Analysis
- max time kernel: 112s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:07
- Static task: static1
- Behavioral task: behavioral1 (sample Letter.exe, resource win7-20220414-en)
- Behavioral task: behavioral2 (sample Letter.exe, resource win10v2004-20220414-en)
The signatures, process tree and dumps below are those of behavioral1 (Windows 7 x64).
General
- Target: Letter.exe
- Size: 581KB
- MD5: 6b1a709c8884accc0ba410ef9413a04c
- SHA1: bb80dad1518cd8d7bb912b74bcf01c927b45394a
- SHA256: 439ed702b9700b4bd7ec8877db8d90820176cd183cb888c8be9b14267d3581cc
- SHA512: 309ef31c93845a36060bd4b69a3d7cfc79bebb518530371846165a49c7dc74069777c09067d3406ee2cb3de94494c8ff31b8ffdeb54f0cd4c6088b6cd6fc16c7
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.gayaceramic.com
- Port: 587
- Username: [email protected] (mailbox name redacted on the page)
- Password: 2019gaya
This is the SMTP exfiltration variant of Agent Tesla: stolen data is sent as mail through the listed account, so the host, port and credentials are the indicators to act on.
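The following added example (mine, not code from the sandbox or from Agent Tesla) parses the flattened "Extracted" block exactly as it appears on this page and derives the network indicators a defender would hunt for. The output layout, the helper names and the handling of the page's [email protected] redaction are my assumptions; the AUTH LOGIN tokens are only visible on the wire when the session is not upgraded with STARTTLS, which on the submission port 587 it may well be.

```python
import base64
import re

# Copy of the flattened config block as it appears on this page (constructed from
# the page text; "[email protected]" is the page's redaction of the mailbox name).
RAW_CONFIG = """Protocol: smtp- Host:
mail.gayaceramic.com - Port:
587 - Username:
[email protected] - Password:
2019gaya"""

REDACTED = "[email protected]"


def parse_triage_config(text):
    """Parse 'Key: value - Key: value' text (possibly wrapped across lines) into a dict.

    Chunks are split only at a hyphen that is followed by whitespace and another
    'Key:' so that hyphens inside hostnames or passwords are left alone.
    """
    flat = " ".join(line.strip() for line in text.splitlines())
    fields = {}
    for chunk in re.split(r"\s*-\s+(?=[A-Za-z]+:)", flat):
        key, sep, value = chunk.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    if "port" in fields:
        fields["port"] = int(fields["port"])
    return fields


def _auth_login_token(value):
    """AUTH LOGIN sends each credential base64-encoded on its own line; None if redacted."""
    if value is None or value == REDACTED:
        return None
    return base64.b64encode(value.encode()).decode()


def exfil_iocs(cfg):
    """Derive hunting indicators from the extracted SMTP settings.

    The base64 tokens only appear in cleartext if the client does not upgrade
    the session with STARTTLS; DNS and destination tuple are visible regardless.
    """
    if cfg.get("protocol") != "smtp":
        raise ValueError("not an SMTP exfiltration config")
    return {
        "dns_query": cfg["host"],
        "dst": (cfg["host"], cfg["port"]),
        "redacted_fields": sorted(k for k, v in cfg.items() if v == REDACTED),
        "auth_login_username_b64": _auth_login_token(cfg.get("username")),
        "auth_login_password_b64": _auth_login_token(cfg.get("password")),
    }


if __name__ == "__main__":
    for key, val in exfil_iocs(parse_triage_config(RAW_CONFIG)).items():
        print(f"{key}: {val}")
```

Because the username is redacted on the page, the username token comes back as None rather than as base64 of the placeholder, which would otherwise become a false indicator.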
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in .NET; this sample carries the SMTP exfiltration configuration extracted above.
- AgentTesla Payload (6 IoCs)
  YARA rule family_agenttesla matched the following behavioral1 memory dumps, all taken from the second Letter.exe instance (PID 524):
    behavioral1/memory/524-64-0x0000000000400000-0x000000000045A000-memory.dmp
    behavioral1/memory/524-65-0x0000000000400000-0x000000000045A000-memory.dmp
    behavioral1/memory/524-66-0x0000000000400000-0x000000000045A000-memory.dmp
    behavioral1/memory/524-67-0x000000000045437E-mapping.dmp
    behavioral1/memory/524-69-0x0000000000400000-0x000000000045A000-memory.dmp
    behavioral1/memory/524-71-0x0000000000400000-0x000000000045A000-memory.dmp
  None of the dumps from the parent (PID 1684) matched, so the recognisable payload is present only after it has been unpacked and injected.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Letter.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Letter.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    Letter.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  Letter.exe
- Suspicious use of SetThreadContext (1 IoC)
    PID 1684 Letter.exe set thread context of PID 524 Letter.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this sample it goes with the Disk\Enum registry reads above, whose values embed the disk's hardware ID (VBOX or VMware on a virtual machine), so it is better read as another virtual-machine check.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    PID 524 Letter.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token SeDebugPrivilege  PID 524 Letter.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
    PID 1684 Letter.exe wrote to memory of PID 696 schtasks.exe  (4 events)
    PID 1684 Letter.exe wrote to memory of PID 524 Letter.exe    (9 events)
  Writes into a freshly created child are expected during process start-up. The nine writes into the second Letter.exe instance, followed by SetThreadContext on PID 524, are the process-hollowing sequence: the parent starts a copy of itself, overwrites its image with the unpacked payload and redirects the child's thread into it. The 0x45437E mapping dump listed under Downloads lies inside that injected region.
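The tables above are what a behavioural detection consumes, so here is an added example (mine, not the sandbox's code) that replays the report's IoCs as constructed telemetry and flags the three behaviours in it: the BIOS/disk registry probes, the schtasks persistence command, and the WriteProcessMemory burst followed by SetThreadContext that marks hollowing. PIDs, image names, registry paths and the command line are taken from the report; the event record layout, the function names and the thresholds are my assumptions and are marked as such in the comments.

```python
import re
from collections import defaultdict

# Registry paths the sample read (from the report), lower-cased for matching.
ANTI_VM_KEYS = {
    r"\registry\machine\hardware\description\system\videobiosversion": "BIOS version",
    r"\registry\machine\hardware\description\system\systembiosversion": "BIOS version",
    r"\registry\machine\system\controlset001\services\disk\enum": "disk enumeration",
    r"\registry\machine\system\controlset001\services\disk\enum\0": "disk enumeration",
}

# Constructed telemetry mirroring the report's IoCs (pids, images and paths as reported;
# the record layout is an assumption, not the sandbox's export format).
EVENTS = [
    {"op": "reg_query", "pid": 1684, "image": "Letter.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"op": "reg_query", "pid": 1684, "image": "Letter.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"op": "reg_open", "pid": 1684, "image": "Letter.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"},
    {"op": "proc_create", "pid": 696, "ppid": 1684, "image": "schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hWFpUZAPSDgj" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1305.tmp"'},
    {"op": "write_memory", "pid": 1684, "target": 696},
    {"op": "proc_create", "pid": 524, "ppid": 1684, "image": "Letter.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Letter.exe"'},
] + [{"op": "write_memory", "pid": 1684, "target": 524}] * 9 + [
    {"op": "set_thread_context", "pid": 1684, "target": 524},
]


def anti_vm_checks(events):
    """Registry reads that match known sandbox/VM probes, as (pid, image, key, what)."""
    return [(e["pid"], e["image"], e["key"], ANTI_VM_KEYS[e["key"].lower()])
            for e in events
            if e["op"] in ("reg_query", "reg_open") and e["key"].lower() in ANTI_VM_KEYS]


def process_hollowing(events):
    """Pair WriteProcessMemory bursts with a later SetThreadContext on the same target.

    A parent writing into a child that runs its own image and then resetting the
    child's thread context is the hollowing sequence; writes alone (as into
    schtasks.exe here) are ordinary process start-up and are not reported.
    """
    images = {e["pid"]: e["image"] for e in events if "image" in e}
    parents = {e["pid"]: e["ppid"] for e in events if e["op"] == "proc_create"}
    writes = defaultdict(int)
    findings = []
    for e in events:
        if e["op"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["op"] == "set_thread_context" and writes[(e["pid"], e["target"])]:
            findings.append({
                "injector": e["pid"],
                "target": e["target"],
                "target_image": images.get(e["target"]),
                "writes_before_context_reset": writes[(e["pid"], e["target"])],
                "self_image": parents.get(e["target"]) == e["pid"]
                and images.get(e["target"]) == images.get(e["pid"]),
            })
    return findings


_ARG = re.compile(r'"([^"]*)"|(\S+)')  # one quoted or bare command-line token


def parse_schtasks(cmdline):
    """Split a schtasks command line and flag the persistence traits seen in this report."""
    args = [quoted or bare for quoted, bare in _ARG.findall(cmdline)]
    opts = {a.upper(): args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("/")}
    task, xml = opts.get("/TN"), opts.get("/XML")
    flags = []
    if xml and "\\appdata\\local\\temp\\" in xml.lower():
        flags.append("task definition imported from user Temp")
    if xml and xml.lower().endswith(".tmp"):
        flags.append("definition file has .tmp extension")
    if task and "\\" in task and not task.lower().startswith("microsoft\\"):
        flags.append("task placed in non-Microsoft folder " + task.split("\\")[0])
    return {"create": any(a.upper() == "/CREATE" for a in args),
            "task": task, "xml": xml, "flags": flags}


def triage(events):
    """Run all three checks over the telemetry and return one summary."""
    tasks = [parse_schtasks(e["cmdline"]) for e in events
             if e["op"] == "proc_create" and e["image"].lower() == "schtasks.exe"]
    return {"anti_vm": anti_vm_checks(events),
            "hollowing": process_hollowing(events),
            "scheduled_tasks": [t for t in tasks if t["create"]]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The hollowing check keys on the pair (writer, target) so that the single write into schtasks.exe, which never receives a SetThreadContext, is not reported, while the same-image parent/child relationship of the two Letter.exe instances is recorded separately as self_image.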
Processes
- C:\Users\Admin\AppData\Local\Temp\Letter.exe  (PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Letter.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe  (PID 696, child of 1684)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hWFpUZAPSDgj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1305.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Letter.exe  (PID 524, child of 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Letter.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables. The command line names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe: that is WOW64 file-system redirection, which shows the parent is a 32-bit process on this x64 guest. The task is created from an XML definition (tmp1305.tmp) rather than with /TR and /SC on the command line, so its trigger and command are only visible by inspecting that file; the task name and its "Updates\" folder are the persistence artefacts to look for.
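The task definition file tmp1305.tmp is only listed by size and hashes on this page, so the example below (added here, not recovered from the sample) parses a constructed Task Scheduler XML of the kind schtasks /XML consumes and pulls out the triggers, the executed command and the settings that matter for triage. The trigger, author, command path and settings in the sample XML are hypothetical; the namespace and element names are the real Task Scheduler schema, and the UTF-16 handling matches how such files are usually written.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed stand-in for tmp1305.tmp: the report gives only its size and hashes,
# so the trigger, author, command path and settings below are hypothetical.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WIN7-PC\\Admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\hWFpUZAPSDgj.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")  # schtasks /XML files are normally UTF-16 with a BOM


def _q(path):
    """Prefix every step of an element path with the Task Scheduler namespace."""
    return "/".join(TASK_NS + step for step in path.split("/"))


def parse_task_xml(data):
    """Pull triggers, actions, principal and settings out of a Task Scheduler XML file."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    # Drop the declaration: the encoding it names is no longer true once decoded to str.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    root = ET.fromstring(text)
    if root.tag != TASK_NS + "Task":
        raise ValueError("not a Task Scheduler definition: " + root.tag)

    def text_of(path):
        el = root.find(_q(path))
        return el.text.strip() if el is not None and el.text else None

    trig = root.find(_q("Triggers"))
    triggers = [t.tag[len(TASK_NS):] for t in (list(trig) if trig is not None else [])]
    actions = [{"command": (ex.findtext(TASK_NS + "Command") or "").strip() or None,
                "arguments": (ex.findtext(TASK_NS + "Arguments") or "").strip() or None}
               for ex in root.findall(_q("Actions/Exec"))]
    hidden = (text_of("Settings/Hidden") or "").lower() == "true"
    run_level = text_of("Principals/Principal/RunLevel")

    flags = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        flags.append("starts at logon/boot")
    if hidden:
        flags.append("hidden from Task Scheduler UI")
    if run_level == "HighestAvailable":
        flags.append("requests highest available privileges")
    for a in actions:
        if a["command"] and re.search(r"\\(appdata|temp|users\\public)\\", a["command"], re.I):
            flags.append("executable under user-writable path: " + a["command"])
    return {"triggers": triggers, "actions": actions, "hidden": hidden,
            "run_level": run_level, "flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_task_xml(SAMPLE_TASK_XML), indent=2))
```

Run it against the real tmp1305.tmp pulled from the sandbox to see what the task actually launches; the parser rejects anything whose root is not a Task element so a mis-identified file fails loudly instead of returning empty fields.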
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1305.tmp (1KB), the task definition passed to schtasks /XML
  MD5    e3d48bbe48f978fc920c804fe86905cf
  SHA1   a875d61bea048bfe55c807491521f7cafc6b1254
  SHA256 b82f9d5c062534910afaa6490e9ad3631119058e4a6a755f6b90ae5b20fab31f
  SHA512 a8b8841346d5a980b5452f8e8d5588eb207dac6408ebd384dd44b037e785bcbc5488aa8b0731557955ecc7303565b1e74c9a902d62d41fab220b982d33ab10c4
- Memory dumps of PID 1684 (parent Letter.exe)
  memory/1684-54-0x0000000000DF0000-0x0000000000E88000-memory.dmp  608KB
  memory/1684-55-0x0000000075761000-0x0000000075763000-memory.dmp  8KB
  memory/1684-56-0x0000000000630000-0x0000000000642000-memory.dmp  72KB
  memory/1684-57-0x0000000007F50000-0x0000000007FC2000-memory.dmp  456KB
  memory/1684-58-0x00000000080F0000-0x000000000814A000-memory.dmp  360KB
- Memory dump of PID 696 (schtasks.exe)
  memory/696-59-0x0000000000000000-mapping.dmp
- Memory dumps of PID 524 (second Letter.exe instance)
  memory/524-61-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-62-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-64-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-65-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-66-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-67-0x000000000045437E-mapping.dmp
  memory/524-69-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
  memory/524-71-0x0000000000400000-0x000000000045A000-memory.dmp  360KB
The sizes check out against the address ranges: 0x45A000 - 0x400000 = 0x5A000 = 368,640 bytes = 360KB, and the 0x45437E mapping address falls inside that range. The parent's 1684-58 region (0x80F0000-0x814A000) is also exactly 0x5A000 bytes, consistent with the unpacked payload being staged in the parent before it is written into PID 524 at the fixed image base 0x400000. The 608KB region at 0xDF0000 in the parent is consistent with the 581KB Letter.exe mapped as its main image; none of the parent's regions triggered the AgentTesla YARA rule.