Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/11/2023, 12:49
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Resource: win10v2004-20231023-en
General
- Target: SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Size: 914KB
- MD5: 1ff0f2d8838bab1d052908709ae4d37b
- SHA1: 9499f91fdfe212325d190509d357a44d6e2b26fd
- SHA256: 6cb36f0f7e413667ee3a0fbc42e6c95e08853e1025f8382270e63e91dad0a0fb
- SHA512: 513ef448e336b73c7a189d457a8cc32d527c4b668bf2ecbfb460033cdee8ad4f3d6199f729e1e50007e7f1ea9ac2247d9ab5693b8335a2df71ea18d181da5f97
- SSDEEP: 24576:D1qiuGPkRxjps8E+1vQixH9sI5HUW3CM:D1qiuGPOjps1ivsi0W
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mgsales.net
- Port: 587
- Username: [email protected]
- Password: .L&tA{$_f4+t
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2880 set thread context of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3896 | 1436 | WerFault.exe | 107
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3120 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  3760 | powershell.exe
  3760 | powershell.exe
  1504 | powershell.exe
  1504 | powershell.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  1436 | RegSvcs.exe
  1436 | RegSvcs.exe
  1436 | RegSvcs.exe
  1504 | powershell.exe
  3760 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe
  Token: SeDebugPrivilege | 1504 | powershell.exe
  Token: SeDebugPrivilege | 3760 | powershell.exe
  Token: SeDebugPrivilege | 1436 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 2880 wrote to memory of 1504 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 99
  PID 2880 wrote to memory of 1504 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 99
  PID 2880 wrote to memory of 1504 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 99
  PID 2880 wrote to memory of 3760 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 101
  PID 2880 wrote to memory of 3760 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 101
  PID 2880 wrote to memory of 3760 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 101
  PID 2880 wrote to memory of 3120 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 103
  PID 2880 wrote to memory of 3120 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 103
  PID 2880 wrote to memory of 3120 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 103
  PID 2880 wrote to memory of 4356 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 105
  PID 2880 wrote to memory of 4356 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 105
  PID 2880 wrote to memory of 4356 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 105
  PID 2880 wrote to memory of 3168 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 106
  PID 2880 wrote to memory of 3168 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 106
  PID 2880 wrote to memory of 3168 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 106
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
  PID 2880 wrote to memory of 1436 | 2880 | SecuriteInfo.com.Trojan.Inject4.59820.32080.exe | 107
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe"
  PID: 2880
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.32080.exe"
    PID: 1504
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCwKisdGFGmp.exe"
    PID: 3760
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCwKisdGFGmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp"
    PID: 3120
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4356
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3168
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1436
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Child processes:
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1424
      PID: 3896
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1436 -ip 1436
  PID: 660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 18KB
  MD5: d5ca782fab083cd872bc2bf7ff963456
  SHA1: fa32d03b3db7a46022e63b7930a89cbb1d1f5c19
  SHA256: e67e5c9464a0896861c7b4547db7081f876c27528f2597087db4aee6d41f54e8
  SHA512: d23119ac1dda191b0a6c1a7e36cf15970b94c3c4fb32f6c764059d0269c3c618519cd82cb1cc9802148ec7f4ad1e213697a0685b995f57dabc3ae4e20126a2a0
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: a112c4d8453a0a79bea180de65745731
  SHA1: 32e55a623dda0dc05315b11437478a9ce6894364
  SHA256: f73129ea58640d8a086489070fbf9ac2a2ba96959266ab9cd4788c7f047980d5
  SHA512: e0cc41143f34cd5cc1da62f043503e4827dd14125fbb1ff445ac894e06a73de635d34fe3b95b757d31ede16967240e58be815a6a33327afae43769fde34014fd