Analysis
max time kernel: 120s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2023 17:13
Static task: static1
Behavioral task: behavioral1
  Sample: united scientific equipent.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: united scientific equipent.exe
  Resource: win10v2004-20221111-en
General
Target: united scientific equipent.exe
Size: 710KB
MD5: 71536be72d8cc9dc156f1ff70b7f69a5
SHA1: ff0bb0d7e4dfa01c187c80d2e42d85feb22d98b9
SHA256: 9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415
SHA512: 9a98d57116a638e4ec0df224c243a074de233bf1859ea6a5efbf0d4d36ef470a9421d535e2d35371c1191d72f09aa0352ba9d147dae62ef6e4fc5c0650df07c9
SSDEEP: 12288:v1XZi970Oz6hGy69oswvYeMW5+uCwpla6Mqbjvkgb3I9S0dbp5Ne:dXZ7DnY/WcuCd1qbjvkWI9S0Fp5Ne
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cybernetics.co.za
Port: 587
Username: [email protected]
Password: P@ssw0rd
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral2/memory/2272-141-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | united scientific equipent.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 4896 set thread context of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  2272 | united scientific equipent.exe
  2272 | united scientific equipent.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2272 | united scientific equipent.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 4896 wrote to memory of 1632 | 4896 | united scientific equipent.exe | schtasks.exe
  PID 4896 wrote to memory of 1632 | 4896 | united scientific equipent.exe | schtasks.exe
  PID 4896 wrote to memory of 1632 | 4896 | united scientific equipent.exe | schtasks.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
  PID 4896 wrote to memory of 2272 | 4896 | united scientific equipent.exe | united scientific equipent.exe
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
  PID: 4896
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyganvy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC92C.tmp"
    PID: 1632
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
    PID: 2272
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 17573558c4e714f606f997e5157afaac
SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Filesize: 1KB
MD5: 0897b8b7a2141f802db8d7d9c858a08c
SHA1: fde240d4df87a39d81afeafd9137fa18ba42b251
SHA256: 1aa2aa33f30cb074adf0dce91e7e1b39202398913d5edb1e79c9d52ab08ce94e
SHA512: 4529ca94bf2e3fd016799f8def7c05ec901c462d0ee83d85c5fb1e4af7957726686d9683aab7421d940174fd78655bfb4caa22044e1dda2c15ea58e2d7133945