Analysis
- max time kernel: 151s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:17
Static task: static1
Behavioral task: behavioral1
  Sample: dar.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: dar.exe
  Resource: win10v2004-20220414-en
General
- Target: dar.exe
- Size: 535KB
- MD5: a34f16774efd878af58828fdbfdc9d90
- SHA1: 022ea1acccd4bd60b2e4155d38af6492728d9d8f
- SHA256: e4d8083ef442c5a9a0daa9bdd5e86b685cdd47a1c233f35393df55aba4acddbb
- SHA512: 4e54b9f48c5f9faa68d97f8d36c5e1a455725fb8a948f4db5cab82a983df5c03ad7486098c0559a3eaffd4fc916d05aee398013769905f7ef461929a45c122f8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sbrenind.com
- Port: 587
- Username: [email protected]
- Password: Wiremoney123.
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  resource: behavioral2/memory/4004-139-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: dar.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: dar.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: dar.exe
    description: PID 3048 set thread context of 4004
    pid: 3048
    process: dar.exe
    target process: dar.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: dar.exe, dar.exe
    pid   process
    3048  dar.exe
    3048  dar.exe
    4004  dar.exe
    4004  dar.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: dar.exe, dar.exe
    description              pid   process
    Token: SeDebugPrivilege  3048  dar.exe
    Token: SeDebugPrivilege  4004  dar.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: dar.exe
    description                       pid   process  target process
    PID 3048 wrote to memory of 512   3048  dar.exe  schtasks.exe   (3 entries)
    PID 3048 wrote to memory of 4696  3048  dar.exe  dar.exe        (3 entries)
    PID 3048 wrote to memory of 4004  3048  dar.exe  dar.exe        (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dar.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHYJSQZu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AA0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\dar.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\dar.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dar.exe.log
  Filesize: 685B
  MD5: 64f7d1001f1b3c983776387519079574
  SHA1: 9696fb5ffd5597c12fc1ca6bcb7fe889f8cc9c2c
  SHA256: b7724fa480f240bb6e0131973d0f085d5fb0865677f277a2a306f4fa89c89485
  SHA512: bf81147d1a43290c845f788fbe633bf0ae8abff31a342b0278e525fdf65bd5294e797b3a11f375027e5b2c42d224459583d5a0e753f563d5034d4d7653d39eba
- C:\Users\Admin\AppData\Local\Temp\tmp4AA0.tmp
  Filesize: 1KB
  MD5: 216d4b0ded7adbd04d2ee6ab2c17c911
  SHA1: fb69acce58d3f46f7c44579e7dce991f2d8117b2
  SHA256: cf960d4d741c101b566c04dc578e8a318507b1a0d73d80203732da2044655df4
  SHA512: a2e2bb8130eabbdbb381e8c1e45f085ce587ddea7952e977c1f75c5522e81c5610b379625cd822d57f264ac97e58c676e378ce8d8180d0dc0548ecff33a146fa
- memory/512-135-0x0000000000000000-mapping.dmp
- memory/3048-130-0x0000000000D40000-0x0000000000DCC000-memory.dmp
  Filesize: 560KB
- memory/3048-131-0x0000000005E70000-0x0000000006414000-memory.dmp
  Filesize: 5.6MB
- memory/3048-132-0x0000000005770000-0x0000000005802000-memory.dmp
  Filesize: 584KB
- memory/3048-133-0x00000000065B0000-0x0000000006736000-memory.dmp
  Filesize: 1.5MB
- memory/3048-134-0x0000000005CF0000-0x0000000005D8C000-memory.dmp
  Filesize: 624KB
- memory/4004-138-0x0000000000000000-mapping.dmp
- memory/4004-139-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/4004-141-0x00000000063C0000-0x0000000006426000-memory.dmp
  Filesize: 408KB
- memory/4696-137-0x0000000000000000-mapping.dmp