Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2023 14:21
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe
  Resource: win10v2004-20231127-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe
Size: 733KB
MD5: bb3154deaa6ca591e3fbc500413cd7ac
SHA1: c75855e2d2adf272a761256feb89688fb9154dff
SHA256: 838f85e54553bfa5d9d22fc3a2a4348034ff566ea0c5268853b81ab976ee45de
SHA512: 58a21c9c32a9f91fb0625c701c4f1447e531624cac71273056c30189a92a795c889198427a54a64921a2d834865578aea4eed02fc5f285d3bd97db6796b84858
SSDEEP: 12288:KIe6QH05HCmtbC+GBxhBWgxRaA9xEm4E8rQWKnn4lISR3Zg4M:0HACmh7GB3BWdU+e88n4lISR3
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: Lover boy @123
Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic). The family exfiltrates harvested data over SMTP, FTP or HTTP; the extracted config above shows this build using SMTP on port 587 with hard-coded mailbox credentials.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
  PID 2248 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe) set thread context of PID 2832 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe)
  Together with the WriteProcessMemory entries for the same target below, this is the process-hollowing pattern: the parent launches a second copy of its own image, overwrites that child's memory and then repoints the child's thread at the injected code.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2832 SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe (2 hits)
  PID 2848 powershell.exe (1 hit)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2832 SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe
  Token: SeDebugPrivilege, PID 2848 powershell.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2248 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe) wrote to memory of PID 2848 (powershell.exe): 4 writes
  PID 2248 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe) wrote to memory of PID 2800 (schtasks.exe): 4 writes
  PID 2248 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe) wrote to memory of PID 2832 (SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe): 9 writes
  A few writes into each freshly created child are normal for CreateProcess on this platform, which is why powershell.exe and schtasks.exe appear here at all; the nine writes into the second copy of the sample, paired with the SetThreadContext entry above, are the actual injection.
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe (PID 2248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2848)
  |    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oPrSImVzvH.exe"
  |    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |- C:\Windows\SysWOW64\schtasks.exe (PID 2800)
  |    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oPrSImVzvH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82D6.tmp"
  |    Signatures: Creates scheduled task(s)
  |- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe (PID 2832)
       Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe"
       Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
The executable paths sit under SysWOW64 while the command lines name System32: the sample is 32-bit (arch:x86 tag), so file-system redirection sends its children to the 32-bit copies of powershell.exe and schtasks.exe. Both persistence artifacts point at the same name, oPrSImVzvH.exe under AppData\Roaming: the PowerShell child exempts that path from Defender scanning, and the schtasks child registers a task Updates\oPrSImVzvH from an XML definition written to Temp. The second copy of the sample (PID 2832) is the hollowed process the parent writes into; the SeDebugPrivilege and process-enumeration signatures come from it.
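The chain above (a Defender exclusion added through Add-MpPreference, a scheduled task created from an XML file in Temp, a same-image child that the parent writes into and re-contexts) plus the SMTP exfiltration channel from the Malware Config section is the kind of sequence endpoint telemetry should flag. The following Python is an added example, not sandbox output and not code from the sample: it runs four simple rules over constructed process and API events modelled on the tree above. The PIDs, image paths and command lines are copied from this report; the parent PID 1000, the event schema, the mail-client allowlist, the SMTP connect event (built from the extracted config, since the report's Network section is empty) and the benign schtasks /Query control are assumptions made for the example and are not any real EDR or Sysmon format.

```python
import re
from collections import defaultdict

# Constructed events modelled on this report's process tree. The schema is an
# assumption for the example, not a real EDR/Sysmon format. PIDs, images and
# command lines are copied from the report; parent PID 1000, the "connect" event
# (built from the extracted SMTP config) and the trailing schtasks /Query event
# are invented controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15872.18159.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EVENTS = [
    {"type": "create", "pid": 2248, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "create", "pid": 2848, "ppid": 2248, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oPrSImVzvH.exe"'},
    {"type": "create", "pid": 2800, "ppid": 2248, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oPrSImVzvH" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp82D6.tmp"'},
    {"type": "create", "pid": 2832, "ppid": 2248, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_mem", "pid": 2248, "target": 2832},
    {"type": "set_thread_context", "pid": 2248, "target": 2832},
    {"type": "connect", "pid": 2832, "dst": "us2.smtp.mailhostbox.com", "port": 587},
    # Benign control: a task query from an unrelated process must not fire any rule.
    {"type": "create", "pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

EXCLUSION_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.I)
SCHTASKS_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"]+)', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # allowlist is an assumption


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours this report shows."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    wrote, ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "write_mem":
            wrote[e["pid"]].add(e["target"])
        elif e["type"] == "set_thread_context":
            ctx[e["pid"]].add(e["target"])

    for pid, p in procs.items():
        img, cmd = p["image"].lower(), p["cmdline"]
        # Rule 1: Defender exclusion added from PowerShell (defence evasion).
        m = EXCLUSION_RE.search(cmd)
        if m and img.endswith("powershell.exe"):
            findings.append(("defender_exclusion_added", pid, m.group(1)))
        # Rule 2: scheduled task registered from an XML definition in Temp (persistence).
        m = SCHTASKS_XML_RE.search(cmd)
        if m and img.endswith("schtasks.exe") and TEMP_DIR_RE.search(m.group(1)):
            findings.append(("schtasks_xml_from_temp", pid, m.group(1)))
        # Rule 3: parent spawns a copy of its own image, writes into it and
        # replaces its thread context: the process-hollowing pattern.
        parent = procs.get(p["ppid"])
        if parent and parent["image"].lower() == img \
                and pid in wrote[p["ppid"]] and pid in ctx[p["ppid"]]:
            findings.append(("self_image_hollowing", pid, f"injected by parent {p['ppid']}"))

    # Rule 4: SMTP from a process that is not a known mail client, the
    # exfiltration channel the extracted AgentTesla config describes.
    for e in events:
        if e["type"] == "connect" and e["port"] in MAIL_PORTS:
            p = procs.get(e["pid"])
            if p and p["image"].lower().rsplit("\\", 1)[-1] not in MAIL_CLIENTS:
                findings.append(("smtp_from_non_mail_client", e["pid"], f'{e["dst"]}:{e["port"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Rule 3 deliberately requires all three conditions (same image as the parent, a memory write from the parent, and a SetThreadContext from the parent) because, as the WriteProcessMemory signature notes, a few writes into every new child are normal and would make a write-only rule noisy; the SetThreadContext call is the discriminating signal.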
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 267bb59aef77d691ad7af64f0ace801e
SHA1: b8ab82460e9787c8d6d6449042188d564cac0840
SHA256: 8065349217682223c54bae70366158041b9c60adc4c590b07484f98c7fdc76bf
SHA512: 4fed307e476d6c03bb8ddea39f4099fe873cc0cd6086e5d7824806ddd2de29efa9fb3e5c5331463ae99e8e3d8b0a969b6969f30e5a5f13e62ed75a40afd9fdbc