Analysis
max time kernel: 190s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 18:32

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Resource: win10v2004-20221111-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Size: 714KB
MD5: 65cf34490748f7924db84dc043f5d81e
SHA1: 1ea50942d4acf0561bd6bcb3fe0195069eb5c259
SHA256: 96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e
SHA512: 0366181fd6a174509b244521e01760116d664b15f0c61ba4dbe1d8c2b35febdcdf90836cd553361f0a972acc1ee2477d3ada30f9382dc2d895b12c3ace80c55f
SSDEEP: 12288:EMFVoh7SJnnlJgcu34IjRN1T05AtGuFr5cE8LHWK:fFV7nAFrjn+5UAvL
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.strictfacilityservices.com
Port: 587
Username: accounts@strictfacilityservices.com
Password: SFS!@#321
Email To: guc850155@gmail.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2148 set thread context of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  4336 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  4336 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  Token: SeDebugPrivilege | 4336 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 2148 wrote to memory of 4128 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | schtasks.exe
  PID 2148 wrote to memory of 4128 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | schtasks.exe
  PID 2148 wrote to memory of 4128 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | schtasks.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  PID 2148 wrote to memory of 4336 | 2148 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C03.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe (child process)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- C:\Users\Admin\AppData\Local\Temp\tmp6C03.tmp
  Filesize: 1KB
  MD5: 617a75e559c6340adb45c2cba7ab962a
  SHA1: df1b0de12f827a75d0c8b195caddf8fd02d180ba
  SHA256: ae4a654095c584bdc0ebf979db54b93e5c4055fcbbf988aebbf086e9f50403df
  SHA512: e65e98a20b43f3a1801711880c15016b4c3270659556c51db4602db40cceb73490592f623ac5c9735f2184cfc6aaff005c5172bb4448b158fe4332ddade56935
- memory/2148-132-0x0000000000900000-0x00000000009B8000-memory.dmp
  Filesize: 736KB
- memory/2148-133-0x00000000059E0000-0x0000000005F84000-memory.dmp
  Filesize: 5.6MB
- memory/2148-134-0x0000000005360000-0x00000000053F2000-memory.dmp
  Filesize: 584KB
- memory/2148-135-0x0000000005430000-0x00000000054CC000-memory.dmp
  Filesize: 624KB
- memory/2148-136-0x0000000005350000-0x000000000535A000-memory.dmp
  Filesize: 40KB
- memory/4128-137-0x0000000000000000-mapping.dmp
- memory/4336-139-0x0000000000000000-mapping.dmp
- memory/4336-140-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/4336-142-0x0000000005C10000-0x0000000005C76000-memory.dmp
  Filesize: 408KB