Overview

overview

10

Static

static

3

Purchase O...es.exe

windows7-x64

10

Purchase O...es.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    222s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order Featured Product Lines.exe

  • Size

    553KB

  • MD5

    2fe5d36f267da6b072f024fc1436eb2d

  • SHA1

    b801d35b137a16645692b86faeaa8ca39c9eda5d

  • SHA256

    91a10a6ddbdd84c582c2cd618a659bee55d9da5f6b8a4b94241069958a710951

  • SHA512

    222903258937feae6e13f8a3f5cbcda069dd4ed213c020866e85f8d7e83fd0f40642acc24ed07dc1d6e3bae7b6928216547590b57908e8050304e1df41c83e8b

  • SSDEEP

    12288:atzX+Uw6SuNKR0f8gr2qgEcXQXX6sCC/4BNdWko72R4f2HPCU:atzDSuNKR0f8gr2q7ssCCAD872RPC

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order Featured Product Lines.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order Featured Product Lines.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gVNdwqtecNzPlw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAADF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAADF.tmp
    Filesize

    1KB

    MD5

    0cf87939ed08d5ff957d15bd973ce501

    SHA1

    0ad8cf844e885e12f872925511fadb8a02c879aa

    SHA256

    29858819628e357c0893817f5e2194f5289c4e95bc251b4ac9379155ee43e239

    SHA512

    b96c1636645e4c37a6391c1d5356236bf42a6ced8aa89eb1f79a12268b369e3d49570f432b15803db62758a5b47fb94c58b1383609d8a3b46a91678a3293480b

    Download Submit

  • memory/2372-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-31-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2372-30-0x00000000006B0000-0x00000000006F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2372-29-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2372-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-17-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-32-0x00000000006B0000-0x00000000006F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2372-13-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2372-15-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2720-6-0x0000000004C30000-0x0000000004C70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2720-9-0x0000000004350000-0x0000000004392000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2720-8-0x0000000006040000-0x00000000060C2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2720-7-0x000000007EF40000-0x000000007EF50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-1-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2720-28-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2720-5-0x00000000004E0000-0x00000000004EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2720-4-0x000000007EF40000-0x000000007EF50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-3-0x0000000004C30000-0x0000000004C70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2720-2-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2720-0-0x0000000000BA0000-0x0000000000C30000-memory.dmp

    Filesize

    576KB

    Download