Overview

overview

10

Static

static

EST PDA MV...AN.exe

windows7_x64

10

EST PDA MV...AN.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EST PDA MV. TBN CALL TO CIWANDAN.exe

  • Size

    783KB

  • MD5

    4ef647613fe0cc757fe535d46a4763d7

  • SHA1

    868774d67042162ea7539715f8cee34bd41eb4da

  • SHA256

    37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8

  • SHA512

    d021f6c9843a64ed759a120c1e0403d7d3b1e62b0c7d59f6af235ccd02d4b7393b33cfc944f69bc9c9d569069ad9bfc18cdeab8fd07179dba4febe1641a3866c

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.wasaka-shippinq.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    0pzZqCz8!+%u

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EST PDA MV. TBN CALL TO CIWANDAN.exe
    "C:\Users\Admin\AppData\Local\Temp\EST PDA MV. TBN CALL TO CIWANDAN.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FgjUZKbTJrmxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3476
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:256
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:176
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Drops file in Drivers directory
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:220

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp
        Filesize

        1KB

        MD5

        2329f711efa3909d6052969d81a40e39

        SHA1

        97fdc64fb479f1c6960e50ccacaa1ff88a67d119

        SHA256

        f5b4df085137e0be359ffa1b3e0f623f7cf9df40a4e8b8197eab658da2481221

        SHA512

        e0a3c5dd510f192dd4ca8d9fb3717a21eb7fc3fd1c001f931c15d66d572903678bf1173bb775b496cd0c751db55ebc976b9183b59cde08bff12337c6840b9e78

        Download Submit
      • memory/176-137-0x0000000000000000-mapping.dmp
        Download
      • memory/220-142-0x00000000063F0000-0x00000000063FA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/220-141-0x0000000006540000-0x0000000006590000-memory.dmp
        Filesize

        320KB

        Download
      • memory/220-140-0x0000000005DD0000-0x0000000005E36000-memory.dmp
        Filesize

        408KB

        Download
      • memory/220-139-0x0000000000400000-0x0000000000466000-memory.dmp
        Filesize

        408KB

        Download
      • memory/220-138-0x0000000000000000-mapping.dmp
        Download
      • memory/256-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3476-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4408-130-0x0000000000E50000-0x0000000000F1A000-memory.dmp
        Filesize

        808KB

        Download
      • memory/4408-133-0x0000000006550000-0x00000000065EC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4408-132-0x0000000005940000-0x00000000059D2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4408-131-0x0000000005E50000-0x00000000063F4000-memory.dmp
        Filesize

        5.6MB

        Download