Overview

overview

10

Static

static

SecuriteIn...88.exe

windows7_x64

9

SecuriteIn...88.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    01-12-2021 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe

  • Size

    487KB

  • MD5

    604c93c0c41e8eb994e7315b3885ec38

  • SHA1

    9af5baeab9f2461335ad3e2439bc3e5cb850932e

  • SHA256

    af29096b6cbbd74cca47337f62cc2a5553eb3cf225de3dcc993a14e452c3e9bd

  • SHA512

    59307cc35eb0606d33bd0cde817e82c1e941d9d2e903888634a77357570b67b6b4b138dc19b502b9dcf8209b46bfae757a0a6200bd56280990c76f17936948b9

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.huiijingco.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zVYrdtq4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
      2⤵
        PID:3148
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
        2⤵
          PID:296
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
          2⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1496

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe.log
        MD5

        12557ab909651a6f99d3503d614d3562

        SHA1

        b86745768059a514bea3a438e1e96086af463246

        SHA256

        9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd

        SHA512

        10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521

        Download Submit
      • memory/1496-132-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1496-143-0x0000000005300000-0x0000000005301000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1496-133-0x0000000000436C3E-mapping.dmp
        Download
      • memory/1928-124-0x0000000000000000-mapping.dmp
        Download
      • memory/1928-139-0x0000000007A20000-0x0000000007A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-237-0x0000000006C53000-0x0000000006C54000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-168-0x0000000009570000-0x0000000009571000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-167-0x000000007ED40000-0x000000007ED41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-166-0x00000000093A0000-0x00000000093A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-127-0x0000000004660000-0x0000000004661000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-126-0x0000000004660000-0x0000000004661000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-128-0x0000000004770000-0x0000000004771000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-129-0x0000000007290000-0x0000000007291000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-130-0x0000000006C50000-0x0000000006C51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-131-0x0000000006C52000-0x0000000006C53000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-161-0x0000000009230000-0x0000000009231000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-154-0x0000000009270000-0x00000000092A3000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1928-147-0x0000000004660000-0x0000000004661000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-146-0x0000000008200000-0x0000000008201000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-140-0x0000000007A50000-0x0000000007A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-142-0x0000000007BA0000-0x0000000007BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-145-0x0000000008310000-0x0000000008311000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-144-0x0000000007B30000-0x0000000007B31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-117-0x00000000053C0000-0x00000000053C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-121-0x0000000005B90000-0x0000000005B91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-118-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-119-0x00000000029A0000-0x00000000029A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-120-0x0000000004F30000-0x0000000004F31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-125-0x0000000006090000-0x0000000006091000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-115-0x00000000006A0000-0x00000000006A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3384-123-0x0000000005EA0000-0x0000000005F09000-memory.dmp
        Filesize

        420KB

        Download
      • memory/3384-122-0x00000000059C0000-0x00000000059C6000-memory.dmp
        Filesize

        24KB

        Download