Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 02:25
Static task
static1
Behavioral task
behavioral1
Sample
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
Resource
win10v2004-20231127-en
General
-
Target
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
-
Size
676KB
-
MD5
86c92625a06644590f8f93f6aa5669db
-
SHA1
eceab13ad2b687af069dd80a60f714dd345d019c
-
SHA256
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876
-
SHA512
2f04e694216d52ee2ccab165067d14641993d1fc770736d8a813e8cdff82729e1eefc5e8945b6dfd65e9166ba227139b1c35c3742e3e56bcdd5f4392e3a5957d
-
SSDEEP
12288:4v26JAeIIn3gXWRadHKP5jaLEPkyndhv0x5blcAciPGK:G26JA4MW+KP5jaLEHndhvY53DG
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
29ftOO+6H-ivsG5A - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exedescription pid process target process PID 4732 set thread context of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4860 64 WerFault.exe RegSvcs.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exepowershell.exepowershell.exeRegSvcs.exepid process 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4316 powershell.exe 632 powershell.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe 64 RegSvcs.exe 64 RegSvcs.exe 632 powershell.exe 4316 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exepowershell.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe Token: SeDebugPrivilege 4316 powershell.exe Token: SeDebugPrivilege 632 powershell.exe Token: SeDebugPrivilege 64 RegSvcs.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exedescription pid process target process PID 4732 wrote to memory of 632 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 632 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 632 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 4316 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 4316 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 4316 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe powershell.exe PID 4732 wrote to memory of 3716 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe schtasks.exe PID 4732 wrote to memory of 3716 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe schtasks.exe PID 4732 wrote to memory of 3716 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe schtasks.exe PID 4732 wrote to memory of 3216 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 3216 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 3216 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 3940 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 3940 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 3940 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe PID 4732 wrote to memory of 64 4732 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dUtDhaePto.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUtDhaePto" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB3D.tmp"2⤵
- Creates scheduled task(s)
PID:3716 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:3216
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:3940
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 14203⤵
- Program crash
PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 64 -ip 641⤵PID:4256
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5fb70d01e4e545da7c5624ebae8d57d3b
SHA1b8f49749d7db5861a11d2b15895ca4f54fa7ca77
SHA256dd29a36158b81fa3bf406b3e5c0054500eeab4f157a9e769ac1c61b81c0b771a
SHA512c74ca8b42cd79ff0657af3e3ce4c75d9c4c6a9252615e8529c0b970d6de17ced3ebc26de4b202ab9c74952c1d2a2cd66cbc350e8ad0d499c8edd8b6ab201a0b2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5349e096f819e74cbe24adf2866f7d888
SHA10e2e8f219e68d41343d61c4fb9382a15aedbda5d
SHA256d0fae1ad38ef1bf5565f0a347ba6ab2626c3f8bd5b5ab0b859660db50e000c11
SHA512265bb3af6fb7ff2318460caea6bb90963a8879e82b335f499a775abd4f98aaf6ac3d17b4be9d9c52f7b5b37085cfbcb2f6ae588219ffaa52a1a4c66dde7bb042