Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system -
submitted
01-12-2023 12:26
Static task
static1
Behavioral task
behavioral1
Sample
payment status.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
payment status.exe
Resource
win10v2004-20231127-en
General
-
Target
payment status.exe
-
Size
840KB
-
MD5
aa2bbdd4f76e86b8a34746c29602982e
-
SHA1
65afd6aa0bf71c64cbaa3076dee472d696dd5566
-
SHA256
391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd
-
SHA512
c6888740e55c03ab9c494cc0a9e0d7271ecc009393274f332566090c0932ec5848349b803ced84c5f1bdb3a873b739c4b2058971552f195e2c9d5d850fe9135f
-
SSDEEP
12288:S3f5A6IOwgTt0Pkua0p0lZXRYQlBTPNPqt99EUU5kLQTYCS51fn7dyx:YTaslk0l1RYmFqt95dsMCS5l7Mx
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.bezzleauto.com
Port: 587
Username: [email protected]
Password: Kene123456789
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET; this sample's extracted configuration exfiltrates over SMTP to the mailbox above.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PID   Process
2668  powershell.exe
2724  powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description                 PID   Process
Token: SeDebugPrivilege     2668  powershell.exe
Token: SeDebugPrivilege     2724  powershell.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Source process: payment status.exe (PID 1052). Each row is repeated once per recorded write; the counts below sum to the 23 IoCs.

Description        Source PID  Source process      Target PID  Target process  Writes
wrote to memory of 1052        payment status.exe  2724        powershell.exe  4
wrote to memory of 1052        payment status.exe  2668        powershell.exe  4
wrote to memory of 1052        payment status.exe  1716        schtasks.exe    4
wrote to memory of 1052        payment status.exe  2680        RegSvcs.exe     11
Processes
-
payment status.exe (PID 1052)
  Image: C:\Users\Admin\AppData\Local\Temp\payment status.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
  - Suspicious use of WriteProcessMemory

  powershell.exe (PID 2724), child of 1052
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  powershell.exe (PID 2668), child of 1052
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  schtasks.exe (PID 1716), child of 1052
    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp"
    - Creates scheduled task(s)

  RegSvcs.exe (PID 2680), child of 1052
    Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
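The process tree above shows the three behaviours worth detecting on a host: PowerShell adding Windows Defender exclusions for the dropper and its copy under %APPDATA%, schtasks creating a task from an XML file in %TEMP%, and the 32-bit RegSvcs.exe started with no arguments by a binary in %TEMP% (the target of the 11 WriteProcessMemory calls). The triage script below is an added example, not part of the sandbox report or of any vendor tooling. It runs over constructed process-creation records modeled on the tree (PIDs, paths and command lines as reported; the sample's own parent PID and the benign Get-MpPreference control are invented), and it generalizes slightly: RegAsm.exe is included alongside RegSvcs.exe as an assumed sibling host, and the exclusion check covers -ExclusionProcess and -ExclusionExtension as well as the -ExclusionPath seen here.

```python
"""Triage a process tree for three behaviours: a Defender exclusion added from
PowerShell, a scheduled task created from an XML file in a user-writable path,
and a .NET utility started with no arguments as a likely injection host."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    ppid: int
    image: str      # full path of the executable that was started
    cmdline: str    # command line as logged


# Constructed sample events modeled on the process tree in this report. Parent
# PID 800 of the dropper and the final benign control event are made up.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1052, 800,
              r"C:\Users\Admin\AppData\Local\Temp\payment status.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\payment status.exe"'),
    ProcEvent(2724, 1052,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"'),
    ProcEvent(2668, 1052,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"'),
    ProcEvent(1716, 1052,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB2CB.tmp"'),
    ProcEvent(2680, 1052,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Benign control (constructed): reading Defender settings must not fire.
    ProcEvent(3100, 3000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Get-MpPreference"),
]

# Add-MpPreference with any exclusion parameter; captures the excluded value.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# schtasks /Create ... /XML <file>; captures the task definition file.
SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+.*?/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.I)
# Per-user writable locations a dropper typically runs from or writes to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# .NET utilities abused as injection hosts. Only RegSvcs.exe appears in this
# report; RegAsm.exe is an assumption based on the same technique.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}


def find_defender_exclusion(cmdline: str) -> Optional[str]:
    """Return the value excluded from Defender scanning, or None."""
    m = EXCLUSION_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def find_schtasks_xml(cmdline: str) -> Optional[str]:
    """Return the XML task definition passed to schtasks /Create, or None."""
    m = SCHTASKS_XML_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def _arguments(cmdline: str) -> str:
    """Strip the (possibly quoted) image path and return only the arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.split(None, 1)[1] if " " in s else ""


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every event matching one of the behaviours."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        excl = find_defender_exclusion(ev.cmdline)
        if excl:
            findings.append((ev.pid, f"Defender exclusion added for {excl}"))
        xml = find_schtasks_xml(ev.cmdline)
        if xml and USER_WRITABLE_RE.search(xml):
            findings.append((ev.pid, f"scheduled task created from XML in user-writable path {xml}"))
        parent = by_pid.get(ev.ppid)
        if (name in DOTNET_HOSTS and not _arguments(ev.cmdline)
                and parent and USER_WRITABLE_RE.search(parent.image)):
            findings.append((ev.pid, f"{name} started with no arguments by {parent.image} "
                                     f"(PID {ev.ppid}); likely injection host"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Run against the sample, the script flags PIDs 2724, 2668, 1716 and 2680 and leaves the dropper itself and the Get-MpPreference control alone. On a real host the same logic applies to Sysmon Event ID 1 or Security 4688 data; the exclusion check is also worth pairing with a periodic read of the configured exclusions, since an exclusion added once keeps protecting the dropped copy after the PowerShell process is gone.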
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 d44126ff35532d06f927cb7c8d58656d
SHA1 dc876937f2f846ab8395f3b30a54f95193243d45
SHA256 67a606b3b177b87935c9c54856b536218fbdbe92ee652abd90b9cc0ba6e9192d
SHA512 0fc7ef53e0a163d761deb874010a92cc634d8799c90e2e8449ef7862ff8740401e5ce2673a5f2ec883feab399493ef4180d2934deab87072df1dd0aeb1ac1be9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNMMMBI3HDP11OHUZ5E9.temp
Filesize 7KB
MD5 cd0a406283b68d86f0f9758ddab4f382
SHA1 e425c11bfc8d078a6ff6390c950813631a3489d1
SHA256 c1962d0ee5c65c72fa75af1f161dbd2da414b86075c841fff27aed1afdbc4d08
SHA512 aa9860a2a5572b840dfde03990fc03edd2618ad3cbcb332ead5dc3d367ffbbe212b55ced696e43ba13160836ad665d629603889e2088eb97471d28ec525e9ca1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 cd0a406283b68d86f0f9758ddab4f382
SHA1 e425c11bfc8d078a6ff6390c950813631a3489d1
SHA256 c1962d0ee5c65c72fa75af1f161dbd2da414b86075c841fff27aed1afdbc4d08
SHA512 aa9860a2a5572b840dfde03990fc03edd2618ad3cbcb332ead5dc3d367ffbbe212b55ced696e43ba13160836ad665d629603889e2088eb97471d28ec525e9ca1