Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:21
Static task: static1
Behavioral task: behavioral1 (Sample DOCUMENTS.exe, Resource win7-20220414-en)
Behavioral task: behavioral2 (Sample DOCUMENTS.exe, Resource win10v2004-20220414-en)
All signature hits and memory dumps below come from behavioral1 (Windows 7 x64); no behavioral2 results are recorded on this page.
General
- Target: DOCUMENTS.exe
- Size: 606KB
- MD5: acf124579e7f180928628d6b02701dbf
- SHA1: 35e410ca0183d5a026ff6418e82bf722d76b58c2
- SHA256: 3f33e7bde9dcaafa436e0cb2e267371768115ea14de2a9860cefa74af71e9155
- SHA512: 6572acf3bd665f6eb55956d9226b0057f49c1b8244888c1d2cc0be850ed4a06436d77e482d781e963b6eaf97e5fe4000c6c80a90ad23b30656e2e34ee8df44f8
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: reports@microtechlab.in
- Password: pune@123
Collected data is exfiltrated as email through this account (SMTP submission on port 587), so outbound connections to mail.microtechlab.in:587 and mail authenticated as reports@microtechlab.in are the network indicators to hunt for. The mailbox may sit on a compromised legitimate domain rather than attacker-owned infrastructure, so treat the domain as an indicator, not as attribution.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT). In this run the payload executes inside the .NET framework utility RegSvcs.exe (PID 956) and is configured to report over SMTP with the credentials listed under Malware Config.
- AgentTesla Payload (6 IoCs)
  YARA rule family_agenttesla matched dumps of PID 956 (RegSvcs.exe):
  behavioral1/memory/956-64-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral1/memory/956-65-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral1/memory/956-66-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral1/memory/956-67-0x000000000044CF5E-mapping.dmp
  behavioral1/memory/956-69-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral1/memory/956-71-0x0000000000400000-0x0000000000452000-memory.dmp
  The five region dumps all cover the same 0x400000-0x452000 range (328KB), i.e. the image written into the hollowed RegSvcs.exe; the mapping entry at 0x44CF5E lies inside that range.
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns. YARA rule rezer0 matched a dump of the initial process, PID 1648 (DOCUMENTS.exe), not the injected payload:
  behavioral1/memory/1648-58-0x0000000004D20000-0x0000000004D78000-memory.dmp
- Disables Task Manager via registry modification
  See the REG.exe command in the process tree (DisableTaskMgr = 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System).
- Drops file in Drivers directory (1 IoC)
  RegSvcs.exe opened C:\Windows\system32\drivers\etc\hosts for modification. The report records only the open, not what was written; on an affected host, check the hosts file for added entries.
- Adds Run key to start application (2 TTPs, 1 IoC)
  RegSvcs.exe set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"
  This is a per-user Run key (HKCU), so it needs no elevation; the value points at a copy under %TEMP%\CpSnJ\, a second persistence path alongside the scheduled task.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1648 (DOCUMENTS.exe) set the thread context of PID 956 (RegSvcs.exe). Together with the WriteProcessMemory events below this is process hollowing: a legitimate signed .NET binary is started, its memory is overwritten with the payload, and its main thread is redirected to the new code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for an infostealer such as Agent Tesla, drive enumeration is host reconnaissance and collection rather than a prelude to encryption.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition written to %TEMP% (see the process tree).
- Modifies registry key (1 TTP, 1 IoC)
  The REG.exe command in the process tree (DisableTaskMgr).
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1648 DOCUMENTS.exe (5 events), PID 956 RegSvcs.exe (2 events).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege enabled by PID 1648 DOCUMENTS.exe and by PID 956 RegSvcs.exe.
- Suspicious use of WriteProcessMemory (38 IoCs)
  Source PID 1648 (DOCUMENTS.exe) wrote to:
    PID 2044 schtasks.exe: 4 events
    PID 1148 RegSvcs.exe: 7 events
    PID 564 RegSvcs.exe: 7 events
    PID 956 RegSvcs.exe: 12 events
  Source PID 956 (RegSvcs.exe) wrote to:
    PID 1492 REG.exe: 4 events
    PID 788 netsh.exe: 4 events
  The 4-event writes to schtasks.exe, REG.exe and netsh.exe are the ordinary parent-to-child writes made during process creation and are not injection by themselves. Three RegSvcs.exe instances were started; only the third (PID 956) received the full set of writes and the SetThreadContext call, so the first two (PIDs 1148 and 564) appear to be abandoned hollowing attempts.
Processes
- C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe (PID 1648, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2044, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRoztVRNUab" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp"
    - Creates scheduled task(s)
    The image resolves to SysWOW64 because the 32-bit parent is redirected by WoW64. The task definition is the 1KB XML file in %TEMP% listed under Downloads, so the trigger and action are not visible in the command line; recover them from that file.
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "{path}" ({path} is the report's placeholder for the recorded argument)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    The three RegSvcs.exe instances are PIDs 1148, 564 and 956 in the order of the WriteProcessMemory events; the signatures above attach to PID 956, the instance that was successfully hollowed.
    - C:\Windows\SysWOW64\REG.exe (PID 1492, level 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe (PID 788, level 3)
      Command line: "netsh" wlan show profile
      Lists the names of saved Wi-Fi profiles, a reconnaissance step toward harvesting stored Wi-Fi credentials.
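The process tree above is a compact chain that can be expressed as detection logic over process-creation telemetry. The block below is an added example written for this page, not code from the Triage report or from Agent Tesla. The event records are constructed by hand from the report's process tree plus two benign controls; the field names (pid, ppid, image, cmdline) are an assumed minimal schema, not any vendor's log format; and the list of .NET utilities goes beyond the report's RegSvcs.exe to other binaries commonly hollowed by the same loaders (an assumption from general tradecraft). Each rule fires on one stage (schtasks /Create from an XML in a user-writable directory, a .NET utility spawned by a binary in a user-writable directory, reg.exe setting DisableTaskMgr, netsh wlan show profile), and hits are grouped by root process so that an alert needs at least two distinct stages rather than one noisy rule.

```python
"""Detection rules for the execution chain in this report (added example).

Event schema, benign controls and the extended LOLBin list are assumptions;
the malicious events are constructed from the report's process tree.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# .NET framework utilities commonly hollowed by Agent Tesla loaders.  The report
# shows RegSvcs.exe; the others are added from general tradecraft (assumption).
DOTNET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Directories an unprivileged user can write to (input is lowercased first).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_schtasks_from_xml(ev, parent):
    """schtasks /Create driven by an XML file in a user-writable directory."""
    cl = ev.cmdline.lower()
    if basename(ev.image) == "schtasks.exe" and "/create" in cl \
            and "/xml" in cl and USER_WRITABLE.search(cl):
        return "schtasks_create_from_xml_in_user_dir"
    return None


def rule_dotnet_lolbin(ev, parent):
    """A .NET utility started by a binary living in a user-writable directory."""
    if basename(ev.image) in DOTNET_LOLBINS and parent is not None \
            and USER_WRITABLE.search(parent.image.lower()):
        return "dotnet_utility_spawned_from_user_dir"
    return None


def rule_disable_taskmgr(ev, parent):
    """reg.exe setting DisableTaskMgr=1 under Policies\\System."""
    cl = ev.cmdline.lower()
    if basename(ev.image) == "reg.exe" and "policies\\system" in cl \
            and "disabletaskmgr" in cl and re.search(r"/d\s+0*1\b", cl):
        return "disable_task_manager_via_reg"
    return None


def rule_netsh_wlan(ev, parent):
    """netsh wlan show profile: enumeration of saved Wi-Fi profiles."""
    if basename(ev.image) == "netsh.exe" \
            and re.search(r"\bwlan\s+show\s+profile", ev.cmdline, re.I):
        return "netsh_wlan_profile_enum"
    return None


RULES = (rule_schtasks_from_xml, rule_dotnet_lolbin, rule_disable_taskmgr, rule_netsh_wlan)


def detect(events):
    """Return {pid: [rule names]} for every event that fires at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        names = [n for n in (r(ev, by_pid.get(ev.ppid)) for r in RULES) if n]
        if names:
            hits[ev.pid] = names
    return hits


def root_of(pid, by_pid):
    """Walk ppid links up to the top-most ancestor present in the log."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def score_roots(events, threshold=2):
    """Roots whose process tree fired at least `threshold` distinct rules."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(set)
    for pid, names in detect(events).items():
        per_root[root_of(pid, by_pid)].update(names)
    return {r: sorted(n) for r, n in per_root.items() if len(n) >= threshold}


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report's process tree; PIDs as reported
    ProcEvent(1648, 1000, TEMP + r"\DOCUMENTS.exe", f'"{TEMP}\\DOCUMENTS.exe"'),
    ProcEvent(2044, 1648, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\YRoztVRNUab" /XML "{TEMP}\\tmpFB9E.tmp"'),
    ProcEvent(1148, 1648, REGSVCS, '"{path}"'),
    ProcEvent(564, 1648, REGSVCS, '"{path}"'),
    ProcEvent(956, 1648, REGSVCS, '"{path}"'),
    ProcEvent(1492, 956, r"C:\Windows\SysWOW64\REG.exe",
              r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(788, 956, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
    # benign controls (constructed): a task query, and RegSvcs.exe run by an installer in Program Files
    ProcEvent(3000, 2500, r"C:\Windows\System32\schtasks.exe", r'schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    ProcEvent(3050, 2500, r"C:\Program Files\Vendor\setup.exe", r'"C:\Program Files\Vendor\setup.exe" /silent'),
    ProcEvent(3100, 3050, REGSVCS, f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Vendor.Service.dll"'),
]

if __name__ == "__main__":
    print(detect(EVENTS))
    print("alert roots:", score_roots(EVENTS))
```

Run stand-alone, it prints one hit per malicious PID and a single alert root, PID 1648, carrying all four stage names; the benign schtasks query and the installer-launched RegSvcs.exe produce no hits. The parent-path check in rule_dotnet_lolbin is what separates the installer case from the hollowing case, since both launch the same signed binary.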
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp (1KB) - the scheduled-task XML passed to schtasks /XML
  MD5: 26cc4c3b3675f52de2e26682cfd65358
  SHA1: 0150d850b922703441e939468d4abacd480c17fa
  SHA256: 496a51fb80604354dea5ab190bce71c8c59ba7e61da2076363e9648c17cc2791
  SHA512: cf6ee7d043138edf27701377c539877850deae846298ec6a07e51a128bb7739beec8d82b7ce568d09b4802b1868b411bd001c824ed09527939ec76b4cef0a2b3
- PID 1648 (DOCUMENTS.exe):
  memory/1648-54-0x0000000000CC0000-0x0000000000D5E000-memory.dmp (632KB)
  memory/1648-55-0x0000000004160000-0x00000000041C2000-memory.dmp (392KB)
  memory/1648-56-0x00000000755C1000-0x00000000755C3000-memory.dmp (8KB)
  memory/1648-57-0x0000000000410000-0x0000000000418000-memory.dmp (32KB)
  memory/1648-58-0x0000000004D20000-0x0000000004D78000-memory.dmp (352KB, rezer0 YARA match)
- PID 2044 (schtasks.exe):
  memory/2044-59-0x0000000000000000-mapping.dmp
- PID 956 (RegSvcs.exe, hollowed; all region dumps are the same 0x400000-0x452000 range flagged family_agenttesla):
  memory/956-61-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-62-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-64-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-65-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-66-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-67-0x000000000044CF5E-mapping.dmp
  memory/956-69-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/956-71-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- PID 1492 (REG.exe):
  memory/1492-73-0x0000000000000000-mapping.dmp
- PID 788 (netsh.exe):
  memory/788-74-0x0000000000000000-mapping.dmp