Analysis
-
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted
01-12-2023 19:28
Static task
static1
Behavioral task
behavioral1
Sample
003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
Resource
win10v2004-20231127-en
General
-
Target
003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
-
Size
1.0MB
-
MD5
50fcb0b381ff9bbef33e90561ca1d324
-
SHA1
eb9d093de06bacc8204058ba9ed7c77f2194560c
-
SHA256
eb0c9f7ff7106033740df49533023ab8c93304ec66c76496dde0aab528a7472a
-
SHA512
811dc2da113f2272b4211c558a9d0882743571ff4a3becc2771718e5bc8e15978f1b0efa030e9dd4df2fe77143c96917b62fca552488c13e0b8ad36929f98265
-
SSDEEP
24576:6yBN2mseCYCHXDm/jvyzRT5Fl2ue8+KkewDyTnUdVXR:6ybsNYCHTm+t1r+QmyTn+VB
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.unitechautomations.com
Port: 587
Username: [email protected]
Password: Unitech@123
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer written in Visual Basic. This sample exfiltrates over authenticated SMTP (port 587) using the mailbox credentials in the extracted config above; those credentials are a usable indicator and should be reported to the mail host's owner as compromised.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
Keys opened by RegSvcs.exe (the Outlook profile store, checked at its Office 2013, legacy MAPI and Office 2016+ locations):
- \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: RegSvcs.exe
Set value (str) by RegSvcs.exe:
- \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\fCVSa = "C:\\Users\\Admin\\AppData\\Roaming\\fCVSa\\fCVSa.exe"
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows: 4 api.ipify.org, 5 api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
- PID 2280 (003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe) set thread context of PID 2700 (RegSvcs.exe)
The dropper creates RegSvcs.exe with no arguments, writes into it (see WriteProcessMemory below) and then resets its thread context: the process hollowing pattern, with the .NET utility serving only as a signed host for the injected payload.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes: 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe, powershell.exe, powershell.exe, RegSvcs.exe
- PID 2280 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe (24 entries)
- PID 2680 powershell.exe (1 entry)
- PID 2752 powershell.exe (1 entry)
- PID 2700 RegSvcs.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe, powershell.exe, powershell.exe, RegSvcs.exe
Token: SeDebugPrivilege enabled by
- PID 2280 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
- PID 2680 powershell.exe
- PID 2752 powershell.exe
- PID 2700 RegSvcs.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe
PID 2280 (003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe) wrote to memory of:
- PID 2752 powershell.exe (4 writes)
- PID 2680 powershell.exe (4 writes)
- PID 2660 schtasks.exe (4 writes)
- PID 2700 RegSvcs.exe (12 writes)
The same four writes into each PowerShell and schtasks child are consistent with ordinary process creation; the twelve into RegSvcs.exe, paired with the SetThreadContext entry above, are the payload being written into the hollowed host.
-
outlook_office_path 1 IoCs
Processes: RegSvcs.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
-
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe (PID 2280, level 1)
  "C:\Users\Admin\AppData\Local\Temp\003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2752, level 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2680, level 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EBfNKefJuvwrQK.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 2660, level 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EBfNKefJuvwrQK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9740.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2700, level 2)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
The command lines name System32 while the recorded image paths are under SysWOW64: the dropper is a 32-bit process, so WOW64 file-system redirection resolves its System32 references to the 32-bit copies. Read in order, the chain is: exclude the dropper and its dropped copy (C:\Users\Admin\AppData\Roaming\EBfNKefJuvwrQK.exe) from Defender scanning, register the scheduled task Updates\EBfNKefJuvwrQK from an XML definition written to Temp, then start an argument-less RegSvcs.exe and hollow it with the Agent Tesla payload, which in turn sets the fCVSa Run key and reads the Outlook profile store.
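Detection logic for the chain in the process tree and signatures above, as an added example that is not part of the sandbox report or of any vendor's rule set. It runs over constructed Sysmon-style events (an assumed event shape, not the sandbox's own output) whose PIDs, paths, registry keys and SMTP host are taken from this report; the dropper's parent PID, the ipify port, the allow-lists and the two benign control events are assumptions for illustration. The rules generalise slightly beyond the report (RegAsm alongside RegSvcs, pwsh alongside powershell, a second IP-lookup host), and the correlation step ties every hit back to the parent that spawned the flagged process, so the dropper (PID 2280) surfaces as the common root.

```python
import re
from collections import defaultdict, namedtuple

# Constructed Sysmon-style events mirroring this report's process tree, registry IoCs
# and C2 config. PIDs, paths and the SMTP host come from the report; the dropper's
# parent PID (1000), the ipify port and PIDs 3100/3200 (benign controls) are made up.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\003035044445.AWB.PRG.CHO.M20.20231124.003622.20231124.004549.10532.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000"
PROFILE = HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

EVENTS = [
    dict(type="process_create", pid=2280, ppid=1000, image=DROPPER, cmdline=f'"{DROPPER}"'),
    dict(type="process_create", pid=2752, ppid=2280, image=PS,
         cmdline=f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPER}"'),
    dict(type="process_create", pid=2680, ppid=2280, image=PS,
         cmdline=f'"{PS_CMD}" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\EBfNKefJuvwrQK.exe"'),
    dict(type="process_create", pid=2660, ppid=2280, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\EBfNKefJuvwrQK" /XML "{TEMP}\\tmp9740.tmp"'),
    dict(type="process_create", pid=2700, ppid=2280, image=REGSVCS, cmdline=f'"{REGSVCS}"'),
    dict(type="registry_set", pid=2700, image=REGSVCS, key=HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\fCVSa",
         value=r"C:\Users\Admin\AppData\Roaming\fCVSa\fCVSa.exe"),
    dict(type="registry_open", pid=2700, image=REGSVCS, key=PROFILE),
    dict(type="network_connect", pid=2700, image=REGSVCS, host="api.ipify.org", port=443),
    dict(type="network_connect", pid=2700, image=REGSVCS, host="mail.unitechautomations.com", port=587),
    # Benign controls: RegSvcs registering an assembly, Outlook reading its own profile.
    dict(type="process_create", pid=3100, ppid=900, image=REGSVCS, cmdline=f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Component.dll"'),
    dict(type="registry_open", pid=3200, image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", key=PROFILE),
]

IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}  # assumed list; the report shows only ipify
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allow-list for direct SMTP
Finding = namedtuple("Finding", "rule pid detail")

def _image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()

def _args_after_image(cmdline):
    """Drop the (possibly quoted) program token and return whatever arguments remain."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1) if m else cmdline

# Each rule returns a detail string for a matching event, otherwise None.
def defender_exclusion(ev):
    if ev["type"] == "process_create" and _image_name(ev) in ("powershell.exe", "pwsh.exe"):
        m = re.search(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', ev["cmdline"], re.I)
        if m:
            return "Defender exclusion added for " + m.group(1).strip()

def schtasks_xml_from_temp(ev):
    if ev["type"] == "process_create" and _image_name(ev) == "schtasks.exe":
        c = ev["cmdline"]
        if re.search(r"/create\b", c, re.I) and re.search(r'/xml\s+"?[^"]*\\Temp\\', c, re.I):
            return "scheduled task created from an XML file under a Temp directory"

def dotnet_utility_without_args(ev):
    # RegSvcs/RegAsm do nothing useful without an assembly to register: a bare launch is a hollowing host.
    if ev["type"] == "process_create" and _image_name(ev) in ("regsvcs.exe", "regasm.exe"):
        if not _args_after_image(ev["cmdline"]).strip():
            return _image_name(ev) + " launched with no arguments (injection target)"

def run_key_to_appdata(ev):
    if ev["type"] == "registry_set" and re.search(r"\\CurrentVersion\\Run\\", ev["key"], re.I):
        if re.search(r"\\AppData\\(?:Roaming|Local)\\", ev["value"], re.I):
            return "Run key points into AppData: " + ev["value"]

def outlook_profile_read_by_other(ev):
    if ev["type"] == "registry_open" and _image_name(ev) != "outlook.exe":
        if re.search(r"\\(?:Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\", ev["key"], re.I):
            return "Outlook profile store read by " + _image_name(ev)

def external_ip_lookup(ev):
    if ev["type"] == "network_connect" and ev["host"].lower() in IP_LOOKUP_HOSTS:
        return "external IP lookup via " + ev["host"]

def smtp_from_non_mail_client(ev):
    if ev["type"] == "network_connect" and ev["port"] in (25, 465, 587) and _image_name(ev) not in MAIL_CLIENTS:
        return f"SMTP to {ev['host']}:{ev['port']} from {_image_name(ev)}"

RULES = [defender_exclusion, schtasks_xml_from_temp, dotnet_utility_without_args,
         run_key_to_appdata, outlook_profile_read_by_other, external_ip_lookup, smtp_from_non_mail_client]

def detect(events):
    """Run every rule over every event; one Finding per (rule, event) hit."""
    return [Finding(rule.__name__, ev["pid"], d) for ev in events for rule in RULES if (d := rule(ev))]

def correlate(events, findings, min_rules=2):
    """Attribute each finding to the parent that spawned the flagged process; a parent
    behind two or more distinct rules is reported as the chain (here the dropper, 2280)."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    rules_by_parent = defaultdict(set)
    for f in findings:
        if f.pid in parent:
            rules_by_parent[parent[f.pid]].add(f.rule)
    return {p: sorted(r) for p, r in rules_by_parent.items() if len(r) >= min_rules}
```

Run `detect(EVENTS)` to get the eight individual hits (two Defender exclusions, the Temp-sourced task, and five against the hollowed RegSvcs.exe: bare launch, Run key, Outlook profile read, ipify lookup, SMTP on 587) and `correlate(EVENTS, detect(EVENTS))` to see them collapse onto PID 2280; the two control events produce nothing, which is the false-positive check a rule like `dotnet_utility_without_args` needs before it is deployed. On a live host the equivalent of the first rule is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, which lists any exclusions the malware managed to add.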
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 c2ec668439eb406a3c59ccbdff240109
SHA1 fb11ccf95800c34e3a2bd3cbdb6f7710358e44a2
SHA256 31f0e8d3696b93d17f37db7027354a135866bb0d0e20a9a552387d0c7e34f350
SHA512 3bec1688c18013790a84017ea392dbc75a704860b14ba20edecd09bcefa11aa8ab24581058318998d1d5b4b4e8e73e38b520cf3935bc05493c2887a1a0d45ef0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XG2CWKNF5BKEJZPYQ2UW.temp
Filesize 7KB
MD5 1b23b8437d7511254104479e312127c1
SHA1 2792b2148e7010f4a238d86d8fa1b7c69b84789d
SHA256 56b3ccbe838effae91a27062f8cda7c22484da16371eaf1233a11009bd71c53d
SHA512 027e5cc9151c9ec32b73370d557b1ec0d0f5ec0141ff577a5b3bbbcb65d5e62b496009fd99dbe0b118bd273b20134e1a54ea5412002bec9e95d4278cce63d555
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 1b23b8437d7511254104479e312127c1
SHA1 2792b2148e7010f4a238d86d8fa1b7c69b84789d
SHA256 56b3ccbe838effae91a27062f8cda7c22484da16371eaf1233a11009bd71c53d
SHA512 027e5cc9151c9ec32b73370d557b1ec0d0f5ec0141ff577a5b3bbbcb65d5e62b496009fd99dbe0b118bd273b20134e1a54ea5412002bec9e95d4278cce63d555
These two entries carry identical hashes because they are one file: a Windows jump list (CustomDestinations) written to a .temp name and renamed, an artifact of the sandbox shell opening the sample rather than a payload dropped by it. The files the chain actually plants (EBfNKefJuvwrQK.exe, fCVSa.exe, tmp9740.tmp) are not captured in this section.