Analysis
- max time kernel: 29s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-04-2023 05:55
Static task: static1
Behavioral task: behavioral1 (Sample: Bank Copy.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: Bank Copy.exe; Resource: win10v2004-20230221-en)
General
- Target: Bank Copy.exe
- Size: 455KB
- MD5: 2d1b7ae625fc27c4a7dd90333be85783
- SHA1: bd3a4984c6f9c8d692bed48ca504057fc06e1f31
- SHA256: 89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029
- SHA512: e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6
- SSDEEP: 12288:OuVozphT+QcwZgDRVsq5Luy3izuxwbuEoTrT9Fo:OuVoFhT+TwZRYLueizu33RFo
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.thecanagulf.com
- Port: 587
- Username: [email protected]
- Password: darwesh@CanaGulf
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

UAC bypass
Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
Processes: Bank Copy.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Bank Copy.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | svchost.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
Processes: Bank Copy.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | Bank Copy.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | svchost.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Bank Copy.exe, svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bank Copy.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bank Copy.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe

Executes dropped EXE (1 IoC)
Processes: svchost.exe
  pid | process
  1368 | svchost.exe

Loads dropped DLL (2 IoCs)
Processes: cmd.exe
  pid | process
  1116 | cmd.exe
  1116 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Bank Copy.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | Bank Copy.exe

Checks whether UAC is enabled
Processes: svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Bank Copy.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Bank Copy.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Bank Copy.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: svchost.exe
  description | pid | process | target process
  PID 1368 set thread context of 1400 | 1368 | svchost.exe | Setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  1632 | 1400 | WerFault.exe | Setup.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
  pid | process
  1316 | timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Bank Copy.exe, powershell.exe
  pid | process
  1060 | Bank Copy.exe
  1944 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Bank Copy.exe, svchost.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1060 | Bank Copy.exe
  Token: SeDebugPrivilege | 1368 | svchost.exe
  Token: SeDebugPrivilege | 1944 | powershell.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes: Bank Copy.exe, cmd.exe, cmd.exe, svchost.exe, Setup.exe
(Identical rows are collapsed; the count column gives how many times each row appears in the 34 IoCs.)
  description | pid | process | target process | count
  PID 1060 wrote to memory of 776 | 1060 | Bank Copy.exe | cmd.exe | 3
  PID 1060 wrote to memory of 1116 | 1060 | Bank Copy.exe | cmd.exe | 3
  PID 776 wrote to memory of 760 | 776 | cmd.exe | schtasks.exe | 3
  PID 1116 wrote to memory of 1316 | 1116 | cmd.exe | timeout.exe | 3
  PID 1116 wrote to memory of 1368 | 1116 | cmd.exe | svchost.exe | 3
  PID 1368 wrote to memory of 1944 | 1368 | svchost.exe | powershell.exe | 3
  PID 1368 wrote to memory of 1400 | 1368 | svchost.exe | Setup.exe | 12
  PID 1400 wrote to memory of 1632 | 1400 | Setup.exe | WerFault.exe | 4

System policy modification (1 TTP, 1 IoC)
Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows the parent/child relationship; each entry gives the image path, the command line, the PID and the signatures raised by that process.)

C:\Users\Admin\AppData\Local\Temp\Bank Copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank Copy.exe"
  PID: 1060
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    PID: 776
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      PID: 760
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D42.tmp.bat""
    PID: 1116
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 1316
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 1368
      - UAC bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        PID: 1944
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
        PID: 1400
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 304
          PID: 1632
          - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1D42.tmp.bat
  Filesize: 151B
  MD5: bc62d5106ac3bce6e7dfaf49fc02a8c0
  SHA1: e777bb4b904ffe7892f9cd98c31652b5cba6e702
  SHA256: 7dff43305cb3ae9478bb41e71a8c491cba712c95a78ec581ba0d5cc52a85852b
  SHA512: 249368ca124bd0ee9e2f8ce31ac3af4c257af0927f85f28d14c4a9cecdd9f2489706e6b7c07a605068a5e761df49bc397e3308f0ba3c1c77a30a93a88469a383
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 455KB
  MD5: 2d1b7ae625fc27c4a7dd90333be85783
  SHA1: bd3a4984c6f9c8d692bed48ca504057fc06e1f31
  SHA256: 89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029
  SHA512: e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 455KB
  MD5: 2d1b7ae625fc27c4a7dd90333be85783
  SHA1: bd3a4984c6f9c8d692bed48ca504057fc06e1f31
  SHA256: 89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029
  SHA512: e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

Memory dumps
- memory/1060-56-0x0000000000590000-0x00000000005FE000-memory.dmp (Filesize: 440KB)
- memory/1060-55-0x000000001A830000-0x000000001A8B0000-memory.dmp (Filesize: 512KB)
- memory/1060-54-0x0000000000C70000-0x0000000000CE6000-memory.dmp (Filesize: 472KB)
- memory/1368-71-0x000000001A980000-0x000000001AA00000-memory.dmp (Filesize: 512KB)
- memory/1368-70-0x00000000009C0000-0x0000000000A36000-memory.dmp (Filesize: 472KB)
- memory/1400-80-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1944-77-0x000000001B390000-0x000000001B672000-memory.dmp (Filesize: 2.9MB)
- memory/1944-76-0x0000000002A50000-0x0000000002AD0000-memory.dmp (Filesize: 512KB)
- memory/1944-79-0x0000000002A50000-0x0000000002AD0000-memory.dmp (Filesize: 512KB)
- memory/1944-78-0x0000000002310000-0x0000000002318000-memory.dmp (Filesize: 32KB)
- memory/1944-81-0x0000000002A54000-0x0000000002A57000-memory.dmp (Filesize: 12KB)
- memory/1944-82-0x0000000002A5B000-0x0000000002A92000-memory.dmp (Filesize: 220KB)