Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: 123 WHL (ASA route) SSHAS0123860.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: 123 WHL (ASA route) SSHAS0123860.exe
  Resource: win10v2004-20231127-en
General
Target: 123 WHL (ASA route) SSHAS0123860.exe
Size: 691KB
MD5: 52092f980201ffce0352e5126ed0bf43
SHA1: 919d960cad9c7495d253f741fe56000bfe11e938
SHA256: 54aecbaf7821c0ee087cae191865a7df8b58408efbaec7b96b6b0dda54efd32f
SHA512: ed8aa398d970628d7e5d759f0567d778eafac99807a70dde406bc0ecd1a1f57c5f13cbb7655053bb088fe81ea0b337becd9b598be49a71fbddd343b9249ed705
SSDEEP: 12288:fAcopox4QzSIGjRzgx1JtoZX8F8D0m3SqazJb+cgxWZqiwn4DbOKij:zeQSftg3Jto4eSqRcm/iw421
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.dynamicconsultinglogistics.ma
Port: 587
Username: [email protected]
Password: Laanaya@2022
Email To: [email protected]
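The extracted configuration is the exfiltration channel: SMTP submission to mail.dynamicconsultinglogistics.ma on port 587 (submission, normally STARTTLS) using the attacker's own mailbox, so stolen credentials leave as ordinary e-mail. The message bodies are not inspectable on the wire, but the DNS lookup and the TCP connection are, and a workstation has no business speaking SMTP to anything except the corporate relay. The Python below is an added example, not part of the sandbox report or the malware, that runs that hunt over constructed Zeek-style dns.log and conn.log lines; the relay address 10.0.0.25 and every IP other than the C2 hostname are assumptions.

```python
"""Hunt for the Agent Tesla SMTP exfiltration channel described by the
extracted config. Added example, not from the sandbox report or the malware.
Log lines are constructed Zeek-style records; every address except the C2
hostname is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional

C2_HOST = "mail.dynamicconsultinglogistics.ma"   # from the extracted config
SMTP_PORTS = {25, 465, 587}                       # 587 is the configured port
APPROVED_RELAYS = {"10.0.0.25"}                   # assumed corporate mail relay

# dns.log: ts, client, query, qtype, answer  (constructed)
DNS_LOG = """\
1701500000.100\t10.0.1.14\tmail.dynamicconsultinglogistics.ma\tA\t203.0.113.10
1701500001.200\t10.0.1.30\tupdate.example.test\tA\t198.51.100.7
"""
# conn.log: ts, orig_h, resp_h, resp_p, proto  (constructed)
CONN_LOG = """\
1701500000.300\t10.0.1.14\t203.0.113.10\t587\ttcp
1701500002.000\t10.0.0.25\t198.51.100.20\t25\ttcp
1701500003.000\t10.0.1.30\t198.51.100.7\t443\ttcp
1701500004.000\t10.0.1.31\t198.51.100.30\t465\ttcp
"""


@dataclass
class Finding:
    ts: float
    src: str
    dst: str
    port: int
    hostname: Optional[str]
    reason: str


def parse_dns(log: str) -> Dict[str, str]:
    """Passive-DNS view: answer IP -> queried name (last answer wins)."""
    ip_to_name: Dict[str, str] = {}
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, _client, qname, qtype, answer = line.split("\t")
        if qtype in ("A", "AAAA"):
            ip_to_name[answer] = qname.lower()
    return ip_to_name


def hunt_smtp_exfil(conn_log: str, dns_log: str) -> List[Finding]:
    """Flag SMTP connections: the configured C2 host is flagged for any source;
    any other direct SMTP from a host that is not the relay is flagged too."""
    ip_to_name = parse_dns(dns_log)
    findings: List[Finding] = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split("\t")
        port_n = int(port)
        if proto != "tcp" or port_n not in SMTP_PORTS:
            continue
        name = ip_to_name.get(dst)
        if name == C2_HOST:
            reason = "agenttesla-c2"             # destination from the config
        elif src in APPROVED_RELAYS:
            continue                             # the relay is expected to speak SMTP
        else:
            reason = "direct-smtp-from-endpoint"
        findings.append(Finding(float(ts), src, dst, port_n, name, reason))
    return findings


if __name__ == "__main__":
    for f in hunt_smtp_exfil(CONN_LOG, DNS_LOG):
        print(f"{f.src} -> {f.dst}:{f.port} ({f.hostname or 'unresolved'}) {f.reason}")
```

The C2 check runs before the relay allow-list on purpose: if the relay itself ever connected to the configured host, that is still a finding. The second rule is the generalisation worth keeping after this sample is forgotten, since Agent Tesla builds rotate mail hosts freely but the "endpoint speaks SMTP directly" pattern does not change.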
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (the sandbox signature describes it as written in Visual Basic). The configuration extracted above is the SMTP-exfiltration variant.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
These are the locations where Outlook 2013, the legacy Windows Messaging Subsystem and Outlook 2016+ keep account settings and stored credentials. The reads come from RegSvcs.exe, a signed .NET utility with no reason to touch them, because that process hosts the injected payload (see SetThreadContext below).

Adds Run key to start application (2 TTPs, 1 IoC)
Process: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\KLgJsl = "C:\\Users\\Admin\\AppData\\Roaming\\KLgJsl\\KLgJsl.exe"

Suspicious use of SetThreadContext (1 IoC)
Process: 123 WHL (ASA route) SSHAS0123860.exe
  PID 3052 set thread context of PID 2480 (RegSvcs.exe)
Together with the repeated WriteProcessMemory calls into PID 2480 listed below, this is the classic process-hollowing sequence (create the target suspended, overwrite its image, SetThreadContext, resume), of which the sandbox records the write and thread-context steps. The stealer therefore runs under a Microsoft-signed RegSvcs.exe image.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: 123 WHL (ASA route) SSHAS0123860.exe (PID 3052, 3 events), powershell.exe (PID 2264), powershell.exe (PID 2876), RegSvcs.exe (PID 2480, 2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 3052  123 WHL (ASA route) SSHAS0123860.exe
  Token: SeDebugPrivilege  PID 2264  powershell.exe
  Token: SeDebugPrivilege  PID 2876  powershell.exe
  Token: SeDebugPrivilege  PID 2480  RegSvcs.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Process: 123 WHL (ASA route) SSHAS0123860.exe (PID 3052)
  wrote to memory of PID 2876 (powershell.exe): 4 events
  wrote to memory of PID 2264 (powershell.exe): 4 events
  wrote to memory of PID 1428 (schtasks.exe): 4 events
  wrote to memory of PID 2480 (RegSvcs.exe): 12 events
The handful of writes into the PowerShell and schtasks children accompany ordinary process creation; the twelve writes into RegSvcs.exe are the payload being mapped into the hollowed process.

outlook_office_path (1 IoC)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe  (level 1, PID 3052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 2, PID 2876)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 2, PID 2264)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IWrcfjTZglaJYu.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (level 2, PID 1428)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IWrcfjTZglaJYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA2C5.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (level 2, PID 2480)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Reading the tree: the dropper is a 32-bit binary (the System32 paths in its command lines are redirected to SysWOW64, and it uses the 32-bit Framework build of RegSvcs.exe, matching the arch:x86 tag). It first tries to exclude itself and its intended copy %APPDATA%\IWrcfjTZglaJYu.exe from Defender; the Defender PowerShell module is not part of Windows 7, so on this image those two calls cannot have taken effect, but the command lines remain the detection artifact. It then installs a scheduled task "Updates\IWrcfjTZglaJYu" from an XML file written to %TEMP%, and finally launches RegSvcs.exe with no arguments and hollows it. The Run key KLgJsl under a different name is written from inside RegSvcs.exe, i.e. by the injected Agent Tesla payload rather than by the loader, so there are two independent persistence paths to remove.
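Every behaviour in the tree above is visible in ordinary endpoint telemetry except the Outlook registry reads (those are key opens, which Sysmon does not log; the sandbox sees them through API hooking). The Python below is an added example, not from the sandbox or any vendor, that encodes the four remaining behaviours as rules over constructed Sysmon-style events (EventID 1 process create, EventID 13 registry value set) and ties each hit back to the dropper. The explorer.exe parent, the ParentProcessId values and the two benign control events are assumptions; the paths, PIDs and command lines of the malicious events are taken from the tree.

```python
"""Detection logic for the behaviours in the process tree above, run over
constructed Sysmon-style events (EventID 1 = process create, 13 = registry
value set). Added example, not from the sandbox. The explorer.exe parent of the
dropper, the ParentProcessId values and the two benign control events are
assumptions; the Outlook profile reads are key opens, which Sysmon does not
log, so they are not covered here."""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SID = "S-1-5-21-2185821622-4133679102-1697169727-1000"

EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 3052, "ParentProcessId": 1234, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},   # parent assumed
    {"EventID": 1, "ProcessId": 2876, "ParentProcessId": 3052, "Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2264, "ParentProcessId": 3052, "Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"{PS_CMD}" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\IWrcfjTZglaJYu.exe"'},
    {"EventID": 1, "ProcessId": 1428, "ParentProcessId": 3052, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\IWrcfjTZglaJYu" /XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA2C5.tmp"'},
    {"EventID": 1, "ProcessId": 2480, "ParentProcessId": 3052, "Image": REGSVCS, "ParentImage": SAMPLE,
     "CommandLine": f'"{REGSVCS}"'},
    {"EventID": 13, "ProcessId": 2480, "Image": REGSVCS,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\KLgJsl",
     "Details": r"C:\Users\Admin\AppData\Roaming\KLgJsl\KLgJsl.exe"},
    # Benign controls (assumed): an installer registering a COM+ assembly, and a
    # task imported from Program Files. Neither should fire.
    {"EventID": 1, "ProcessId": 5001, "ParentProcessId": 5000,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'RegSvcs.exe "C:\Program Files\Vendor\Component.dll"'},
    {"EventID": 1, "ProcessId": 5002, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'},
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Drop the (possibly quoted) image token; return what is left."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.split(" ", 1)[1].strip() if " " in s else ""


def run_rules(events: List[Dict]) -> List[Dict]:
    hits: List[Dict] = []

    def hit(rule: str, technique: str, ev: Dict) -> None:
        hits.append({"rule": rule, "technique": technique, "pid": ev["ProcessId"]})

    for ev in events:
        if ev["EventID"] == 1:
            img, cmd, parent = basename(ev["Image"]), ev["CommandLine"], ev["ParentImage"]
            # T1562.001: Defender exclusion added from a command line.
            if img in ("powershell.exe", "pwsh.exe") and re.search(r"add-mppreference.*-exclusion", cmd, re.I):
                hit("defender_exclusion", "T1562.001", ev)
            # T1053.005: task imported from an XML in a user-writable location.
            if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                m = re.search(r'/xml\s+"?([^"]+)', cmd, re.I)
                if m and USER_WRITABLE.search(m.group(1)):
                    hit("schtasks_xml_user_path", "T1053.005", ev)
            # T1055.012: .NET utility with no arguments, or spawned by something
            # running from a user-writable path: the usual hollowing host.
            if img in DOTNET_HOSTS and (not arguments(cmd) or USER_WRITABLE.search(parent)):
                hit("dotnet_util_hollow_host", "T1055.012", ev)
        elif ev["EventID"] == 13:
            # T1547.001: Run/RunOnce value pointing into a user-writable path.
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev.get("Details", "")):
                hit("run_key_user_path", "T1547.001", ev)
    return hits


def root_pid(events: List[Dict], pid: int) -> int:
    """Walk ParentProcessId links up to the oldest process we hold a create event for."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


if __name__ == "__main__":
    for h in run_rules(EVENTS):
        print(f"{h['rule']:24} {h['technique']}  pid={h['pid']}  root={root_pid(EVENTS, h['pid'])}")
```

The hollowing-host rule fires on either signal (no arguments, or a parent in a user-writable path) because real deployments see both shapes; the benign RegSvcs.exe event shows why the combination matters, since a vendor installer legitimately calls the same utility, with an assembly path, from Program Files. Correlating every hit to the same root PID is what turns five medium-confidence rules into one high-confidence incident.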
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not recorded on the page)
Filesize: 1KB
MD5: a1464f6a2cba82aabc014b0765854f21
SHA1: e31afa29a58a6918599c950e341cb546cb55f75c
SHA256: a1955f442ecb0b03873374d0e80b222522963f82a383ed7d8af30840cd9ffe64
SHA512: e7bc2dbfa22cfd05b5eb22cfbda17d6f738ba76cc32da88ed3c6142bd184d06d88753f47818dcb1265d5a4a5117c049f557a9ffcb0f98f6beff1deac701bd64b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A72GBHSRUUHIBIPSCWAX.temp
Filesize: 7KB
MD5: 16d01f3edbdbef36bff9b0280d61d573
SHA1: 2a22af885fba9cb9dc7d80b3a4e9d49c18d61908
SHA256: da1aae31310e3d5a6968d8cdec702590953cb80748b5f6ac2071a2c52531b952
SHA512: 70e2de44df8d7bc338e2da3c529272370f83550cfe14256d94285301f23df54db9a56f4ccc56bba0571baf6109fb0cd6d594911e14b55698d541555de85b1139

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 16d01f3edbdbef36bff9b0280d61d573
SHA1: 2a22af885fba9cb9dc7d80b3a4e9d49c18d61908
SHA256: da1aae31310e3d5a6968d8cdec702590953cb80748b5f6ac2071a2c52531b952
SHA512: 70e2de44df8d7bc338e2da3c529272370f83550cfe14256d94285301f23df54db9a56f4ccc56bba0571baf6109fb0cd6d594911e14b55698d541555de85b1139

The two CustomDestinations entries have identical content: they are Windows jump-list files of the kind typically written when PowerShell runs, not payloads dropped by the malware, so their hashes are forensic artifacts of the PowerShell launches rather than indicators of the sample. The files the dropper intends to write (%APPDATA%\IWrcfjTZglaJYu.exe and %APPDATA%\KLgJsl\KLgJsl.exe, per the Defender exclusion and the Run key) do not appear in this list.