Analysis
-
max time kernel
153s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 23:18
General
-
Target
Pictures.scr
-
Size
614KB
-
MD5
0548042de08d966daf12706ecef02860
-
SHA1
2551f1cf8b224368ebbfaa02e39ad360c9693658
-
SHA256
1e7474f09fbb2601bdc6f5e77ec90a9db99115e8392ba1629349f9b59f54d272
-
SHA512
e0c1f998eb363454bd11dae8376b77ed373004078f61e0f8bf81baae01a5d08608290ead31236506aceacba60fa51456c49ac702bceea93f2cf14edd73931fb7
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
z123456789ok
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pictures.scr"C:\Users\Admin\AppData\Local\Temp\Pictures.scr" /S1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hydlmGyJywexkm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62AA.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp62AA.tmpFilesize
1KB
MD5e953870cdecdd2142d84eecd4631380e
SHA1ceb39ba4c291892fa8a1183964f2e53174752a29
SHA2569f8c603de8d5e34ca9f4a1ecc250172e43f349f4fa00049e7173c391050be8fe
SHA5127a56bc8543f092c5a7b81c539c5d10d47709658520743b951ed838547a2b10b16d52424ec45ebcc6fba22c1a8abcfb69c32132b6168ebe678f4bab94b3ffd120
-
memory/588-59-0x0000000000000000-mapping.dmp
-
memory/1656-57-0x0000000004900000-0x000000000496C000-memory.dmpFilesize
432KB
-
memory/1656-54-0x0000000000DC0000-0x0000000000E5E000-memory.dmpFilesize
632KB
-
memory/1656-58-0x0000000004DB0000-0x0000000004E0A000-memory.dmpFilesize
360KB
-
memory/1656-56-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB
-
memory/1656-55-0x0000000075A61000-0x0000000075A63000-memory.dmpFilesize
8KB
-
memory/1948-61-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-62-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-64-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-65-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-66-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-67-0x000000000045480E-mapping.dmp
-
memory/1948-69-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/1948-71-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB