Analysis
- max time kernel: 111s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:58
Static task: static1
Behavioral task: behavioral1
  Sample: COSU 6270575380 PCL2004868048.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: COSU 6270575380 PCL2004868048.exe
  Resource: win10v2004-20220414-en
General
- Target: COSU 6270575380 PCL2004868048.exe
- Size: 606KB
- MD5: d1d433ad7fe5db077cb81ef0e4ec4e60
- SHA1: d94a577faa1557bef7fd9d2eecf7386ec3ea7e88
- SHA256: b4b4e82b4584a55722d213ea607a3b1131caaa039589a27e12ba4feeeaee7fb5
- SHA512: b1dbb723d3a342ef6666a9d11cca5182bc2228c146f2d6912eac3ea337bc1bb9b9ab55a11c1a95bf9a5bc834c41870d8b3fb2d5baafc99106289eb3c2a2b0c4c
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: Everest10
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (1 IoC)
  Resource: behavioral2/memory/3116-142-0x0000000000400000-0x000000000044C000-memory.dmp
  YARA rule: family_agenttesla
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Process: COSU 6270575380 PCL2004868048.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: COSU 6270575380 PCL2004868048.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Suspicious use of SetThreadContext (1 IoC)
  PID 436 (COSU 6270575380 PCL2004868048.exe) set thread context of PID 3116 (COSU 6270575380 PCL2004868048.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 436 COSU 6270575380 PCL2004868048.exe
  PID 3116 COSU 6270575380 PCL2004868048.exe
  PID 3116 COSU 6270575380 PCL2004868048.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 436 COSU 6270575380 PCL2004868048.exe
  Token: SeDebugPrivilege, PID 3116 COSU 6270575380 PCL2004868048.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3116 COSU 6270575380 PCL2004868048.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 436 (COSU 6270575380 PCL2004868048.exe) wrote to memory of PID 2620 (schtasks.exe), 3 times
  PID 436 (COSU 6270575380 PCL2004868048.exe) wrote to memory of PID 3116 (COSU 6270575380 PCL2004868048.exe), 8 times
-
outlook_office_path (1 IoC)
  Process: COSU 6270575380 PCL2004868048.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
  Process: COSU 6270575380 PCL2004868048.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UGVpSjQyl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp833A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COSU 6270575380 PCL2004868048.exe.log
  Filesize: 1KB
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
- C:\Users\Admin\AppData\Local\Temp\tmp833A.tmp
  Filesize: 1KB
  MD5: 2a2a186c916e86e454dece9f79cb2b2b
  SHA1: cc69cf3b2ca84a15e8981072121e1d40978c7e6d
  SHA256: 5df2c77fceaaf53279a1d83df3451eeb66128786cc4d08f380c8b985da259152
  SHA512: cd2cb1d5b3a5fb7deb2ef04d5e26b3726f4ba1d4329a79bead475b633273b948656186a1856f6fb8301fbe54c5d5240494f7efc612b79561487f095cde2bdad6
- memory/436-134-0x00000000051C0000-0x000000000525C000-memory.dmp
  Filesize: 624KB
- memory/436-135-0x0000000005810000-0x0000000005DB4000-memory.dmp
  Filesize: 5.6MB
- memory/436-136-0x0000000005300000-0x0000000005392000-memory.dmp
  Filesize: 584KB
- memory/436-137-0x00000000052A0000-0x00000000052AA000-memory.dmp
  Filesize: 40KB
- memory/436-138-0x0000000005550000-0x00000000055A6000-memory.dmp
  Filesize: 344KB
- memory/436-133-0x00000000008C0000-0x000000000095E000-memory.dmp
  Filesize: 632KB
- memory/2620-139-0x0000000000000000-mapping.dmp
- memory/3116-142-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/3116-141-0x0000000000000000-mapping.dmp
- memory/3116-144-0x0000000006790000-0x00000000067F6000-memory.dmp
  Filesize: 408KB
- memory/3116-145-0x0000000006E30000-0x0000000006E80000-memory.dmp
  Filesize: 320KB