Analysis
- max time kernel: 94s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:40

Static task: static1
Behavioral task: behavioral1
- Sample: SOA.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: SOA.exe
- Size: 488KB
- MD5: 5e60ef56b469a00033010400dfd0b8a8
- SHA1: 32995e5ad69e62e01512bbc90c163f1c7f1a8805
- SHA256: 7da5b2a2701aa912c1e3b5d76bc926d9a446e6fcbd965bf2781d4653cc453d47
- SHA512: de95f417bb3fca636c52f12740324d57e6831a3bb94672b0cfe508db85eff2f2be6564fbafd76aa91809dce612bbb78f110f394ac859f44228838fa208eeb6de
Malware Config
Extracted
- Family: agenttesla
Credentials
- Protocol: smtp
- Host: mail.rajapindah.com
- Port: 587
- Username: [email protected]
- Password: #r4j#citeureup#13
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/5008-136-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: SOA.exe
  description | pid | process | target process
  PID 4652 set thread context of 5008 | 4652 | SOA.exe | RegSvcs.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2056 | 5008 | WerFault.exe | RegSvcs.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  5008 | RegSvcs.exe
  5008 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 5008 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: SOA.exe, RegSvcs.exe
  description | pid | process | target process
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 4652 wrote to memory of 5008 | 4652 | SOA.exe | RegSvcs.exe
  PID 5008 wrote to memory of 4568 | 5008 | RegSvcs.exe | REG.exe
  PID 5008 wrote to memory of 4568 | 5008 | RegSvcs.exe | REG.exe
  PID 5008 wrote to memory of 4568 | 5008 | RegSvcs.exe | REG.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1532
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5008 -ip 5008
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4568-138-0x0000000000000000-mapping.dmp
- memory/4652-130-0x00000000002F0000-0x0000000000370000-memory.dmp (Filesize: 512KB)
- memory/4652-131-0x0000000005380000-0x0000000005924000-memory.dmp (Filesize: 5.6MB)
- memory/4652-132-0x0000000004D00000-0x0000000004D92000-memory.dmp (Filesize: 584KB)
- memory/4652-133-0x0000000004DD0000-0x0000000004DDA000-memory.dmp (Filesize: 40KB)
- memory/4652-134-0x00000000086B0000-0x000000000874C000-memory.dmp (Filesize: 624KB)
- memory/5008-135-0x0000000000000000-mapping.dmp
- memory/5008-136-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/5008-137-0x00000000066D0000-0x0000000006736000-memory.dmp (Filesize: 408KB)
- memory/5008-139-0x0000000006D60000-0x0000000006DB0000-memory.dmp (Filesize: 320KB)