Analysis
- max time kernel: 117s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2023 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: PO. No. 5500371145.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: PO. No. 5500371145.exe
- Resource: win10v2004-20231127-en
General
- Target: PO. No. 5500371145.exe
- Size: 678KB
- MD5: 7f4f6e3789449c78b61f26d679cf5a2f
- SHA1: 377ca37dcf869dbc2c6207a4dd383f85b9f6b65d
- SHA256: 5ff36a084b23be3de1baeb6953f2d0488d8f1ea257d1b83d64ad8fb64bc8dc39
- SHA512: b9c614984dd6ff1ef21874b8fde9eaedb14d9afe59e4c3c3525eff8212d4f7424366f5c5e95dc004fd9cf7e6bac29e8117b13174ba9ad6e3e9740612c08f4f47
- SSDEEP: 12288:GCB0JiIeS0K36xgYG86Ox2nzNwqIH2kGX3DwxV7ccqidnuB/LhYcvwfqIrs9:l0Jis36aYv6Ox2xkGaxqFmcxa
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.scorpionlogistics.qa
- Port: 587
- Username: [email protected]
- Password: M30009637
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe" | PO. No. 5500371145.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2552 set thread context of 2944 | 2552 | PO. No. 5500371145.exe | PO. No. 5500371145.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  2552 | PO. No. 5500371145.exe
  2552 | PO. No. 5500371145.exe
  2944 | PO. No. 5500371145.exe
  2944 | PO. No. 5500371145.exe
  2792 | powershell.exe
  2208 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2552 | PO. No. 5500371145.exe
  Token: SeDebugPrivilege | 2944 | PO. No. 5500371145.exe
  Token: SeDebugPrivilege | 2792 | powershell.exe
  Token: SeDebugPrivilege | 2208 | powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2944 | PO. No. 5500371145.exe

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (identical rows grouped, with the number of entries the report lists):
  description | pid | process | target process | entries
  PID 2552 wrote to memory of 2208 | 2552 | PO. No. 5500371145.exe | powershell.exe | 4
  PID 2552 wrote to memory of 2792 | 2552 | PO. No. 5500371145.exe | powershell.exe | 4
  PID 2552 wrote to memory of 2992 | 2552 | PO. No. 5500371145.exe | schtasks.exe | 4
  PID 2552 wrote to memory of 2944 | 2552 | PO. No. 5500371145.exe | PO. No. 5500371145.exe | 9
Processes

- C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
  PID: 2552
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
    PID: 2208
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mKYYhRtPkmXrC.exe"
    PID: 2792
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKYYhRtPkmXrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7BB.tmp"
    PID: 2992
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
    PID: 2944
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded for this entry)
  Filesize: 1KB
  MD5: 28743d2bac6a1fa0132a48c7a214a87e
  SHA1: e84bfca375933c587e5c1c4102059c5637052f79
  SHA256: ae0d485be0909951f94e7974317adfb923367bc5cb95cb1a9c446517b85bf21f
  SHA512: 0c94add38d2db66ee39153f4c5598bdf34dd33835df7ae05e254759ee8c21d3a365d42845d46b6c26c71d424ca79771d3d282d7336bb6bda005548538d582280

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVWATAJK5ZSJPTMW4F6D.temp
  Filesize: 7KB
  MD5: 639b2f4b86fe07581c4caa91c1cf0bb2
  SHA1: 3416eddb0c8cbafae2130cb860f486bde635360d
  SHA256: bcd155b897044689ee8493f7e6b55410b5c52b83eeb805751b5c5a3c3c8260da
  SHA512: b6286388c3ccb5f200c708ea8460c9695d6f3a180c2e1d498adb9df2316b47a7ffe23415db787d05b159dfd8af40c627879c85249141ceae80597a926da40fc8

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 639b2f4b86fe07581c4caa91c1cf0bb2
  SHA1: 3416eddb0c8cbafae2130cb860f486bde635360d
  SHA256: bcd155b897044689ee8493f7e6b55410b5c52b83eeb805751b5c5a3c3c8260da
  SHA512: b6286388c3ccb5f200c708ea8460c9695d6f3a180c2e1d498adb9df2316b47a7ffe23415db787d05b159dfd8af40c627879c85249141ceae80597a926da40fc8