Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2023 07:39
Static task: static1
Behavioral task: behavioral1
- Sample: 123 WHL (ASA route) SSHAS0123860.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: 123 WHL (ASA route) SSHAS0123860.exe
- Resource: win10v2004-20231127-en
General
- Target: 123 WHL (ASA route) SSHAS0123860.exe
- Size: 691KB
- MD5: 52092f980201ffce0352e5126ed0bf43
- SHA1: 919d960cad9c7495d253f741fe56000bfe11e938
- SHA256: 54aecbaf7821c0ee087cae191865a7df8b58408efbaec7b96b6b0dda54efd32f
- SHA512: ed8aa398d970628d7e5d759f0567d778eafac99807a70dde406bc0ecd1a1f57c5f13cbb7655053bb088fe81ea0b337becd9b598be49a71fbddd343b9249ed705
- SSDEEP: 12288:fAcopox4QzSIGjRzgx1JtoZX8F8D0m3SqazJb+cgxWZqiwn4DbOKij:zeQSftg3Jto4eSqRcm/iw421
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dynamicconsultinglogistics.ma
- Port: 587
- Username: [email protected]
- Password: Laanaya@2022
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 123 WHL (ASA route) SSHAS0123860.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation (process: 123 WHL (ASA route) SSHAS0123860.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLgJsl = "C:\\Users\\Admin\\AppData\\Roaming\\KLgJsl\\KLgJsl.exe" (process: RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 123 WHL (ASA route) SSHAS0123860.exe
  PID 2604 set thread context of 5004: 123 WHL (ASA route) SSHAS0123860.exe -> RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: 123 WHL (ASA route) SSHAS0123860.exe, powershell.exe, powershell.exe, RegSvcs.exe
  pid / process, in order of occurrence: 2604 123 WHL (ASA route) SSHAS0123860.exe; 2604 123 WHL (ASA route) SSHAS0123860.exe; 1416 powershell.exe; 2408 powershell.exe; 2604 123 WHL (ASA route) SSHAS0123860.exe; 2604 123 WHL (ASA route) SSHAS0123860.exe; 2604 123 WHL (ASA route) SSHAS0123860.exe; 5004 RegSvcs.exe; 5004 RegSvcs.exe; 2408 powershell.exe; 1416 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 123 WHL (ASA route) SSHAS0123860.exe, powershell.exe, powershell.exe, RegSvcs.exe
  Token SeDebugPrivilege: 2604 123 WHL (ASA route) SSHAS0123860.exe
  Token SeDebugPrivilege: 1416 powershell.exe
  Token SeDebugPrivilege: 2408 powershell.exe
  Token SeDebugPrivilege: 5004 RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 123 WHL (ASA route) SSHAS0123860.exe
  PID 2604 wrote to memory of 2408: 123 WHL (ASA route) SSHAS0123860.exe -> powershell.exe (3 events)
  PID 2604 wrote to memory of 1416: 123 WHL (ASA route) SSHAS0123860.exe -> powershell.exe (3 events)
  PID 2604 wrote to memory of 4280: 123 WHL (ASA route) SSHAS0123860.exe -> schtasks.exe (3 events)
  PID 2604 wrote to memory of 3188: 123 WHL (ASA route) SSHAS0123860.exe -> RegSvcs.exe (3 events)
  PID 2604 wrote to memory of 5004: 123 WHL (ASA route) SSHAS0123860.exe -> RegSvcs.exe (8 events)
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe (depth 1, PID 2604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2408)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123 WHL (ASA route) SSHAS0123860.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1416)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IWrcfjTZglaJYu.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4280)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IWrcfjTZglaJYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC49.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 3188)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 5004)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads