Analysis

  • max time kernel
    116s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:37

General

  • Target

    POewWa3MHHx83.exe

  • Size

    646KB

  • MD5

    8e819fb39a348253d262fbb8304efb41

  • SHA1

    9b84fd1eb519c43c80f840b784c5c092721958b9

  • SHA256

    434697235faf9c70e317884f73881d5a2c0d4ea353641e65a95bb8a3c9fadce5

  • SHA512

    ca89a91100b9f140a795cb65dfb6cabadc71938e69cde2a1e72229b34b50a485b57e44482bf26dfbaa65870d8ae021babf305717cd0cbc9b48ba71bc6576504e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mrshelp23409@!!#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 6 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\POewWa3MHHx83.exe
    "C:\Users\Admin\AppData\Local\Temp\POewWa3MHHx83.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LkBuJewArzm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\POewWa3MHHx83.exe
      "{path}"
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp

    Filesize

    1KB

    MD5

    fdc6c43cb974a88b834f9abd23384b45

    SHA1

    20ecbd67c0eb7a4bd9eab1f3d83a62d1a7f60579

    SHA256

    3673718ee2cb408b554594089852a457be8188ea360f8d65fc72ad835f2f9591

    SHA512

    42d644b560eb2e5a44fcab67210d850d4d37154814b273935c1e9d06b9f814ad6d7a05d9978829b34c023d079f8e8dffe102d8a52be580440f1f2e91c72f4238

  • memory/808-64-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-60-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-61-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-63-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-66-0x000000000044B1CE-mapping.dmp

  • memory/808-65-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-68-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/808-70-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1236-56-0x0000000004430000-0x0000000004488000-memory.dmp

    Filesize

    352KB

  • memory/1236-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

    Filesize

    8KB

  • memory/1236-55-0x00000000004A0000-0x00000000004A8000-memory.dmp

    Filesize

    32KB

  • memory/1236-54-0x00000000008A0000-0x0000000000946000-memory.dmp

    Filesize

    664KB

  • memory/2032-58-0x0000000000000000-mapping.dmp