Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system -
submitted
01-12-2023 10:31
Static task
static1
Behavioral task
behavioral1
Sample
payment status.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
payment status.exe
Resource
win10v2004-20231127-en
General
-
Target
payment status.exe
-
Size
840KB
-
MD5
aa2bbdd4f76e86b8a34746c29602982e
-
SHA1
65afd6aa0bf71c64cbaa3076dee472d696dd5566
-
SHA256
391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd
-
SHA512
c6888740e55c03ab9c494cc0a9e0d7271ecc009393274f332566090c0932ec5848349b803ced84c5f1bdb3a873b739c4b2058971552f195e2c9d5d850fe9135f
-
SSDEEP
12288:S3f5A6IOwgTt0Pkua0p0lZXRYQlBTPNPqt99EUU5kLQTYCS51fn7dyx:YTaslk0l1RYmFqt95dsMCS5l7Mx
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.bezzleauto.com
Port: 587
Username: [email protected]
Password: Kene123456789
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample's extracted config exfiltrates over SMTP (port 587) using the credentials above.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: payment status.exe
description: set thread context | pid: 288 | process: payment status.exe | target pid: 2592 | target process: RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: RegSvcs.exe, powershell.exe, powershell.exe
pid: 2592 | process: RegSvcs.exe
pid: 2592 | process: RegSvcs.exe
pid: 2748 | process: powershell.exe
pid: 2724 | process: powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: RegSvcs.exe, powershell.exe, powershell.exe
description: Token: SeDebugPrivilege | pid: 2592 | process: RegSvcs.exe
description: Token: SeDebugPrivilege | pid: 2748 | process: powershell.exe
description: Token: SeDebugPrivilege | pid: 2724 | process: powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes: payment status.exe
description: wrote to memory of | pid: 288 | process: payment status.exe | target pid: 2724 | target process: powershell.exe (4 events)
description: wrote to memory of | pid: 288 | process: payment status.exe | target pid: 2748 | target process: powershell.exe (4 events)
description: wrote to memory of | pid: 288 | process: payment status.exe | target pid: 2976 | target process: schtasks.exe (4 events)
description: wrote to memory of | pid: 288 | process: payment status.exe | target pid: 2592 | target process: RegSvcs.exe (12 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment status.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:288
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADEB.tmp"
    - Creates scheduled task(s)
    PID:2976
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592

Reading the tree: the sample (PID 288) first adds two Defender exclusions, one for itself and one for its persisted copy at C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe, registers a scheduled task named Updates\ZPYGuWlgLiAnJ from an XML definition dropped in %Temp%, then launches RegSvcs.exe with no arguments and, per the SetThreadContext and WriteProcessMemory signatures, hollows it with the Agent Tesla payload. The children's image paths are under SysWOW64 although their command lines say System32; that is file-system redirection applied to a 32-bit parent, consistent with the arch:x86 resource tag and with the 32-bit Framework (not Framework64) RegSvcs.exe host.
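The process tree above is the detection surface a defender actually gets: two Add-MpPreference exclusions, a schtasks import from %Temp%, a no-argument RegSvcs.exe under a non-framework parent, and a WriteProcessMemory-then-SetThreadContext pair into it. The following is an added hunting example, not code from the sandbox or this report; the event records are constructed to mirror the report's tree (PIDs 288, 2724, 2748, 2976, 2592 as reported, plus one benign control), the dataclass field names are my own and not a real log schema, and the list of abusable .NET host binaries is an assumption beyond what the page shows.

```python
"""Hunt for the loader pattern in this Agent Tesla report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path of the new process
    cmdline: str    # command line as observed


@dataclass(frozen=True)
class ApiEvent:
    pid: int        # calling process
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    target_pid: int


# Assumed list of .NET utilities commonly used as hollowing hosts (not from the report).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
TRUSTED_PARENT_MARKERS = ("\\microsoft.net\\", "\\microsoft visual studio\\", "\\msbuild\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Drop the (possibly quoted) image token; return whatever arguments remain."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def find_defender_exclusions(procs):
    """PowerShell adding a Defender exclusion -> [(pid, excluded path)]."""
    pat = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
    hits = []
    for p in procs:
        if _basename(p.image) in ("powershell.exe", "pwsh.exe"):
            m = pat.search(p.cmdline)
            if m:
                hits.append((p.pid, m.group(1) or m.group(2)))
    return hits


def find_temp_xml_tasks(procs):
    """schtasks /Create importing XML from a user temp dir -> [(pid, task name, xml path)]."""
    tn = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
    xml = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
    hits = []
    for p in procs:
        if _basename(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        mx = xml.search(p.cmdline)
        if not mx:
            continue
        path = mx.group(1) or mx.group(2)
        if "\\appdata\\local\\temp\\" not in path.lower():
            continue
        mt = tn.search(p.cmdline)
        hits.append((p.pid, (mt.group(1) or mt.group(2)) if mt else "", path))
    return hits


def find_hollowed_dotnet_hosts(procs):
    """.NET utility started with no arguments by a parent outside the framework/VS -> [pid]."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _basename(p.image) not in DOTNET_HOSTS or _args_after_image(p.cmdline):
            continue
        parent = by_pid.get(p.ppid)
        parent_image = parent.image.lower() if parent else ""
        if not any(mark in parent_image for mark in TRUSTED_PARENT_MARKERS):
            hits.append(p.pid)
    return hits


def find_thread_context_injection(apis):
    """WriteProcessMemory followed by SetThreadContext across processes -> [(source pid, target pid)]."""
    written, hits = set(), []
    for e in apis:
        key = (e.pid, e.target_pid)
        if e.pid == e.target_pid:
            continue
        if e.api == "WriteProcessMemory":
            written.add(key)
        elif e.api == "SetThreadContext" and key in written and key not in hits:
            hits.append(key)
    return hits


def triage(procs, apis):
    """Combine the four checks; three or more independent hits is the loader pattern."""
    findings = {
        "defender_exclusions": find_defender_exclusions(procs),
        "temp_xml_tasks": find_temp_xml_tasks(procs),
        "hollowed_hosts": find_hollowed_dotnet_hosts(procs),
        "thread_context_injection": find_thread_context_injection(apis),
    }
    score = sum(1 for v in findings.values() if v)
    findings["verdict"] = "agenttesla-loader-pattern" if score >= 3 else "inconclusive"
    return findings


# Constructed events mirroring the report's process tree (PIDs as reported; PID 4001 is a benign control).
PROCS = [
    ProcEvent(288, 1000, r"C:\Users\Admin\AppData\Local\Temp\payment status.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\payment status.exe"'),
    ProcEvent(2724, 288, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"'),
    ProcEvent(2748, 288, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"'),
    ProcEvent(2976, 288, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADEB.tmp"'),
    ProcEvent(2592, 288, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(4001, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyComponent.dll'),
]
APIS = [
    ApiEvent(288, "WriteProcessMemory", 2724),
    ApiEvent(288, "WriteProcessMemory", 2976),
    ApiEvent(288, "WriteProcessMemory", 2592),
    ApiEvent(288, "SetThreadContext", 2592),
]

if __name__ == "__main__":
    for name, value in triage(PROCS, APIS).items():
        print(f"{name}: {value}")
```

The hollowing check deliberately requires both "no arguments" and "parent outside the .NET/VS directories"; a developer running RegSvcs.exe from a build normally passes an assembly path, as the PID 4001 control shows, so the combination keeps false positives low while still catching the parent-child pair in this report.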
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 ceb1593cdb9de5c87922fac425a05463
SHA1 1eb81f312c198184c65cabca5619cbb596321f3e
SHA256 71c7a72a8666dc273c35378f7646b041e3f8ffe634158a5dbc5b8588635e4ce4
SHA512 cf5eb3c5549c5c6ad527a325ec35f9811c92d9a63c5dc93ade6df70db9ec8a9bb2317534027fd22923886a2664497d39434d2b771da6daafa3feaac20029b8f5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Q3XMI9I0HITPFV3V4EB.temp
Filesize 7KB
MD5 eaf2f24b512faa2612ba11f1990b209b
SHA1 cf9897df6e3c915c50861123bd29dba7eb8415cb
SHA256 1644d026de31d4bcc14b64518facb3a15cd6a9ef95761133adc506e7e2a8f6cb
SHA512 7e1b9aab14a14eda3cc85f5c6bbcbc317fbb1ea813eedb0365439ccda6cafc7d0be4893cf1d02c12b9808f9367813c1649b681060ac6c376a51f2b7880135dca
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 eaf2f24b512faa2612ba11f1990b209b
SHA1 cf9897df6e3c915c50861123bd29dba7eb8415cb
SHA256 1644d026de31d4bcc14b64518facb3a15cd6a9ef95761133adc506e7e2a8f6cb
SHA512 7e1b9aab14a14eda3cc85f5c6bbcbc317fbb1ea813eedb0365439ccda6cafc7d0be4893cf1d02c12b9808f9367813c1649b681060ac6c376a51f2b7880135dca

Note: these two files carry identical hashes, so they are the same content written under a temporary and a final name. The CustomDestinations directory holds Windows jump-list data, which the shell commonly updates when PowerShell is launched, so treat these as host-side artifacts of the two powershell.exe executions rather than as payload drops; the persisted copy named in the exclusion and task (C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe) and the task XML (tmpADEB.tmp) do not appear in this list and must be recovered from the sandbox's file events or a live host.