Analysis
- max time kernel: 20s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2023, 13:23

Static task: static1

Behavioral task: behavioral1
- Sample: 6hDkZtFd2S.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 6hDkZtFd2S.exe
- Resource: win10v2004-20230220-en
General
- Target: 6hDkZtFd2S.exe
- Size: 1.1MB
- MD5: 21377e758f4ee739965642b393f13fe8
- SHA1: edbfaed7cac6642cce909d18f8ee07aec722d874
- SHA256: 1068cb29f89d81ad0348c72c63a90588f35b9a520e57764daeed44dc22192c1a
- SHA512: 39f55734563fdbae2600f53bf07a68c450e76668517b25332d4f7672fc7e0409514cba19fe9fa2f01a140fb8973a95467b64e5e4b3d05400efdc8bf64a363d67
- SSDEEP: 12288:3bq7bcal64fG2Ms7cfl9/C8JAP2f3wBt6UQEM7ef7OB8GFX0w2WbmjoaTRgkSlTF:+fKWM82faZ4gJSGCiNOyjgT7PVf
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.kumbarasigorta.com
- Port: 587
- Username: [email protected]
- Password: 123@Kumbarasigorta
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"
  Process: svchost.exe
- Executes dropped EXE (1 IoC)
  PID 1952: svchost.exe
- Loads dropped DLL (1 IoC)
  PID 472: cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
  Process: 6hDkZtFd2S.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1952 (svchost.exe) set thread context of PID 644 (procid_target 36)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  PID 1584 (WerFault.exe), pid_target 644 (procid_target 36)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1452: schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  PID 268: timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2012: 6hDkZtFd2S.exe
  PID 1952: svchost.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  PID 1952: svchost.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege: PID 2012, 6hDkZtFd2S.exe
  Token SeDebugPrivilege: PID 1952, svchost.exe
  Token SeDebugPrivilege: PID 1952, svchost.exe
  Token SeLoadDriverPrivilege: PID 1952, svchost.exe
- Suspicious use of WriteProcessMemory (34 IoCs; identical events grouped with their count)
  PID 2012 (6hDkZtFd2S.exe) wrote to memory of PID 1076, procid_target 28: 3 events
  PID 2012 (6hDkZtFd2S.exe) wrote to memory of PID 472, procid_target 29: 3 events
  PID 472 (cmd.exe) wrote to memory of PID 268, procid_target 32: 3 events
  PID 1076 (cmd.exe) wrote to memory of PID 1452, procid_target 33: 3 events
  PID 472 (cmd.exe) wrote to memory of PID 1952, procid_target 34: 3 events
  PID 1952 (svchost.exe) wrote to memory of PID 1436, procid_target 35: 3 events
  PID 1952 (svchost.exe) wrote to memory of PID 644, procid_target 36: 12 events
  PID 644 (SetupUtility.exe) wrote to memory of PID 1584, procid_target 37: 4 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\6hDkZtFd2S.exe (PID 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6hDkZtFd2S.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1076)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1452)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 472)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5081.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 268)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1952)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe (PID 1436)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe (PID 644)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe (PID 1584)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 168
          - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 151B
  MD5: 501f14866b11190425b6dcc25e62153a
  SHA1: 1d6544aeb504456fad86bbb955bb5f79261885c4
  SHA256: 0f8a71584bd523131cbea06c85b8284c6c5bd936c852d2d22b9940152cdcd1d1
  SHA512: 3530a2cec192115c4f5cc26308d086604c14da19515680c56e11b7201aeacf49d25582f81f73a9d65163f93c3ec825d85d4d3408dba8821b6ba5f3c7548aa917