Analysis
- max time kernel: 118s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-10-2021 08:07
Static task: static1
Behavioral task: behavioral1
- Sample: 7ca0541b.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 7ca0541b.exe
- Resource: win10-en-20210920
General
- Target: 7ca0541b.exe
- Size: 783KB
- MD5: c76f187107bee1ce2df352b05e630356
- SHA1: 2c4e9462828e90573965ea02efc1b22d4020cbe8
- SHA256: 7ca0541b2df62e8b9e2b7b81f0c151f93a9c630d3c31252856932a4a824d3100
- SHA512: 47db99c394dcf9ebd29d5e9058ef34e40bd09163de4473231aad48f3e6326954a8f11442d482e23c89e731bdfd3974f0aad17e3aaacbaca77730997f27851d3a
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.electronmash.com
- Port: 587
- Username: office@electronmash.com
- Password: Zanzibar2018
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/4632-119-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral2/memory/4632-120-0x00000000004374FE-mapping.dmp: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7ca0541b.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7ca0541b.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7ca0541b.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 520 set thread context of 4632: 520 7ca0541b.exe -> 7ca0541b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 520 7ca0541b.exe
  - 4632 7ca0541b.exe
  - 4632 7ca0541b.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 520 7ca0541b.exe
  - Token: SeDebugPrivilege, 4632 7ca0541b.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 4632 7ca0541b.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 520 wrote to memory of 4492: 520 7ca0541b.exe -> schtasks.exe (3 entries)
  - PID 520 wrote to memory of 4632: 520 7ca0541b.exe -> 7ca0541b.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7ca0541b.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7ca0541b.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpkwTXwTqIHZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5281.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7ca0541b.exe.log
  MD5: 5e7bb97636a484b5a87e60373614279a
  SHA1: 36bfdec32eedb141a4a106d89a453326f62593ee
  SHA256: 12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20
  SHA512: 448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56
- C:\Users\Admin\AppData\Local\Temp\tmp5281.tmp
  MD5: 6880d6ee8d644ab4545f798e47a78434
  SHA1: f17d0ea3572e476c264f312f070ab70f2362bd40
  SHA256: 83303c08b1ff4c2dd86b7bb1ca2456524f7c00d291a1b41bf0c2422836d72efa
  SHA512: 506675128c8f1a32bb9fadaccb3591aef4585244784e3657e192e31ac461355456421999026a76d11d57897abbe03ee878a0c3535ac3282f25db8cc503a5a0f1
- memory/520-115-0x0000000000D70000-0x0000000000D71000-memory.dmp (Filesize: 4KB)
- memory/520-116-0x0000000000D71000-0x0000000000D72000-memory.dmp (Filesize: 4KB)
- memory/4492-117-0x0000000000000000-mapping.dmp
- memory/4632-119-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4632-120-0x00000000004374FE-mapping.dmp
- memory/4632-122-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize: 4KB)
- memory/4632-123-0x0000000000BE1000-0x0000000000BE2000-memory.dmp (Filesize: 4KB)
- memory/4632-124-0x0000000000BE2000-0x0000000000BE3000-memory.dmp (Filesize: 4KB)