Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:51
Behavioral task
behavioral1
Sample
duk (3).exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
duk (3).exe
-
Size
511KB
-
MD5
04b191c4242a98c5b14ed1de9c61ef8c
-
SHA1
4c4fafb67933eb18100acdc76128f42dc9a9525f
-
SHA256
bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175
-
SHA512
c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.hotel71.com.bd - Port:
587 - Username:
chat@hotel71.com.bd - Password:
9+^va&phP1v9
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla -
Contains SnakeBOT related strings 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp snakebot_strings -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
RegSvcs.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
duk (3).exedescription pid process target process PID 1160 set thread context of 4476 1160 duk (3).exe RegSvcs.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2896 4476 WerFault.exe RegSvcs.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 4476 RegSvcs.exe 4476 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
duk (3).exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 1160 duk (3).exe Token: SeDebugPrivilege 4476 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
duk (3).exepid process 1160 duk (3).exe 1160 duk (3).exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
duk (3).exeRegSvcs.exedescription pid process target process PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 1160 wrote to memory of 4476 1160 duk (3).exe RegSvcs.exe PID 4476 wrote to memory of 2484 4476 RegSvcs.exe REG.exe PID 4476 wrote to memory of 2484 4476 RegSvcs.exe REG.exe PID 4476 wrote to memory of 2484 4476 RegSvcs.exe REG.exe PID 4476 wrote to memory of 5068 4476 RegSvcs.exe netsh.exe PID 4476 wrote to memory of 5068 4476 RegSvcs.exe netsh.exe PID 4476 wrote to memory of 5068 4476 RegSvcs.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\duk (3).exe"C:\Users\Admin\AppData\Local\Temp\duk (3).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 15763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 44761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmpFilesize
552KB
-
memory/1160-131-0x0000000008220000-0x00000000087C4000-memory.dmpFilesize
5.6MB
-
memory/1160-132-0x0000000007D10000-0x0000000007DA2000-memory.dmpFilesize
584KB
-
memory/1160-133-0x0000000007CA0000-0x0000000007CAA000-memory.dmpFilesize
40KB
-
memory/1160-134-0x000000000B2C0000-0x000000000B35C000-memory.dmpFilesize
624KB
-
memory/2484-138-0x0000000000000000-mapping.dmp
-
memory/4476-135-0x0000000000000000-mapping.dmp
-
memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4476-137-0x00000000050F0000-0x0000000005156000-memory.dmpFilesize
408KB
-
memory/4476-139-0x0000000006060000-0x00000000060B0000-memory.dmpFilesize
320KB
-
memory/5068-140-0x0000000000000000-mapping.dmp