Analysis
-
max time kernel
123s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
03/11/2023, 08:49
General
-
Target
HFQ098654567808.exe
-
Size
560KB
-
MD5
35b36d0ea52a8a62c6f029b3f0bf0935
-
SHA1
7c277fef0d5d26676662943368cdf4de5758d439
-
SHA256
da75778d7ebfe9d20f3f4e0d39691afbbf0aab526d509dae99010c92381c042a
-
SHA512
6be6ad9580ada3faa5c7f32f29e60338fc0696567223aba05f862881022ce23bcd22a6d4debe543dead6be7bd590fcd73a692aa3719ef2c99cfbcde7991eb6da
-
SSDEEP
12288:koWA468sXQx8+92WM+RtCurnVf99v8haK4+:z3useZ9RtVrV918T
Malware Config
Extracted
Protocol: smtp- Host:
mail.daipro.com.mx - Port:
587 - Username:
[email protected] - Password:
Daipro123*%
Extracted
agenttesla
Protocol: smtp- Host:
mail.daipro.com.mx - Port:
587 - Username:
[email protected] - Password:
Daipro123*% - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HFQ098654567808.exe"C:\Users\Admin\AppData\Local\Temp\HFQ098654567808.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HFQ098654567808.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
368KB
-
Filesize
104KB
-
Filesize
576KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
264KB
-
Filesize
256KB
-
Filesize
6.9MB