Analysis
- max time kernel: 151s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: PROFILE.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PROFILE.exe
  Resource: win10v2004-20220414-en
General
- Target: PROFILE.exe
- Size: 453KB
- MD5: 0730a8b1cadc7b07bd0a7fbe57437939
- SHA1: 424eea095b6b46cc0d3d6812b85230308b672ce7
- SHA256: ceb7dc735aad69ceaa69d7353b2364bbaf2ccd69176707bdc0d7c38f27e326b4
- SHA512: 563f6e6e58938730f68af98b0fdc7e7f079ff85222a4db9270bbc5ddf2a4f6ae607fdd271048443b0d9c5a48ba5c53e0928d515437a10d715a7d7deef9b98bec
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: OneDay@time
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
Processes (resource | yara_rule):
- behavioral1/memory/696-63-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/696-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/696-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/696-66-0x0000000000446ADE-mapping.dmp | family_agenttesla
- behavioral1/memory/696-68-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/696-70-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- PID 1660 set thread context of 696 | 1660 | PROFILE.exe | PROFILE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid | process):
- 1660 | PROFILE.exe
- 1660 | PROFILE.exe
- 696 | PROFILE.exe
- 696 | PROFILE.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1660 | PROFILE.exe
- Token: SeDebugPrivilege | 696 | PROFILE.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description | pid | process | target process):
- PID 1660 wrote to memory of 1220 | 1660 | PROFILE.exe | schtasks.exe
- PID 1660 wrote to memory of 1220 | 1660 | PROFILE.exe | schtasks.exe
- PID 1660 wrote to memory of 1220 | 1660 | PROFILE.exe | schtasks.exe
- PID 1660 wrote to memory of 1220 | 1660 | PROFILE.exe | schtasks.exe
- PID 1660 wrote to memory of 2004 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 2004 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 2004 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 2004 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
- PID 1660 wrote to memory of 696 | 1660 | PROFILE.exe | PROFILE.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFILE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1660
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RLgpeSlz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5A.tmp"
    - Creates scheduled task(s)
    PID: 1220
  - C:\Users\Admin\AppData\Local\Temp\PROFILE.exe
    Command line: "{path}"
    PID: 2004
  - C:\Users\Admin\AppData\Local\Temp\PROFILE.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 696
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4A5A.tmp
  Filesize: 1KB
  MD5: f0cd82e9589ea4b55c9a1b4783e56c55
  SHA1: f2ce435098eef47cb3968f6990f9c718cff0d118
  SHA256: 5cd2d96ab9510914ebd344adf52201eb94898a1b195a14fa51c2d70424fdc893
  SHA512: 257cc18e6ee60c90c25ff71a7d502e643aa54d905bc7e4d0193c909b1834a34e116c942eac18df75e882051d0e059a0f5b7d58a17137f123b9bd8db934330348
- memory/696-64-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-63-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-60-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-65-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-66-0x0000000000446ADE-mapping.dmp
- memory/696-68-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/696-70-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1220-58-0x0000000000000000-mapping.dmp
- memory/1660-56-0x00000000004F0000-0x00000000004F8000-memory.dmp
  Filesize: 32KB
- memory/1660-57-0x0000000004210000-0x0000000004264000-memory.dmp
  Filesize: 336KB
- memory/1660-55-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB
- memory/1660-54-0x0000000000AE0000-0x0000000000B58000-memory.dmp
  Filesize: 480KB