Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:27
Static task: static1
Behavioral task: behavioral1
- Sample: 20200809.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 20200809.exe
- Resource: win10v2004-20220414-en
General
- Target: 20200809.exe
- Size: 544KB
- MD5: ed7115dfa3d1f7a20cc3e535fcfe10c1
- SHA1: 01b951c89c725eff619c94fbaff756ca08fe1232
- SHA256: 8ccf13e8e912fa0378988047e8dfdd3cf6f92f760c09745d841cf1f3971d506f
- SHA512: 641cec39c215a4352b910524484dbc6f1341c3760757fcbf936ff382ce6db7c3070a9241c5f9f3aa564eef527b95123f205f380007318f4d5f981625093a412c
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.epak-de.com
- Port: 587
- Username: [email protected]
- Password: tanga333
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  - resource: behavioral2/memory/2044-134-0x0000000000400000-0x000000000044A000-memory.dmp
    yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 20200809.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    process: 20200809.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: 20200809.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 20200809.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 20200809.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 20200809.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 20200809.exe
  - description: PID 1464 set thread context of 2044
    pid: 1464
    process: 20200809.exe
    target process: 20200809.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 20200809.exe
  - pid: 2044, process: 20200809.exe
  - pid: 2044, process: 20200809.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 20200809.exe
  - description: Token: SeDebugPrivilege
    pid: 2044
    process: 20200809.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 20200809.exe
  - pid: 2044, process: 20200809.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 20200809.exe
  - description: PID 1464 wrote to memory of 220, pid: 1464, process: 20200809.exe, target process: schtasks.exe
  - description: PID 1464 wrote to memory of 220, pid: 1464, process: 20200809.exe, target process: schtasks.exe
  - description: PID 1464 wrote to memory of 220, pid: 1464, process: 20200809.exe, target process: schtasks.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
  - description: PID 1464 wrote to memory of 2044, pid: 1464, process: 20200809.exe, target process: 20200809.exe
- outlook_office_path (1 IoCs)
  Processes: 20200809.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 20200809.exe
- outlook_win_path (1 IoCs)
  Processes: 20200809.exe
  - description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: 20200809.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20200809.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20200809.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owyhsoOGEbhOZd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\20200809.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\20200809.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\20200809.exe.log
  Filesize: 496B
  MD5: a25e0ec08ea716dcc1f709ad1e752d71
  SHA1: 64685efa79682636b020453e2444b3d472ed3181
  SHA256: 15254310d916b50af5775cf0df7e256a28242c41d6e429bc9e98709c162297f1
  SHA512: 2fe3e3dc28b0de7a6de5569799bdcc0eafea32043c23e56dc4f65b94fc7202dc08d87ad66311335406495377a4180070d5b7cc1b5d26bb40500068459c6346ae
- C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp
  Filesize: 1KB
  MD5: 937714d3f80aa33435cdfff2cd500062
  SHA1: 67b33ca300b001f43fc7056763b98d209d7a5932
  SHA256: ec5fc61d763aa27951288e8f4dfa26187ca07468e3f1a44f38a0ffd1adc1e00b
  SHA512: 6f239137d179f4befd6ba9488e1b5deb534f13e9a2b1c05d48eaffd1cb65dfd364a52c048a387d4256628cbf4a886cd890df3dab4888098d44aa3d8300c3560e
- memory/220-131-0x0000000000000000-mapping.dmp
- memory/1464-130-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB
- memory/2044-133-0x0000000000000000-mapping.dmp
- memory/2044-134-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/2044-136-0x0000000074E80000-0x0000000075431000-memory.dmp
  Filesize: 5.7MB