Analysis
- max time kernel: 179s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 09:03
Static task: static1
Behavioral task: behavioral1
  Sample: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  Resource: win10v2004-en-20220113
General
- Target: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Size: 610KB
- MD5: b3a27137bfa9f92fe6b4cc7f0aaf08f4
- SHA1: 266e5d674bd1fe6135bd74658bb8a1d58777bbe0
- SHA256: 37c712662321d51383b50cc3973ba187706384859c6ff4f9e43e8be3c9e6dfe4
- SHA512: 2aec6a1ffd6a1df55ca456ed80b42b28f10f98ab11ab1cfefad29529037e433a7cb527ab081fbcddcf38c70adf2b0bbb484e936f42a5720fbfc2943b7d96a37a
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://nanyainc.cf/
- Port: 21
- Username: [email protected]
- Password: 7qB+iH=KrUUT
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
- Neshta
  Malware from the Neshta family infects other executable files with its own code in order to spread and cause damage.
- AgentTesla Payload (2 IoCs)
  Processes:
    behavioral2/memory/4260-138-0x0000000000400000-0x000000000043C000-memory.dmp (yara rule: family_agenttesla)
    behavioral2/memory/4260-141-0x0000000005010000-0x00000000055B4000-memory.dmp (yara rule: family_agenttesla)
- Executes dropped EXE (2 IoCs)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 2160: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 4260: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 2160 set thread context of PID 4260 (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
- Drops file in Windows directory (9 IoCs)
  Processes: TiWorker.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, svchost.exe
    File opened for modification: C:\Windows\WinSxS\pending.xml (process: TiWorker.exe)
    File opened for modification: C:\Windows\svchost.com (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (process: svchost.exe)
    File opened for modification: C:\Windows\Logs\CBS\CBS.log (process: TiWorker.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (process: svchost.exe)
    File opened for modification: C:\Windows\WindowsUpdate.log (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (process: svchost.exe)
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 4260: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 4260: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, svchost.exe, TiWorker.exe
    Token: SeDebugPrivilege (PID 4260, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe)
    Token: SeShutdownPrivilege (PID 2352, svchost.exe)
    Token: SeCreatePagefilePrivilege (PID 2352, svchost.exe)
    Token: SeShutdownPrivilege (PID 2352, svchost.exe)
    Token: SeCreatePagefilePrivilege (PID 2352, svchost.exe)
    Token: SeShutdownPrivilege (PID 2352, svchost.exe)
    Token: SeCreatePagefilePrivilege (PID 2352, svchost.exe)
    Token: SeSecurityPrivilege (PID 1736, TiWorker.exe)
    Token: SeRestorePrivilege (PID 1736, TiWorker.exe)
    Token: SeBackupPrivilege (PID 1736, TiWorker.exe)
    Token: SeBackupPrivilege (PID 1736, TiWorker.exe)
    Token: SeRestorePrivilege (PID 1736, TiWorker.exe)
    Token: SeSecurityPrivilege (PID 1736, TiWorker.exe)
    (the SeBackupPrivilege / SeRestorePrivilege / SeSecurityPrivilege cycle for PID 1736, TiWorker.exe, repeats for all remaining entries, 64 in total)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
    PID 312 wrote to memory of PID 2160 (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe), 3 entries
    PID 2160 wrote to memory of PID 4260 (process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe, target process: b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe (PID 312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe (PID 2160)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe (PID 4260)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 2352)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1736)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
  MD5: cc2133f03997221244a4a684e8826f26
  SHA1: 6ec6ffa9180b886fdfd0fa8cdeabbbd3c4391737
  SHA256: 4b17ac7e6e9b1dc14be2216ce0ff5ba66c80e0aed3c680e5269b875f914ee65c
  SHA512: d7b537fe99caa57b36a025bc750ee3f7c2187bab555148768799f48615cdd14c41394bfdca6f2e810b085a6a7982b44c2aec70fa202bb716f248e5f4f4105f91
- memory/2160-136-0x0000000005D90000-0x0000000005D91000-memory.dmp (Filesize: 4KB)
- memory/2160-134-0x0000000005850000-0x00000000058E2000-memory.dmp (Filesize: 584KB)
- memory/2160-135-0x0000000005C30000-0x0000000005CCC000-memory.dmp (Filesize: 624KB)
- memory/2160-133-0x0000000073B80000-0x0000000074330000-memory.dmp (Filesize: 7.7MB)
- memory/2160-137-0x0000000006630000-0x0000000006BD4000-memory.dmp (Filesize: 5.6MB)
- memory/2160-132-0x0000000000F50000-0x0000000000FE4000-memory.dmp (Filesize: 592KB)
- memory/2352-154-0x000001E26E1E0000-0x000001E26E1E4000-memory.dmp (Filesize: 16KB)
- memory/4260-138-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4260-140-0x0000000073B80000-0x0000000074330000-memory.dmp (Filesize: 7.7MB)
- memory/4260-141-0x0000000005010000-0x00000000055B4000-memory.dmp (Filesize: 5.6MB)
- memory/4260-155-0x0000000005F30000-0x0000000005F96000-memory.dmp (Filesize: 408KB)