Analysis
- max time kernel: 124s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  Resource: win10v2004-20220414-en
General
- Target: NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
- Size: 742KB
- MD5: 8f46d47630806c7944cc8a2373ccd9de
- SHA1: 6385b26eff6fd475a95cd119b415f416ade8dedf
- SHA256: dcab070fdf70c605bc000cc75848e8a70892b921a72079dfa7f1783ccf179f5c
- SHA512: eb1366f75e4baa5765fae28f6313c883eaa495e2d62bb1bed16a559489642b72e9d826a0eca069154a5b91cbb23a423677b395d7ff02ad884b6dab3c5e4c71f6
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: denis@cerasantrading.store
- Password: bP7WXQMxhY
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource -> yara_rule):
  behavioral1/memory/1820-64-0x0000000000400000-0x000000000044A000-memory.dmp -> family_agenttesla
  behavioral1/memory/1820-65-0x0000000000400000-0x000000000044A000-memory.dmp -> family_agenttesla
  behavioral1/memory/1820-66-0x0000000000400000-0x000000000044A000-memory.dmp -> family_agenttesla
  behavioral1/memory/1820-67-0x00000000004455BE-mapping.dmp -> family_agenttesla
  behavioral1/memory/1820-69-0x0000000000400000-0x000000000044A000-memory.dmp -> family_agenttesla
  behavioral1/memory/1820-71-0x0000000000400000-0x000000000044A000-memory.dmp -> family_agenttesla
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid process | target process):
  PID 2016 set thread context of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid process):
  2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  1820 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  1820 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid process):
  Token: SeDebugPrivilege | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  Token: SeDebugPrivilege | 1820 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid process | target process):
  PID 2016 wrote to memory of 1256 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | schtasks.exe
  PID 2016 wrote to memory of 1256 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | schtasks.exe
  PID 2016 wrote to memory of 1256 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | schtasks.exe
  PID 2016 wrote to memory of 1256 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | schtasks.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
  PID 2016 wrote to memory of 1820 | 2016 NEW PO #82001G Codice cliente 01734981 #ID8399905.exe | NEW PO #82001G Codice cliente 01734981 #ID8399905.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEW PO #82001G Codice cliente 01734981 #ID8399905.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO #82001G Codice cliente 01734981 #ID8399905.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA43C.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\NEW PO #82001G Codice cliente 01734981 #ID8399905.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO #82001G Codice cliente 01734981 #ID8399905.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA43C.tmp
  Filesize: 1KB
  MD5: 3759e56b26e6b89713a08705b0d335d1
  SHA1: 13ceb68a0f93ee56212d005fe902e91659773a30
  SHA256: 1f4aaca66dc76887838a6da74d7b76444ff33e04a2e6b58e0e8f0a4418fbeba6
  SHA512: bc1f36ad438137857a9b2ba9c825626da89fa54b440f81e234abae187d0ba71af22114e81b53381c789328331362c3ccda4e0332518fca3b4889f2e361d7070f
- memory/1256-59-0x0000000000000000-mapping.dmp
- memory/1820-64-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-61-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-62-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-65-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-66-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-67-0x00000000004455BE-mapping.dmp
- memory/1820-69-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1820-71-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/2016-57-0x0000000004730000-0x0000000004794000-memory.dmp (Filesize: 400KB)
- memory/2016-58-0x00000000070C0000-0x000000000710C000-memory.dmp (Filesize: 304KB)
- memory/2016-56-0x00000000003C0000-0x00000000003CA000-memory.dmp (Filesize: 40KB)
- memory/2016-55-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/2016-54-0x0000000001270000-0x0000000001330000-memory.dmp (Filesize: 768KB)