Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
05/08/2023, 21:21
General
-
Target
New Order PO 208472747_IT.exe
-
Size
1.3MB
-
MD5
c447c561925b77d52242def762ee394b
-
SHA1
ed080f397aacf655e9beb0583646f019e069f91d
-
SHA256
2bd44c7eb0536845a0fa4ec54eaf49c47120c154d5d29ff167c312adc94a60b2
-
SHA512
fe2755a2157f2987231de96b4120f38af8849db21a9bf67fef253be63acfba29a39fae68ddb6a23781018d62cd89ac177dffc6faf7164499e64992571a07b575
-
SSDEEP
24576:45TTngb0u1iILnraOqHz9Yen5f6CDruxp6/:+g+I3+pZ5SCDrCp6/
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
rwziqmgfaoeffcdm - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order PO 208472747_IT.exe"C:\Users\Admin\AppData\Local\Temp\New Order PO 208472747_IT.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB886.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD52c80778fd37cdbf8405a25957b6ef455
SHA117b3b2e30857d9c891eac65d9e3d0d8c249b7f74
SHA2566e05d20e31faa6dac39cab4c3d960f541a7ddfa7dd55d6996985e9ec1855a1fd
SHA5126d9a649c813eb15dc419b25d1d6560a3ae1697931e235098ee4512626d7525c3c32bda57bba50d7c197e56f790e6b761194f319a17ccb9636c64475a86ddcf55
-
Filesize
151B
MD52c80778fd37cdbf8405a25957b6ef455
SHA117b3b2e30857d9c891eac65d9e3d0d8c249b7f74
SHA2566e05d20e31faa6dac39cab4c3d960f541a7ddfa7dd55d6996985e9ec1855a1fd
SHA5126d9a649c813eb15dc419b25d1d6560a3ae1697931e235098ee4512626d7525c3c32bda57bba50d7c197e56f790e6b761194f319a17ccb9636c64475a86ddcf55
-
Filesize
1.3MB
MD5c447c561925b77d52242def762ee394b
SHA1ed080f397aacf655e9beb0583646f019e069f91d
SHA2562bd44c7eb0536845a0fa4ec54eaf49c47120c154d5d29ff167c312adc94a60b2
SHA512fe2755a2157f2987231de96b4120f38af8849db21a9bf67fef253be63acfba29a39fae68ddb6a23781018d62cd89ac177dffc6faf7164499e64992571a07b575
-
Filesize
1.3MB
MD5c447c561925b77d52242def762ee394b
SHA1ed080f397aacf655e9beb0583646f019e069f91d
SHA2562bd44c7eb0536845a0fa4ec54eaf49c47120c154d5d29ff167c312adc94a60b2
SHA512fe2755a2157f2987231de96b4120f38af8849db21a9bf67fef253be63acfba29a39fae68ddb6a23781018d62cd89ac177dffc6faf7164499e64992571a07b575
-
Filesize
1.3MB
MD5c447c561925b77d52242def762ee394b
SHA1ed080f397aacf655e9beb0583646f019e069f91d
SHA2562bd44c7eb0536845a0fa4ec54eaf49c47120c154d5d29ff167c312adc94a60b2
SHA512fe2755a2157f2987231de96b4120f38af8849db21a9bf67fef253be63acfba29a39fae68ddb6a23781018d62cd89ac177dffc6faf7164499e64992571a07b575
-
Filesize
9.9MB
-
Filesize
1.4MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
1.4MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
448KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB