Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 17/11/2023, 12:49
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Resource: win10v2004-20231023-en
General
- Target: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Size: 914KB
- MD5: 1ff0f2d8838bab1d052908709ae4d37b
- SHA1: 9499f91fdfe212325d190509d357a44d6e2b26fd
- SHA256: 6cb36f0f7e413667ee3a0fbc42e6c95e08853e1025f8382270e63e91dad0a0fb
- SHA512: 513ef448e336b73c7a189d457a8cc32d527c4b668bf2ecbfb460033cdee8ad4f3d6199f729e1e50007e7f1ea9ac2247d9ab5693b8335a2df71ea18d181da5f97
- SSDEEP: 24576:D1qiuGPkRxjps8E+1vQixH9sI5HUW3CM:D1qiuGPOjps1ivsi0W
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mgsales.net
- Port: 587
- Username: [email protected]
- Password: .L&tA{$_f4+t
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                                          procid_target
PID 2960 set thread context of 1492  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  35
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2724  schtasks.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs; consecutive identical entries collapsed with a count)
pid   Process                                          count
2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  9
2748  powershell.exe                                   1
2168  powershell.exe                                   1
2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  1
1492  RegSvcs.exe                                      2
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
Token: SeDebugPrivilege  2748  powershell.exe
Token: SeDebugPrivilege  2168  powershell.exe
Token: SeDebugPrivilege  1492  RegSvcs.exe
Suspicious use of WriteProcessMemory (24 IoCs; identical entries collapsed with a count)
description                       pid   Process                                          procid_target  count
PID 2960 wrote to memory of 2748  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  29             4
PID 2960 wrote to memory of 2168  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  31             4
PID 2960 wrote to memory of 2724  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  32             4
PID 2960 wrote to memory of 1492  2960  SecuriteInfo.com.Trojan.Inject4.59820.32080.exe  35             12
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe"
PID: 2960
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe"
  PID: 2748
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCwKisdGFGmp.exe"
  PID: 2168
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCwKisdGFGmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp"
  PID: 2724
  - Creates scheduled task(s)

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  PID: 1492
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 7d910efc2d8fd60e0a2ea52734409d49
  SHA1: 03158bc1b112b970bd65515a19bc2ae419f0f1c4
  SHA256: 850b128fb088c5dc02fcfc126d3cb5fcdd5b3befd94dd77ad7fd5f292f09b720
  SHA512: 6d8f731a3497d035865166259847b735a5909f451306a5b9c7e2aeda6d32a13c87caf88301b64669f929b4ba15136988bc44ecf83300fb57b6da7c950e6d7c7d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2AIEBTNXH0IGUDSFLOPK.temp
  Filesize: 7KB
  MD5: 75e97f654395c92e7ddc6b31a19609c1
  SHA1: 656967dc90c1ccc315beefa1e6701b61311d87c6
  SHA256: fca9ceb05faceb7c6659f981b84b16f2e2b8aacb9d208d78ef3aaec94f652da7
  SHA512: e0dc2eb4e3f5eb6fecb5b40e90ceb1c0523eea0d59e2fc2659b7c346801dccaae9a1585adbfbf7f7e8bc983d89d274389975deca87dece0859669dbea09ac3ec

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 75e97f654395c92e7ddc6b31a19609c1
  SHA1: 656967dc90c1ccc315beefa1e6701b61311d87c6
  SHA256: fca9ceb05faceb7c6659f981b84b16f2e2b8aacb9d208d78ef3aaec94f652da7
  SHA512: e0dc2eb4e3f5eb6fecb5b40e90ceb1c0523eea0d59e2fc2659b7c346801dccaae9a1585adbfbf7f7e8bc983d89d274389975deca87dece0859669dbea09ac3ec