Analysis
max time kernel: 160s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:30

Static task: static1

Behavioral task: behavioral1
  Sample: Part List_bidding.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Part List_bidding.exe
  Resource: win10v2004-20220414-en
General
Target: Part List_bidding.exe
Size: 565KB
MD5: 36233073fcb133255abb10ea7e1b9040
SHA1: 3fc69e192828bea7a37e16d477df63ee53d9ef85
SHA256: 61f179ab9d877a4089f3a2e21db9d62537a9181fe6f58ba81a9eb2b0c45ac3a5
SHA512: c4da1a0a5a482a5b555168ef725f4c802640d997e641c35bbac2004251fb89d81e067c7e7ac3c87382496f6924f477e7c9fb58676ec451892bb3bb2cdf4dbc5e
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.ru
Port: 587
Username: [email protected]
Password: 1104780540cuome@123
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The configuration extracted from this sample shows it exfiltrating collected data over SMTP (smtp.yandex.ru, port 587) using the credentials above.

AgentTesla Payload 1 IoCs
resource                                                                      yara_rule
behavioral2/memory/2384-138-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), which is typically used as a geofence so the sample can change behaviour or exit depending on the victim's configured location.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  Part List_bidding.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                target process
PID 3908 set thread context of 2384  3908  Part List_bidding.exe  Part List_bidding.exe
The parent (3908) launched a second copy of its own image (2384), wrote into that process (see the WriteProcessMemory events below) and then reset a thread's context: the process-hollowing sequence, in which the child's original image is replaced with the unpacked payload before its main thread is resumed. The YARA hit on the child's memory region at 0x400000 is consistent with that reading.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; note that nothing else in this report (no file encryption, no ransom note) supports that for this sample, and drive enumeration is also routine host fingerprinting for a stealer.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\LOGlDb" is registered from an XML definition the sample first wrote to %TEMP% (tmpCB3A.tmp, listed under Downloads below); the XML file, not the command line, carries the trigger and the action to run, so recover it when reconstructing the persistence mechanism.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
3908  Part List_bidding.exe
3908  Part List_bidding.exe
3908  Part List_bidding.exe
2384  Part List_bidding.exe
2384  Part List_bidding.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3908  Part List_bidding.exe
Token: SeDebugPrivilege  2384  Part List_bidding.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description                        pid   process                target process
PID 3908 wrote to memory of 1548   3908  Part List_bidding.exe  schtasks.exe           (3 events)
PID 3908 wrote to memory of 2384   3908  Part List_bidding.exe  Part List_bidding.exe  (8 events)
Processes

C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe  (PID 3908)
  command line: "C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 1548, child of 3908)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LOGlDb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB3A.tmp"
    - Creates scheduled task(s)
    (The command line names System32, but the 32-bit parent is redirected to the SysWOW64 copy by WOW64 file system redirection, which is why the executed image differs from the one on the command line.)

  C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe  (PID 2384, child of 3908)
    command line: "{path}"  (the literal command line as recorded by the sandbox)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB3A.tmp
  Filesize: 1KB
  MD5: afbfead3bf7e27b90e748a1a4ad6957f
  SHA1: 235123c4b559af15516c77f93cd99165dafb58c5
  SHA256: f5ecd3ab55d4545bc5003e0269a4f10655a661fc8f1374cb218492456898f28f
  SHA512: ed2ca90700bf4991c73fc95e4e80dd3e9eeb7102ab257e7b48cdd8a4730117e570da1863ed3ce7d5f951a045392500084590bbf454819e033a27c120d3696346

memory/1548-135-0x0000000000000000-mapping.dmp

memory/2384-137-0x0000000000000000-mapping.dmp

memory/2384-138-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB

memory/3908-130-0x00000000001D0000-0x0000000000264000-memory.dmp
  Filesize: 592KB

memory/3908-131-0x00000000051E0000-0x0000000005784000-memory.dmp
  Filesize: 5.6MB

memory/3908-132-0x0000000004C30000-0x0000000004CC2000-memory.dmp
  Filesize: 584KB

memory/3908-133-0x0000000005030000-0x000000000503A000-memory.dmp
  Filesize: 40KB

memory/3908-134-0x0000000008640000-0x00000000086DC000-memory.dmp
  Filesize: 624KB
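To turn the report above into something actionable, here is an added Python example (it is not part of the sandbox report and not the sandbox's own tooling) that correlates the process tree and signature IoCs with the memory dump list: it flags the parent's WriteProcessMemory plus SetThreadContext sequence against a child running the parent's own image as process hollowing, flags the schtasks /Create /XML persistence fed from a file in the user's Temp folder, and picks the hollowed child's dump at the 32-bit default image base 0x400000 as the unpacked payload to carve and scan. The event-record layout, the EVENTS and DUMPS lists and the helper names are constructed from the PIDs, paths, command lines and address ranges in the report and are assumptions; adapt the loaders to your sandbox's or EDR's real export.

```python
"""Correlate behavioural IoCs and memory dumps from an Agent Tesla sandbox report.

Added example, not part of the report. EVENTS and DUMPS are constructed from the
values the report lists; the record layout is an assumption.
"""
import re
from collections import defaultdict

PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LOGlDb" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCB3A.tmp"')

# Constructed process events modelled on the report (one dict per event).
EVENTS = [
    {"pid": 3908, "image": PARENT_IMAGE, "op": "reg_query",
     "detail": r"Control Panel\International\Geo\Nation"},
    {"pid": 3908, "image": PARENT_IMAGE, "op": "create_process", "target_pid": 1548,
     "target_image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 3908, "image": PARENT_IMAGE, "op": "create_process", "target_pid": 2384,
     "target_image": PARENT_IMAGE, "cmdline": '"{path}"'},
    *[{"pid": 3908, "image": PARENT_IMAGE, "op": "write_process_memory", "target_pid": 1548}
      for _ in range(3)],
    *[{"pid": 3908, "image": PARENT_IMAGE, "op": "write_process_memory", "target_pid": 2384}
      for _ in range(8)],
    {"pid": 3908, "image": PARENT_IMAGE, "op": "set_thread_context", "target_pid": 2384},
]

# Constructed dump names, copied from the report's Downloads list.
DUMPS = [
    "memory/1548-135-0x0000000000000000-mapping.dmp",
    "memory/2384-137-0x0000000000000000-mapping.dmp",
    "memory/2384-138-0x0000000000400000-0x000000000044C000-memory.dmp",
    "memory/3908-130-0x00000000001D0000-0x0000000000264000-memory.dmp",
    "memory/3908-131-0x00000000051E0000-0x0000000005784000-memory.dmp",
    "memory/3908-132-0x0000000004C30000-0x0000000004CC2000-memory.dmp",
    "memory/3908-133-0x0000000005030000-0x000000000503A000-memory.dmp",
    "memory/3908-134-0x0000000008640000-0x00000000086DC000-memory.dmp",
]

DEFAULT_IMAGE_BASE = 0x400000  # default ImageBase of a 32-bit PE; assumption: the payload keeps it

SCHTASKS_RE = re.compile(r'/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.IGNORECASE)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.IGNORECASE)


def find_hollowing(events):
    """Parent spawns its own image, writes into it, then calls SetThreadContext
    on it: the process-hollowing sequence. Returns sorted [(parent, child)]."""
    child = defaultdict(lambda: {"parent": None, "same_image": False, "writes": 0, "ctx": False})
    for e in events:
        t = e.get("target_pid")
        if e["op"] == "create_process":
            child[t]["parent"] = e["pid"]
            child[t]["same_image"] = e["target_image"].lower() == e["image"].lower()
        elif e["op"] == "write_process_memory":
            child[t]["writes"] += 1
        elif e["op"] == "set_thread_context":
            child[t]["ctx"] = True
    return sorted((v["parent"], c) for c, v in child.items()
                  if v["same_image"] and v["writes"] > 0 and v["ctx"])


def find_schtasks_xml_persistence(events):
    """schtasks /Create fed an XML definition from the user's Temp folder.
    Returns [(spawner_pid, task_name, xml_path)]."""
    hits = []
    for e in events:
        cmd = e.get("cmdline", "")
        if e["op"] != "create_process" or "schtasks" not in cmd.lower() or "/create" not in cmd.lower():
            continue
        m = SCHTASKS_RE.search(cmd)
        if m and TEMP_RE.search(m.group(2)):
            hits.append((e["pid"], m.group(1), m.group(2)))
    return hits


def parse_dumps(names):
    """'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' -> records with a byte size.
    '-mapping.dmp' entries carry no address range and are skipped."""
    out = []
    for n in names:
        m = DUMP_RE.match(n)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            out.append({"name": n, "pid": int(m.group(1)), "start": start, "end": end, "size": end - start})
    return out


def pick_payload_dump(dumps, hollowed):
    """For each hollowed child, the region at the default image base is the
    unpacked payload the parent wrote there: scan and carve that dump first."""
    return [{**d, "parent": parent} for parent, child in hollowed
            for d in dumps if d["pid"] == child and d["start"] == DEFAULT_IMAGE_BASE]


def summarize(events=EVENTS, dumps=DUMPS):
    hollowed = find_hollowing(events)
    return {"hollowing": hollowed,
            "persistence": find_schtasks_xml_persistence(events),
            "payload_dumps": pick_payload_dump(parse_dumps(dumps), hollowed)}


if __name__ == "__main__":
    s = summarize()
    for parent, child in s["hollowing"]:
        print(f"hollowing: PID {parent} -> PID {child}")
    for pid, task, xml in s["persistence"]:
        print(f"persistence: PID {pid} registered task {task!r} from {xml}")
    for d in s["payload_dumps"]:
        print(f"payload dump: {d['name']} ({d['size']} bytes, {d['size'] // 1024}KB)")
```

Run as a script it prints the three findings. The picked dump's computed size (0x4C000 bytes, 304KB) matches the Filesize the report gives for memory/2384-138, and the family_agenttesla YARA hit is on exactly that dump, which is why it, rather than the 565KB on-disk loader, is the file to unpack, scan and extract the SMTP configuration from.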