Analysis
-
max time kernel
125s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:31
General
-
Target
5X40ft Containers.exe
-
Size
447KB
-
MD5
21392c35fff25aa5aca7dd5b38d07db3
-
SHA1
110c61ea53ecc080b4871b348f4a524ae8723d89
-
SHA256
cebc844f3daddf87ea7763dafad1989b62052fe2264a4eb2ed9438e67789bc72
-
SHA512
bdb0501766036cc598350d7450ecf7903881e810e5b8067c0ac723ac665e8570d24ea3094a339dbc01bcb0658b21a36e59553ae3bf4c9c960d756ad1377b60ee
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
coronavirus2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5X40ft Containers.exe"C:\Users\Admin\AppData\Local\Temp\5X40ft Containers.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptaHdfRIQpTl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE00.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpBE00.tmpFilesize
1KB
MD507e7cd756ba29b05b7fca8687f580e18
SHA135ab750f874d29c6ead86e44b71fb196bb0526b8
SHA2567f777175fd289ebf42ba1e1aaa44b889d99097ba636a3ceb5802673735ce2839
SHA51298b541d659f330ca8cd8dbbf4e260469f4fcbc5dfe8df0f921703ad1fc4548f3fd1a28d923b956b27d4f8eae591ad6e80d88b3c1811941feb2908bc51476c136
-
memory/2060-134-0x0000000000000000-mapping.dmp
-
memory/2468-136-0x0000000000000000-mapping.dmp
-
memory/2468-137-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2468-138-0x00000000065B0000-0x0000000006616000-memory.dmpFilesize
408KB
-
memory/2468-139-0x0000000006C40000-0x0000000006C90000-memory.dmpFilesize
320KB
-
memory/2468-140-0x0000000006C30000-0x0000000006C3A000-memory.dmpFilesize
40KB
-
memory/4528-130-0x0000000000800000-0x0000000000876000-memory.dmpFilesize
472KB
-
memory/4528-131-0x0000000005260000-0x00000000052FC000-memory.dmpFilesize
624KB
-
memory/4528-132-0x00000000055D0000-0x0000000005662000-memory.dmpFilesize
584KB
-
memory/4528-133-0x0000000006100000-0x00000000066A4000-memory.dmpFilesize
5.6MB