Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 18:17
Static task: static1
Behavioral task: behavioral1
  Sample: Image001.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: Image001.exe
  Resource: win10-en-20211104
General
- Target: Image001.exe
- Size: 612KB
- MD5: ff1b46d412d2890828fdeee1d983dea1
- SHA1: 2c2c60bc32b11f866aed66f29ce30c362b352567
- SHA256: 3f9f72ec6bd759569e783528a4a2e0426472dfae328af93afbf9da273e92adf5
- SHA512: d6ea42338428fc9da1552c1879b334b4a70f121eb9c3fce31b513bc86f2eca5a7ba7bb17a6ec059910b2fda3f2bb6717a975828f6de985630d0420bde153333b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cgyasc.com
- Port: 587
- Username: castilloo@cgyasc.com
- Password: Castle1
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 4 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/1032-57-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1032-58-0x000000000040188B-mapping.dmp | family_agenttesla
  behavioral1/memory/1032-60-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1032-61-0x0000000002170000-0x00000000021A7000-memory.dmp | family_agenttesla
- Drops file in Drivers directory 1 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Image001.exe
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  572 | Image001.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Image001.exe
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Image001.exe
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Image001.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 572 set thread context of 1032 | 572 | Image001.exe | Image001.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid | process
  1032 | Image001.exe
  1032 | Image001.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1032 | Image001.exe
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes:
  description | pid | process | target process
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
  PID 572 wrote to memory of 1032 | 572 | Image001.exe | Image001.exe
- outlook_office_path 1 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Image001.exe
- outlook_win_path 1 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Image001.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Image001.exe (PID 572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\Image001.exe (PID 1032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyC10F.tmp\aryw.dll
  MD5: b1d39a59acc5c67685d5898e25ad7874
  SHA1: c71b2d3960daec838ca13cd4890b1f4d1589b09b
  SHA256: 0a94e73c19307113508e6a6103ef6abfe7c77bc61be29eca172c97f86fddb6cc
  SHA512: e71c6ddd29a41f358c5667f667606a9ef1aa1334ac6ce3059b7b81f34279482bcf24e90c74416fbe088103d1d2c4ac048e8a74b82bff414dce86af2ea67f0450
- memory/572-55-0x0000000075461000-0x0000000075463000-memory.dmp
  Filesize: 8KB
- memory/1032-57-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1032-58-0x000000000040188B-mapping.dmp
- memory/1032-60-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1032-61-0x0000000002170000-0x00000000021A7000-memory.dmp
  Filesize: 220KB
- memory/1032-64-0x00000000046D2000-0x00000000046D3000-memory.dmp
  Filesize: 4KB
- memory/1032-63-0x00000000046D1000-0x00000000046D2000-memory.dmp
  Filesize: 4KB
- memory/1032-65-0x00000000046D3000-0x00000000046D4000-memory.dmp
  Filesize: 4KB
- memory/1032-66-0x00000000046D4000-0x00000000046D5000-memory.dmp
  Filesize: 4KB