Analysis
Max time kernel: 117s
Max time network: 47s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: INDUS INTL- RFQ(inquiry _list)pht.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: INDUS INTL- RFQ(inquiry _list)pht.exe
  Resource: win10v2004-20220414-en
General
Target: INDUS INTL- RFQ(inquiry _list)pht.exe
Size: 682KB
MD5: 9ad03cd97e4d83bf3bd9f1a2407a4242
SHA1: 8f1ced189e835e117388cac76fc68b4810b22a94
SHA256: b2ac207f4af2ee08fd955e71ccfb0c95b07098f0dc88eb2fbe48fb9e1f52c022
SHA512: 197ef4db7b2b205fb54bfff024466fa0e90e25ba8db0d59e0532088bb11950a75331c1c8bae212528a819e6315055df16aa60a972abc9fd20833bafe530e67f8
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: sWalzdY4
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (6 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1872-63-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1872-62-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1872-64-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1872-65-0x0000000000447B5E-mapping.dmp                    family_agenttesla
  behavioral1/memory/1872-67-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1872-69-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource                                                                   yara_rule
  behavioral1/memory/908-56-0x0000000000C20000-0x0000000000C74000-memory.dmp  rezer0

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process                                target process
  PID 908 set thread context of 1872  908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  908   INDUS INTL- RFQ(inquiry _list)pht.exe
  908   INDUS INTL- RFQ(inquiry _list)pht.exe
  908   INDUS INTL- RFQ(inquiry _list)pht.exe
  1872  INDUS INTL- RFQ(inquiry _list)pht.exe
  1872  INDUS INTL- RFQ(inquiry _list)pht.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  908   INDUS INTL- RFQ(inquiry _list)pht.exe
  Token: SeDebugPrivilege  1872  INDUS INTL- RFQ(inquiry _list)pht.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                       pid  process                                target process
  PID 908 wrote to memory of 2036   908  INDUS INTL- RFQ(inquiry _list)pht.exe  schtasks.exe
  PID 908 wrote to memory of 2036   908  INDUS INTL- RFQ(inquiry _list)pht.exe  schtasks.exe
  PID 908 wrote to memory of 2036   908  INDUS INTL- RFQ(inquiry _list)pht.exe  schtasks.exe
  PID 908 wrote to memory of 2036   908  INDUS INTL- RFQ(inquiry _list)pht.exe  schtasks.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
  PID 908 wrote to memory of 1872   908  INDUS INTL- RFQ(inquiry _list)pht.exe  INDUS INTL- RFQ(inquiry _list)pht.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe"
   PID: 908
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QlCnxlaozyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5B2.tmp"
      PID: 2036
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe
      Command line: "{path}"
      PID: 1872
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpA5B2.tmp
  Filesize: 1KB
  MD5: 872d18905d2f6a6b9f52e122e82b5217
  SHA1: 9dbabf7de43acb4851c2016cd772f70376ea51ea
  SHA256: 1e82320e094053dbd0b8acab831b9f1f600154b0f3749ee931150b33c2ae2336
  SHA512: c7f324963d6b80f61efd5c6ff0aa6ab9b050b4415a2e4aea7a2baafbc96206087bef5dcd19a2e27e1e7cd6fed0f589ffb1ffeac94cbbc8748807da774fbb5bfc

Memory dumps
  resource                                                        filesize
  memory/908-55-0x00000000001F0000-0x0000000000204000-memory.dmp   80KB
  memory/908-56-0x0000000000C20000-0x0000000000C74000-memory.dmp   336KB
  memory/908-54-0x0000000001260000-0x0000000001310000-memory.dmp   704KB
  memory/1872-64-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-59-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-60-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-63-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-62-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-65-0x0000000000447B5E-mapping.dmp                    -
  memory/1872-67-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-69-0x0000000000400000-0x000000000044C000-memory.dmp  304KB
  memory/1872-70-0x0000000076C81000-0x0000000076C83000-memory.dmp  8KB
  memory/2036-57-0x0000000000000000-mapping.dmp                    -