Analysis
-
max time kernel
151s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:32
General
-
Target
PROFILE.exe
-
Size
453KB
-
MD5
0730a8b1cadc7b07bd0a7fbe57437939
-
SHA1
424eea095b6b46cc0d3d6812b85230308b672ce7
-
SHA256
ceb7dc735aad69ceaa69d7353b2364bbaf2ccd69176707bdc0d7c38f27e326b4
-
SHA512
563f6e6e58938730f68af98b0fdc7e7f079ff85222a4db9270bbc5ddf2a4f6ae607fdd271048443b0d9c5a48ba5c53e0928d515437a10d715a7d7deef9b98bec
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
OneDay@time
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RLgpeSlz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\PROFILE.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4A5A.tmpFilesize
1KB
MD5f0cd82e9589ea4b55c9a1b4783e56c55
SHA1f2ce435098eef47cb3968f6990f9c718cff0d118
SHA2565cd2d96ab9510914ebd344adf52201eb94898a1b195a14fa51c2d70424fdc893
SHA512257cc18e6ee60c90c25ff71a7d502e643aa54d905bc7e4d0193c909b1834a34e116c942eac18df75e882051d0e059a0f5b7d58a17137f123b9bd8db934330348
-
memory/696-64-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-63-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-60-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-65-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-66-0x0000000000446ADE-mapping.dmp
-
memory/696-68-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/696-70-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1220-58-0x0000000000000000-mapping.dmp
-
memory/1660-56-0x00000000004F0000-0x00000000004F8000-memory.dmpFilesize
32KB
-
memory/1660-57-0x0000000004210000-0x0000000004264000-memory.dmpFilesize
336KB
-
memory/1660-55-0x0000000075761000-0x0000000075763000-memory.dmpFilesize
8KB
-
memory/1660-54-0x0000000000AE0000-0x0000000000B58000-memory.dmpFilesize
480KB