Overview

overview

10

Static

static

1

1030 ITEMS.exe

windows7-x64

10

1030 ITEMS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2023 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1030 ITEMS.exe

  • Size

    717KB

  • MD5

    6ae2ae07a768233c3713f16a433451f4

  • SHA1

    fbe5e4b1e2f52654bac1a427be8ba21845a55365

  • SHA256

    59c042d992336e5ea4cc98b474e2fb1913cd02101d95f5c04cf0b98184f613cb

  • SHA512

    b168eb501f464d73f32ee96945f8d817ea5b7cf25b17af37d4fec5ab1186673084d5cbeec84db023497fa0e70333b8ba3a981a86f14a1f064e654eb187b605a6

  • SSDEEP

    12288:X7N6XIKwkmD0hSFLi1USDDS5mvZLEib5VKYYqPiB7aLJyNt3PimOMt+yx:xRkqLgtwyLEo5VKyipkJyD3PimXF

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1030 ITEMS.exe
    "C:\Users\Admin\AppData\Local\Temp\1030 ITEMS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1030 ITEMS.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HNdkrlsnJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNdkrlsnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE03.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:588
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBE03.tmp
    Filesize

    1KB

    MD5

    3b4e07a6128361d7755cdd44ebf01903

    SHA1

    81a9a028423573e31f5db0d6dcfc7e2965d212f7

    SHA256

    261b2fe4ed5812ffa98754db51291b20a68c0cc830e0c15e55edcf5ea9bf113d

    SHA512

    2da90091dd7e75ba4edc799b2f11c956a20bcdbc60b859a5e3f7b9f7c6c362a357e6c2c5015d2886a983b34e44db6e52251e66fa49bffafef57304d0476a6388

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\185V5TY7ZYV8B4MOM26R.temp
    Filesize

    7KB

    MD5

    5aba47c5b156d01637478294774a0a78

    SHA1

    70f92519ba85d5373cfc7cdb887f8c53acff56d9

    SHA256

    251021f4ae38905c12b9dc3f90596e252640c9af95bddd1d2b9b9a2503451474

    SHA512

    9cedd2cfcc551502049118982bc976926bc9eb7d9636234530436f8b6a4f1d75eb2972075f91d24154f1b0ce07738b63cd31893e8983fb01bdb02edad46145c7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    5aba47c5b156d01637478294774a0a78

    SHA1

    70f92519ba85d5373cfc7cdb887f8c53acff56d9

    SHA256

    251021f4ae38905c12b9dc3f90596e252640c9af95bddd1d2b9b9a2503451474

    SHA512

    9cedd2cfcc551502049118982bc976926bc9eb7d9636234530436f8b6a4f1d75eb2972075f91d24154f1b0ce07738b63cd31893e8983fb01bdb02edad46145c7

    Download Submit
  • memory/468-87-0x0000000002160000-0x00000000021A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/468-74-0x0000000002160000-0x00000000021A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/696-75-0x0000000000360000-0x00000000003A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1264-59-0x0000000005240000-0x00000000052B8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1264-58-0x00000000003A0000-0x00000000003AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1264-57-0x0000000004E50000-0x0000000004E90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1264-72-0x0000000004290000-0x00000000042C2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1264-73-0x0000000004E50000-0x0000000004E90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1264-56-0x0000000000390000-0x000000000039E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1264-54-0x0000000000140000-0x00000000001FA000-memory.dmp
    Filesize

    744KB

    Download
  • memory/1264-55-0x0000000004E50000-0x0000000004E90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1564-77-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-78-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-79-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1564-81-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-83-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-85-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-76-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1564-86-0x00000000006A0000-0x00000000006E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1564-105-0x00000000006A0000-0x00000000006E0000-memory.dmp
    Filesize

    256KB

    Download