59c506fcf2f17bf4380ecfbbc33
  SHA512: 5aea082224ad14d99872aef28e16ba6695576b220e9eaf665e6ea21f2af4eec597478bf63fd4e6abf1b7c1f6195a77df4dd7e21db315b2c54c631a46720ec911
- memory/528-55-0x0000000000760000-0x0000000000761000-memory.dmp (Filesize: 4KB)
- memory/528-56-0x0000000000761000-0x0000000000762000-memory.dmp (Filesize: 4KB)
- memory/528-54-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
- memory/1164-66-0x0000000000000000-mapping.dmp
- memory/1164-69-0x0000000002440000-0x0000000002441000-memory.dmp (Filesize: 4KB)
- memory/1724-57-0x0000000000000000-mapping.dmp
- memory/1908-59-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/1908-62-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/1908-63-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/1908-64-0x00000000004376FE-mapping.dmp
- memory/1908-61-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/1908-68-0x00000000007E0000-0x00000000007E1000-memory.dmp (Filesize: 4KB)
- memory/1908-60-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)