Analysis
- max time kernel: 146s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2023 07:36
Static task: static1
Behavioral task: behavioral1
- Sample: 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
- Resource: win10v2004-20231127-en
General
- Target: 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
- Size: 645KB
- MD5: c05ec2b49ef0eca110f46b3cd6c6bc9c
- SHA1: b576618b370fcdd50686873430ae672aeeec981c
- SHA256: 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b
- SHA512: ddb547298322ab7dbca8265f8f376467e12327300ff6cb9c666910dfc8abee690c3f4b428aeffa1a3ad9f209fe52119e482d65d93d9ba377e8f4bb5980dcb61a
- SSDEEP: 12288:b+8XG5SFEyclCv8epb+k/35QM9pn3yK/ASiTZTES9+aTyDQTyx:b+8BFslS8ep4M9Z3yK/A1TZASwaTkQTu
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.appareljonebd.com
- Port: 587
- Username: [email protected]
- Password: #Admin@1122
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Loads dropped DLL (1 IoC)
  Processes: PID 2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 10 api.ipify.org; flow 11 api.ipify.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: PID 2780 msbuild.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe; PID 2780 msbuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2412 (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe) set thread context of PID 2780 (msbuild.exe)
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\chondriome\apotekerdisciplenes.lnk (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe)
  File opened for modification: C:\Windows\Kogekunsters227\arnement.ini (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe)
  File opened for modification: C:\Windows\Fonts\buskvksterne.ini (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe)
  File created: C:\Windows\Fonts\nabogrunde\sedimentarily.lnk (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 2780 msbuild.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2780 msbuild.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2412 (5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe) wrote to memory of PID 2780 (msbuild.exe), 6 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe"
   PID: 2412
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (child process)
      Command line: "C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe"
      PID: 2780
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads