Analysis
- max time kernel: 107s
- max time network: 90s
- platform: windows11-21h2_x64
- resource: win11-20231128-en
- resource tags: arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-12-2023 02:43
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win11-20231128-en
General
- Target: tmp.exe
- Size: 644KB
- MD5: 219492f049fb6d224dc912fb1de2d515
- SHA1: ecfbfb5a6714032f4c811601bf8146c1f580b58f
- SHA256: 6d3e0f4b400eeb388c288d1151c5051224f99497a522424f60d9cdcc63157cab
- SHA512: 7f7cf112ff91e0634728a42937051326c5810ef1fbf1b3b9e8a6847b9f34f2ebdb765e046ee4b61f6d286e75ada5cfd4db45eb876e2eb61e8ca9309844ee2878
- SSDEEP: 12288:8K361h61EWGqLia/AsN3xoiFyit3+hBSEvowv409EVjbEQ8q61:8vY7GUiasSnt3qBSE1ejbEQ8v
Malware Config
Extracted (agenttesla):
- Protocol: smtp
- Host: mail.evantelamin.top
- Port: 587
- Username: [email protected]
- Password: =&8=7!eO;gm@
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | process | target process):
- PID 4688 set thread context of 3144 | 4688 | tmp.exe | tmp.exe
- PID 1316 set thread context of 2268 | 1316 | tmp.exe | tmp.exe
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-2419339351-1576266894-3530880589-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid | process):
- 4688 | tmp.exe
- 4688 | tmp.exe
- 3144 | tmp.exe
- 3144 | tmp.exe
- 2268 | tmp.exe
- 2268 | tmp.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 4688 | tmp.exe
- Token: SeDebugPrivilege | 3144 | tmp.exe
- Token: SeDebugPrivilege | 2268 | tmp.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
- 4744 | MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description | pid | process | target process):
- PID 4688 wrote to memory of 2412 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 2412 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 2412 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 4688 wrote to memory of 3144 | 4688 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
- PID 1316 wrote to memory of 2268 | 1316 | tmp.exe | tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 4688
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 2412
  - Child: C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 3144
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 4744
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4824
- C:\Users\Admin\Desktop\tmp.exe
  Command line: "C:\Users\Admin\Desktop\tmp.exe"
  PID: 1316
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\Desktop\tmp.exe
    Command line: "C:\Users\Admin\Desktop\tmp.exe"
    PID: 2268
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 2de4f487458ea21fe096352cd17cc6e5
- SHA1: 80abf2ba958dc9c4594a02a903d9f4021f6a9bcb
- SHA256: 80ceff0f78098a7cb4f64e19ff26ac298a3664a82c59dfb117aa81a5505aeb2e
- SHA512: f1bab93dce713a9d3c833da82f74ce796619e0565099ccb5f52a89042f49dad32e2c0a58ff92c8e30598c4d13e55e51d897a39b64a480c9381161612d274d842