Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:21

Static task: static1

Behavioral task: behavioral1
- Sample: DOCUMENTS.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: DOCUMENTS.exe
- Resource: win10v2004-20220414-en
General
- Target: DOCUMENTS.exe
- Size: 606KB
- MD5: acf124579e7f180928628d6b02701dbf
- SHA1: 35e410ca0183d5a026ff6418e82bf722d76b58c2
- SHA256: 3f33e7bde9dcaafa436e0cb2e267371768115ea14de2a9860cefa74af71e9155
- SHA512: 6572acf3bd665f6eb55956d9226b0057f49c1b8244888c1d2cc0be850ed4a06436d77e482d781e963b6eaf97e5fe4000c6c80a90ad23b30656e2e34ee8df44f8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: reports@microtechlab.in
- Password: pune@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/4264-139-0x0000000000400000-0x0000000000452000-memory.dmp
    yara_rule: family_agenttesla
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoC)
  Processes:
  - description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: DOCUMENTS.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"
    process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 1684 set thread context of 4264
    process: DOCUMENTS.exe (PID 1684)
    target process: RegSvcs.exe (PID 4264)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  - pid 1684, process DOCUMENTS.exe (6 entries)
  - pid 4264, process RegSvcs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege
    process: DOCUMENTS.exe (PID 1684)
  - description: Token: SeDebugPrivilege
    process: RegSvcs.exe (PID 4264)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 1684 (DOCUMENTS.exe) wrote to memory of 4764 (schtasks.exe), 3 entries
  - PID 1684 (DOCUMENTS.exe) wrote to memory of 4304 (RegSvcs.exe), 3 entries
  - PID 1684 (DOCUMENTS.exe) wrote to memory of 4264 (RegSvcs.exe), 8 entries
  - PID 4264 (RegSvcs.exe) wrote to memory of 840 (REG.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOCUMENTS.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRoztVRNUab" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp
  Filesize: 1KB
  MD5: 2263bcf4fbb615b47ed9f0548bd4ef7f
  SHA1: 7321cce0f453bcd08babaa4f6a90be4489eb5134
  SHA256: 168deed9f5504c53f9a7eade34a70275910cd72a9a52756212f92dce416b45d3
  SHA512: 71cd6fc68e4056ea1612cc2f54ea3c92a266a5365c7801535607a6e1dbe73c9cfedc6b0af50b2d119d4f0311debe9662720ea4315579e3190a9af2e71cfee5f8
- memory/840-141-0x0000000000000000-mapping.dmp
- memory/1684-130-0x00000000007D0000-0x000000000086E000-memory.dmp
  Filesize: 632KB
- memory/1684-131-0x0000000005860000-0x0000000005E04000-memory.dmp
  Filesize: 5.6MB
- memory/1684-132-0x0000000005450000-0x00000000054E2000-memory.dmp
  Filesize: 584KB
- memory/1684-133-0x00000000056F0000-0x00000000056FA000-memory.dmp
  Filesize: 40KB
- memory/1684-134-0x00000000090F0000-0x000000000918C000-memory.dmp
  Filesize: 624KB
- memory/4264-138-0x0000000000000000-mapping.dmp
- memory/4264-139-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/4264-140-0x0000000005A80000-0x0000000005AE6000-memory.dmp
  Filesize: 408KB
- memory/4304-137-0x0000000000000000-mapping.dmp
- memory/4764-135-0x0000000000000000-mapping.dmp