Overview

overview

10

Static

static

PO_SHZ41.EXE

windows7_x64

10

PO_SHZ41.EXE

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_SHZ41.EXE

  • Size

    72KB

  • MD5

    410cce7e5da174865ae1c5d65458d92c

  • SHA1

    0ea38171202123c4f0115cb5cefc578bc0b664a3

  • SHA256

    8dc1640499a6b1cac921adb0e5899e2fe02f4902b2f6acfa5d4f7c2f277e54cc

  • SHA512

    f7eca94b7ec65a7e932d0faeb37703c716b5856f71a696378c01e44ea3c4749b10892e877f4efc75797319648fbe77ad143cf53ba01f4324eb76e4be32128a20

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    xxxlahot2

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 1 IoCs
  • Nirsoft 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE
    "C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE"
    1⤵
    • Loads dropped DLL
    • Windows security modification
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾈⾊⽘⽴⾊⽚⽞⽖⾋⽛⽟⽙⽾⽛⾊\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:544
    • C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe" /SpecialRun 4101d8 792
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_SHZ41.EXE" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

3
T1089

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    1090217f0c02701cd9fe450aa3a1cd0d

    SHA1

    f20e0fe4b872a71d6babd19b61a0a243ca9f33ea

    SHA256

    2c20e4f1148b06d293cd57dc7c942c1c97de27fbe587f864e0cdb2ea751083d9

    SHA512

    149a1d9f89e64a075f9067c852cd6905bb84695a9c46537639752dbd438802bb67b610ae992a2daab939c4844652440d2a71d44102950ac1a52738f72b013cde

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    1090217f0c02701cd9fe450aa3a1cd0d

    SHA1

    f20e0fe4b872a71d6babd19b61a0a243ca9f33ea

    SHA256

    2c20e4f1148b06d293cd57dc7c942c1c97de27fbe587f864e0cdb2ea751083d9

    SHA512

    149a1d9f89e64a075f9067c852cd6905bb84695a9c46537639752dbd438802bb67b610ae992a2daab939c4844652440d2a71d44102950ac1a52738f72b013cde

    Download Submit
  • \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\02660b18-5a1a-48b7-98d1-6c75553ccbb0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • memory/544-80-0x0000000002442000-0x0000000002444000-memory.dmp
    Filesize

    8KB

    Download
  • memory/544-74-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-78-0x0000000002441000-0x0000000002442000-memory.dmp
    Filesize

    4KB

    Download
  • memory/544-62-0x0000000000000000-mapping.dmp
    Download
  • memory/572-79-0x0000000002410000-0x000000000305A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/572-60-0x0000000000000000-mapping.dmp
    Download
  • memory/572-83-0x0000000002410000-0x000000000305A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/572-82-0x0000000002410000-0x000000000305A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/792-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-84-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-75-0x00000000022C0000-0x00000000022C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1376-77-0x00000000022C1000-0x00000000022C2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1376-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-81-0x00000000022C2000-0x00000000022C4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1740-59-0x0000000000270000-0x00000000002F2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1740-53-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1740-56-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1740-57-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1740-55-0x00000000765A1000-0x00000000765A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1740-88-0x0000000004400000-0x0000000004436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1944-87-0x0000000000000000-mapping.dmp
    Download
  • memory/1944-92-0x0000000002431000-0x0000000002432000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1944-91-0x0000000002430000-0x0000000002431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1944-93-0x0000000002432000-0x0000000002434000-memory.dmp
    Filesize

    8KB

    Download