Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2023 11:27
Static task: static1
Behavioral task: behavioral1
- Sample: payment status.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: payment status.exe
- Resource: win10v2004-20231127-en
General
- Target: payment status.exe
- Size: 840KB
- MD5: aa2bbdd4f76e86b8a34746c29602982e
- SHA1: 65afd6aa0bf71c64cbaa3076dee472d696dd5566
- SHA256: 391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd
- SHA512: c6888740e55c03ab9c494cc0a9e0d7271ecc009393274f332566090c0932ec5848349b803ced84c5f1bdb3a873b739c4b2058971552f195e2c9d5d850fe9135f
- SSDEEP: 12288:S3f5A6IOwgTt0Pkua0p0lZXRYQlBTPNPqt99EUU5kLQTYCS51fn7dyx:YTaslk0l1RYmFqt95dsMCS5l7Mx
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2588 set thread context of 2676 | 2588 | payment status.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2364 | powershell.exe
  2716 | powershell.exe
  2676 | RegSvcs.exe
  2676 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2364 | powershell.exe
  Token: SeDebugPrivilege | 2716 | powershell.exe
  Token: SeDebugPrivilege | 2676 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (identical events collapsed, count in the last column):
  description | pid | process | target process | events
  PID 2588 wrote to memory of 2716 | 2588 | payment status.exe | powershell.exe | 4
  PID 2588 wrote to memory of 2364 | 2588 | payment status.exe | powershell.exe | 4
  PID 2588 wrote to memory of 2772 | 2588 | payment status.exe | schtasks.exe | 4
  PID 2588 wrote to memory of 2676 | 2588 | payment status.exe | RegSvcs.exe | 12
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\payment status.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
  PID: 2588
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
    PID: 2716
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"
    PID: 2364
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp"
    PID: 2772
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2676
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 1KB
  MD5: 5d463a2f55eb43ecf633e27239701862
  SHA1: 8c138368de03b6881ae4fab446d1cc4fd2904395
  SHA256: 813e073557e6a0505487e0a3e705dd16849f2e52a85fe911fa57622313e825fb
  SHA512: 4d1cdaf0f62c3d27d7c39df9ce04ae0b2ec1d0ded0378ac61640e642f40f3f8c65780f9309b4bc184401cfe272af24b09a7dc2c63f423fd12180be23f5c70c38
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G4N10SVKOR3XI4QMHZYR.temp
  Filesize: 7KB
  MD5: dd203207541374d46b87b71964ee69aa
  SHA1: fdaace2ae8c9f11e0f7e5ff311b125097e47b2fd
  SHA256: 01d51ad436e475bc42f0b59af09995a7d87ec3a481fdddff1007ed2385757f38
  SHA512: 0b72406e1ee3ea3d91f50979e55ef3654fbad575454caa3c326ea01ca2a9ca0e70c6c436af000f1ff95be294cbb48f0e46cb48f643b00620a2402673dc5f349b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: dd203207541374d46b87b71964ee69aa
  SHA1: fdaace2ae8c9f11e0f7e5ff311b125097e47b2fd
  SHA256: 01d51ad436e475bc42f0b59af09995a7d87ec3a481fdddff1007ed2385757f38
  SHA512: 0b72406e1ee3ea3d91f50979e55ef3654fbad575454caa3c326ea01ca2a9ca0e70c6c436af000f1ff95be294cbb48f0e46cb48f643b00620a2402673dc5f349b