Analysis
- max time kernel: 112s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: EST PDA MV. TBN CALL TO CIWANDAN.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: EST PDA MV. TBN CALL TO CIWANDAN.exe
  Resource: win10v2004-20220414-en
General
- Target: EST PDA MV. TBN CALL TO CIWANDAN.exe
- Size: 783KB
- MD5: 4ef647613fe0cc757fe535d46a4763d7
- SHA1: 868774d67042162ea7539715f8cee34bd41eb4da
- SHA256: 37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8
- SHA512: d021f6c9843a64ed759a120c1e0403d7d3b1e62b0c7d59f6af235ccd02d4b7393b33cfc944f69bc9c9d569069ad9bfc18cdeab8fd07179dba4febe1641a3866c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.wasaka-shippinq.com
- Port: 587
- Username: [email protected]
- Password: 0pzZqCz8!+%u
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/220-139-0x0000000000400000-0x0000000000466000-memory.dmp
    yara_rule: family_agenttesla
- Drops file in Drivers directory (1 IoCs)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    process: EST PDA MV. TBN CALL TO CIWANDAN.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description: Key opened, process: RegSvcs.exe in every entry):
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 4408 set thread context of 220
    pid: 4408
    process: EST PDA MV. TBN CALL TO CIWANDAN.exe
    target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid: 4408, process: EST PDA MV. TBN CALL TO CIWANDAN.exe (8 entries)
    pid: 220, process: RegSvcs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid: 4408, process: EST PDA MV. TBN CALL TO CIWANDAN.exe
    description: Token: SeDebugPrivilege, pid: 220, process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (pid: 4408, process: EST PDA MV. TBN CALL TO CIWANDAN.exe in every entry):
    description: PID 4408 wrote to memory of 3476, target process: schtasks.exe (3 entries)
    description: PID 4408 wrote to memory of 256, target process: RegSvcs.exe (3 entries)
    description: PID 4408 wrote to memory of 176, target process: RegSvcs.exe (3 entries)
    description: PID 4408 wrote to memory of 220, target process: RegSvcs.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: RegSvcs.exe
- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\EST PDA MV. TBN CALL TO CIWANDAN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EST PDA MV. TBN CALL TO CIWANDAN.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FgjUZKbTJrmxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp
  Filesize: 1KB
  MD5: 2329f711efa3909d6052969d81a40e39
  SHA1: 97fdc64fb479f1c6960e50ccacaa1ff88a67d119
  SHA256: f5b4df085137e0be359ffa1b3e0f623f7cf9df40a4e8b8197eab658da2481221
  SHA512: e0a3c5dd510f192dd4ca8d9fb3717a21eb7fc3fd1c001f931c15d66d572903678bf1173bb775b496cd0c751db55ebc976b9183b59cde08bff12337c6840b9e78
- memory/176-137-0x0000000000000000-mapping.dmp
- memory/220-142-0x00000000063F0000-0x00000000063FA000-memory.dmp
  Filesize: 40KB
- memory/220-141-0x0000000006540000-0x0000000006590000-memory.dmp
  Filesize: 320KB
- memory/220-140-0x0000000005DD0000-0x0000000005E36000-memory.dmp
  Filesize: 408KB
- memory/220-139-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/220-138-0x0000000000000000-mapping.dmp
- memory/256-136-0x0000000000000000-mapping.dmp
- memory/3476-134-0x0000000000000000-mapping.dmp
- memory/4408-130-0x0000000000E50000-0x0000000000F1A000-memory.dmp
  Filesize: 808KB
- memory/4408-133-0x0000000006550000-0x00000000065EC000-memory.dmp
  Filesize: 624KB
- memory/4408-132-0x0000000005940000-0x00000000059D2000-memory.dmp
  Filesize: 584KB
- memory/4408-131-0x0000000005E50000-0x00000000063F4000-memory.dmp
  Filesize: 5.6MB