Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:24

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: PO.exe, Resource: win10v2004-20220414-en)
General
- Target: PO.exe
- Size: 474KB
- MD5: bbcf7d3c452a1f979cebfdbb7ef6220a
- SHA1: 35cdbbcc31606bc42702fda23292afb3a6f4be23
- SHA256: b8214924a598b9fd3193099fecd6c3d09f06dc5e3a9af098642c7d5327c05cd3
- SHA512: 2fb4bd3808ba1681363c56b5e47013f6c8938ee07e3cb6e2d7fab2a89a4f6aacdf4b6adb889c3554b96e4a03e69ed7f6b9d5ae0c74a05021c8e92b60f98bbb3c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: [email protected]
- Password: pune@123
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. This sample carries an SMTP exfiltration configuration (host, port and mailbox credentials listed under Malware Config above).

AgentTesla Payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral2/memory/2276-139-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
The family rule fires on the memory of RegSvcs.exe (PID 2276), not on PO.exe on disk: PO.exe acts as a loader and the AgentTesla body only appears once it has been written into the hollowed .NET host.

Disables Task Manager via registry modification
No IoC table is recorded for this signature; the corresponding REG.exe command (setting HKCU\...\Policies\System\DisableTaskMgr to 1) appears in the process tree below.

Drops file in Drivers directory (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | PO.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 2288 set thread context of 2276 | 2288 | PO.exe | RegSvcs.exe
Taken together with the WriteProcessMemory entries below (PO.exe writing into a freshly created RegSvcs.exe and then resetting its thread context), this is the process-hollowing pattern: the payload replaces the image of a Microsoft-signed .NET utility and runs under its name.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this "likely ransomware behaviour", but no encryption or other ransomware indicator appears anywhere in this report; for an information stealer, drive enumeration is part of host reconnaissance.

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  2740 | 2276 | WerFault.exe | RegSvcs.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\LKptDWYQbOOY" is created from an XML definition dropped in the user's temp directory (tmp3E8F.tmp, hashed under Downloads below).

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  2288 | PO.exe (3 entries)
  2276 | RegSvcs.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2288 | PO.exe
  Token: SeDebugPrivilege | 2276 | RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (identical entries grouped, count in the last column):
  description | pid | process | target process | entries
  PID 2288 wrote to memory of 2576 | 2288 | PO.exe | schtasks.exe | 3
  PID 2288 wrote to memory of 2268 | 2288 | PO.exe | RegSvcs.exe | 3
  PID 2288 wrote to memory of 2276 | 2288 | PO.exe | RegSvcs.exe | 8
  PID 2276 wrote to memory of 3392 | 2276 | RegSvcs.exe | REG.exe | 3
  PID 2276 wrote to memory of 4512 | 2276 | RegSvcs.exe | netsh.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LKptDWYQbOOY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E8F.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    Signatures: none recorded
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    Signatures: Drops file in Drivers directory; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1552
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2276 -ip 2276
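Detection logic for the chain in this tree, written for this write-up; it is not part of the sandbox report or its tooling. It runs over constructed Sysmon-style process-creation and registry-set records that mirror the tree above (PIDs and command lines as recorded; the explorer.exe parent, its PID 1000, and the benign RegSvcs.exe control row with PIDs 900/5000 are assumptions). Two details in the tree are worth encoding directly: RegSvcs.exe is launched with the literal string "{path}" (a placeholder the loader never substituted) instead of an assembly path, and "netsh wlan show profile", a dump of saved Wi-Fi profiles, is spawned from the hollowed RegSvcs.exe rather than from an interactive shell.

```python
"""Flag the AgentTesla-style loader chain in process/registry telemetry.

Constructed example for this write-up, not sandbox output. In production
the records would come from Sysmon Event ID 1 (process create) and
Event ID 13 (registry value set) or equivalent EDR telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str
    value: str


# Microsoft-signed .NET utilities that loaders start and hollow out; a
# legitimate launch passes an assembly path as the argument.
DOTNET_HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# Per-user temp directory: loader, task XML and Run-key target all live there.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, regs):
    """Return (rule, pid, detail) tuples for every matched behaviour."""
    findings = []
    for p in procs:
        name = _name(p.image)

        # .NET host spawned by a binary running out of %TEMP%; the unfilled
        # "{path}" placeholder instead of an assembly path is a strong pivot.
        if name in DOTNET_HOLLOW_HOSTS and USER_TEMP.search(p.parent_image):
            detail = ('literal "{path}" placeholder argument'
                      if p.cmdline.strip() == '"{path}"'
                      else "parent executes from user temp")
            findings.append(("dotnet_host_from_temp", p.pid, detail))

        # Scheduled task created from an XML definition dropped in %TEMP%.
        if name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            m = re.search(r'/xml\s+"?([^"\s]+)', p.cmdline, re.I)
            if m and USER_TEMP.search(m.group(1)):
                findings.append(("schtasks_xml_from_temp", p.pid, m.group(1)))

        # Task Manager disabled via the per-user Policies\System key.
        if (name == "reg.exe"
                and re.search(r"\bdisabletaskmgr\b", p.cmdline, re.I)
                and re.search(r"/d\s+1\b", p.cmdline)):
            findings.append(("disable_taskmgr", p.pid, p.cmdline))

        # Wi-Fi profile dump launched from a .NET host, not a shell.
        if (name == "netsh.exe"
                and re.search(r"wlan\s+show\s+profile", p.cmdline, re.I)
                and _name(p.parent_image) in DOTNET_HOLLOW_HOSTS):
            findings.append(("wlan_profile_dump", p.pid, f"parent {p.parent_image}"))

    # Run key whose target lives in a per-user temp directory.
    for r in regs:
        if re.search(r"\\currentversion\\run\\", r.key, re.I) and USER_TEMP.search(r.value):
            findings.append(("run_key_to_temp", r.pid, r.value))
    return findings


PO = r"C:\Users\Admin\AppData\Local\Temp\PO.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed telemetry mirroring the report's process tree. The explorer.exe
# parent (PID 1000) and the benign control row (PIDs 900/5000) are assumed.
SAMPLE_PROCS = [
    ProcEvent(2288, PO, f'"{PO}"', 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(2576, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LKptDWYQbOOY" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3E8F.tmp"', 2288, PO),
    ProcEvent(2268, REGSVCS, '"{path}"', 2288, PO),
    ProcEvent(2276, REGSVCS, '"{path}"', 2288, PO),
    ProcEvent(3392, r"C:\Windows\SysWOW64\REG.exe",
              r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
              r"/v DisableTaskMgr /t REG_DWORD /d 1 /f", 2276, REGSVCS),
    ProcEvent(4512, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile', 2276, REGSVCS),
    # Benign control (assumed): an administrator registering a real assembly.
    ProcEvent(5000, REGSVCS, r'RegSvcs.exe "C:\Program Files\Vendor\Component.dll"',
              900, r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_REGS = [
    RegEvent(2276, REGSVCS,
             r"HKU\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ",
             r"C:\Users\Admin\AppData\Local\Temp\CpSnJ\CpSnJ.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Against the constructed records the benign RegSvcs.exe launch (assembly path argument, cmd.exe parent outside any user temp directory) produces no finding, while both "{path}" instances, the task creation, the DisableTaskMgr write, the netsh profile dump and the Run key are each reported once. The rules key on structural facts of the chain (parent location, placeholder argument, temp-resident task XML and Run target) rather than on the random names CpSnJ and LKptDWYQbOOY, which change per build.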
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3E8F.tmp
  Filesize: 1KB
  MD5: 203220b4431a3e4d760cc2c151e22a60
  SHA1: 99114a2f9f04c821aaff58b2f5c57c52df93b7c0
  SHA256: c5121596860b0ddbe794ffb91bf593be07900f99984af56b23aeac7704f65f50
  SHA512: 295d7f8a378f91801f309d4c2a12c73a82726776e9c8ca91a377322b78c18f428372f173fa27781b36b70ae3a94e0073626d83ac0072000618cb2a30273cc386
- memory/2268-137-0x0000000000000000-mapping.dmp
- memory/2276-139-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2276-138-0x0000000000000000-mapping.dmp
- memory/2276-140-0x00000000058C0000-0x0000000005926000-memory.dmp
  Filesize: 408KB
- memory/2276-142-0x00000000063E0000-0x0000000006430000-memory.dmp
  Filesize: 320KB
- memory/2288-133-0x0000000004F40000-0x0000000004F4A000-memory.dmp
  Filesize: 40KB
- memory/2288-134-0x0000000008A20000-0x0000000008ABC000-memory.dmp
  Filesize: 624KB
- memory/2288-132-0x0000000004F50000-0x0000000004FE2000-memory.dmp
  Filesize: 584KB
- memory/2288-131-0x0000000005420000-0x00000000059C4000-memory.dmp
  Filesize: 5.6MB
- memory/2288-130-0x0000000000510000-0x000000000058C000-memory.dmp
  Filesize: 496KB
- memory/2576-135-0x0000000000000000-mapping.dmp
- memory/3392-141-0x0000000000000000-mapping.dmp
- memory/4512-143-0x0000000000000000-mapping.dmp