Analysis
- max time kernel: 143s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:24
Static task: static1
Behavioral task behavioral1: Sample PO.exe, Resource win7-20220414-en
Behavioral task behavioral2: Sample PO.exe, Resource win10v2004-20220414-en
General
- Target: PO.exe
- Size: 474KB
- MD5: bbcf7d3c452a1f979cebfdbb7ef6220a
- SHA1: 35cdbbcc31606bc42702fda23292afb3a6f4be23
- SHA256: b8214924a598b9fd3193099fecd6c3d09f06dc5e3a9af098642c7d5327c05cd3
- SHA512: 2fb4bd3808ba1681363c56b5e47013f6c8938ee07e3cb6e2d7fab2a89a4f6aacdf4b6adb889c3554b96e4a03e69ed7f6b9d5ae0c74a05021c8e92b60f98bbb3c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: [email protected]
- Password: pune@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1316-63-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1316-64-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1316-65-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1316-66-0x000000000044CF5E-mapping.dmp | family_agenttesla
  behavioral1/memory/1316-68-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1316-70-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  resource | yara_rule
  behavioral1/memory/1364-57-0x0000000004670000-0x00000000046C8000-memory.dmp | rezer0
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PO.exe
  description | pid | process | target process
  PID 1364 set thread context of 1316 | 1364 | PO.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PO.exe, RegSvcs.exe
  pid | process
  1364 | PO.exe
  1316 | RegSvcs.exe
  1316 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PO.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1364 | PO.exe
  Token: SeDebugPrivilege | 1316 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: PO.exe, RegSvcs.exe
  description | pid | process | target process
  PID 1364 wrote to memory of 1704 | 1364 | PO.exe | schtasks.exe
  PID 1364 wrote to memory of 1704 | 1364 | PO.exe | schtasks.exe
  PID 1364 wrote to memory of 1704 | 1364 | PO.exe | schtasks.exe
  PID 1364 wrote to memory of 1704 | 1364 | PO.exe | schtasks.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1364 wrote to memory of 1316 | 1364 | PO.exe | RegSvcs.exe
  PID 1316 wrote to memory of 1632 | 1316 | RegSvcs.exe | REG.exe
  PID 1316 wrote to memory of 1632 | 1316 | RegSvcs.exe | REG.exe
  PID 1316 wrote to memory of 1632 | 1316 | RegSvcs.exe | REG.exe
  PID 1316 wrote to memory of 1632 | 1316 | RegSvcs.exe | REG.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LKptDWYQbOOY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7E2.tmp"
    - Creates scheduled task(s)
  - Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC7E2.tmp
  Filesize: 1KB
  MD5: 65f83a92e9942d0f43285eecbf589b85
  SHA1: ee1c25a45be5569e77dab39417a4b77448a9ffda
  SHA256: 148729256045ae624d2c1dc8b00b818cc06733b120affaaa86910e617ceb60ad
  SHA512: b6ba02b756639b289445735db9a4bb4616526b79fb32f0d6cdc14ad04816d468fb4bf24d54c3bd095dd32954938a934b9364b825e1f00b6f4f006a32de7e25f0
- memory/1316-64-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-66-0x000000000044CF5E-mapping.dmp
- memory/1316-70-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-68-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-65-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-60-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-61-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1316-63-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1364-54-0x0000000000EB0000-0x0000000000F2C000-memory.dmp (Filesize: 496KB)
- memory/1364-55-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/1364-56-0x0000000000600000-0x0000000000610000-memory.dmp (Filesize: 64KB)
- memory/1364-57-0x0000000004670000-0x00000000046C8000-memory.dmp (Filesize: 352KB)
- memory/1632-72-0x0000000000000000-mapping.dmp
- memory/1704-58-0x0000000000000000-mapping.dmp