Analysis
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231201-en
resource tags
arch:x64 arch:x86 image:win7-20231201-en locale:en-us os:windows7-x64 system
submitted
02-12-2023 02:32
Static task
static1
Behavioral task
behavioral1
Sample
06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
Resource
win10v2004-20231130-en
General
Target
06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
Size
622KB
MD5
ee58f332b2d27a1bdd8b0de098e6165c
SHA1
d0e9ec92594ef432758e63ab31f7751872c3573c
SHA256
06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b
SHA512
b9c1c84fad01332771dcdb26c833705eac7e0ec5aed399414e4c4f93a241907279415d2e1dd3acfccd8a9f042918f598377e1138ed87995fa6a2d9b4b13b517f
SSDEEP
12288:IqfLYYZXTyX0Tp+fkI5/Gh/tDpWNIIe8frsBP3MKJBPeaHwxX:bXTD+fkjDp+IIeOI539JBPLQ
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6462317492:AAGRLAwoTiA42PAg_wJuGwDb61KKicShMe4/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1240 set thread context of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2816 | powershell.exe
2020 | powershell.exe
2612 | RegSvcs.exe
2612 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2816 | powershell.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 2612 | RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2612 | RegSvcs.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description | pid | process | target process
PID 1240 wrote to memory of 2020 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2020 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2020 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2020 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2816 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2816 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2816 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2816 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | powershell.exe
PID 1240 wrote to memory of 2716 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | schtasks.exe
PID 1240 wrote to memory of 2716 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | schtasks.exe
PID 1240 wrote to memory of 2716 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | schtasks.exe
PID 1240 wrote to memory of 2716 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | schtasks.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
PID 1240 wrote to memory of 2612 | 1240 | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe | RegSvcs.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1240
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2020
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OwXxtNQRoml.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2816
  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OwXxtNQRoml" /XML "C:\Users\Admin\AppData\Local\Temp\tmp536D.tmp"
    - Creates scheduled task(s)
    PID: 2716
  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
29c8f3e0857295b2ac218e8e55571982
SHA1
a9ea36b881fa0360a79ca5585037be55662ba967
SHA256
d2f1775ba2c470d1c65fc10222b5a892e4d1fce6793c498a291610c862c414ba
SHA512
5c3563d82ceb19bb7b3c490f08db1c8ec9f3909171855005c8f079af755b1e9ce4ab9d2f2870c332d20a4b8b6a21bcbe4ebd2cdd0c48562ef3b19556f968dbc9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8H6HMBZAU6OPZYWYKH4D.temp
Filesize
7KB
MD5
212d88c02dcd3ae3ef88d72434250079
SHA1
27be53fb307edb2b74bc65c00dc0c94260a2f0d4
SHA256
6ac8c14554776126a1a9239c5850d4f7057c40867c6a44d00c1e8e395b97bfba
SHA512
cdf273a4f285d37092d5bf44b549c39d737acba17cdb1c3b73b7b27a3862166668edcf08b38a2d63cd3a41216c0f6205734b37e6d5ad6bccc2c8913469d6ef78

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
212d88c02dcd3ae3ef88d72434250079
SHA1
27be53fb307edb2b74bc65c00dc0c94260a2f0d4
SHA256
6ac8c14554776126a1a9239c5850d4f7057c40867c6a44d00c1e8e395b97bfba
SHA512
cdf273a4f285d37092d5bf44b549c39d737acba17cdb1c3b73b7b27a3862166668edcf08b38a2d63cd3a41216c0f6205734b37e6d5ad6bccc2c8913469d6ef78