Analysis
- max time kernel: 87s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: स्थानांतरण प्रति 06-19-2020.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: स्थानांतरण प्रति 06-19-2020.exe
  Resource: win10v2004-20220414-en
General
- Target: स्थानांतरण प्रति 06-19-2020.exe
- Size: 494KB
- MD5: d6f540ae573384978c6cfaaacfe100e9
- SHA1: 0c260021351ec47e2f7e0fd6e698fc592778f36b
- SHA256: 7776acf04971eb31d1ceca8e09d1b7579a39a7dbcef5759f051e9f3b49daaa72
- SHA512: 75ee1fe50354dfa639a9fd98c646557ddf1415ed2882139f7c0ee7a6f2297da7d1f87124c0ad42b719e989c16093a6638b6b2f933f262e7d118bd8d302cc2218
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tde.ro
- Port: 21
- Username: pascal@tde.ro
- Password: playboy123
Extracted
- Family: agenttesla
- Protocol: ftp
- Host: ftp://ftp.tde.ro/
- Port: 21
- Username: pascal@tde.ro
- Password: playboy123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/3540-137-0x0000000000400000-0x0000000000452000-memory.dmp
    yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: स्थानांतरण प्रति 06-19-2020.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 1564 set thread context of 3540
    process: स्थानांतरण प्रति 06-19-2020.exe (pid 1564)
    target process: स्थानांतरण प्रति 06-19-2020.exe (pid 3540)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 3540, process स्थानांतरण प्रति 06-19-2020.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    process: स्थानांतरण प्रति 06-19-2020.exe (pid 3540)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    PID 1564 (स्थानांतरण प्रति 06-19-2020.exe) wrote to memory of 2040 (schtasks.exe), 3 entries
    PID 1564 (स्थानांतरण प्रति 06-19-2020.exe) wrote to memory of 3540 (स्थानांतरण प्रति 06-19-2020.exe), 8 entries
    PID 3540 (स्थानांतरण प्रति 06-19-2020.exe) wrote to memory of 368 (netsh.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsJSFKjD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp127E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp127E.tmp
  Filesize: 1KB
  MD5: 06d289405865e3bd667e7491bab75016
  SHA1: fe2df3658d7339f37d4559a28f0244ff2c274b57
  SHA256: c1ca669279b86c080cb65c6d454d6740413b6fe99fa6b06f0dcff94c5dc41176
  SHA512: ceffc41788e0c82d0ad93f960dd0a38eca1a72fb62ef10c296d093be8157e584b67df108be176948c8e91483c31b28454a18e8d194820348c2c61849c7da70d2
- memory/368-140-0x0000000000000000-mapping.dmp
- memory/1564-130-0x00000000007E0000-0x0000000000862000-memory.dmp
  Filesize: 520KB
- memory/1564-131-0x00000000051A0000-0x0000000005232000-memory.dmp
  Filesize: 584KB
- memory/1564-132-0x00000000052F0000-0x000000000538C000-memory.dmp
  Filesize: 624KB
- memory/1564-133-0x0000000006130000-0x00000000066D4000-memory.dmp
  Filesize: 5.6MB
- memory/2040-134-0x0000000000000000-mapping.dmp
- memory/3540-137-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/3540-136-0x0000000000000000-mapping.dmp
- memory/3540-138-0x0000000005990000-0x00000000059F6000-memory.dmp
  Filesize: 408KB
- memory/3540-139-0x00000000065C0000-0x0000000006610000-memory.dmp
  Filesize: 320KB
- memory/3540-141-0x0000000006C90000-0x0000000006C9A000-memory.dmp
  Filesize: 40KB