Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02-12-2023 10:13
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe
Resource
win10v2004-20231130-en
General
-
Target
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe
-
Size
925KB
-
MD5
4df93d338035c6e7d9b2b17c0e38ca26
-
SHA1
107c8691d7483f3a1c3f1d0628ff7cb7c5ce07e5
-
SHA256
506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb
-
SHA512
e829986ab8bb4ea5a979e35cca217fb1e40e6cd4f205dc42b91d015f88bd798e3436b374c51f4ce7adbe5c4d3cc42456d00cf1c9762cd8234986030561ad93d1
-
SSDEEP
12288:2vNIAMRwaeCuGyPGoOz8dcn39o3l5LEmos8x93nT6WP7r9r/+ppppppppppppppZ:6/bCFy6NCgx393+W1q
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
29ftOO+6H-ivsG5A - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exedescription pid process target process PID 2264 set thread context of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exepowershell.exepowershell.exeRegSvcs.exepid process 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe 2464 powershell.exe 1804 powershell.exe 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe 2608 RegSvcs.exe 2608 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exepowershell.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 1804 powershell.exe Token: SeDebugPrivilege 2608 RegSvcs.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exedescription pid process target process PID 2264 wrote to memory of 2464 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 2464 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 2464 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 2464 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 1804 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 1804 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 1804 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 1804 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe powershell.exe PID 2264 wrote to memory of 2636 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe schtasks.exe PID 2264 wrote to memory of 2636 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe schtasks.exe PID 2264 wrote to memory of 2636 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe schtasks.exe PID 2264 wrote to memory of 2636 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe schtasks.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe PID 2264 wrote to memory of 2608 2264 NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.506acfc8470cafd586c92601b39e4c6993d78c57da5d68740afaee1959681dcb.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iofnWdGUBoIjj.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iofnWdGUBoIjj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47BA.tmp"2⤵
- Creates scheduled task(s)
PID:2636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50a5251a1b08fce7f5b99d967fc4f9cbf
SHA15f5039727a919a515982a3700f94cc5b2e69fd95
SHA2560ed41dbbeeee4ca179520a8c3a1d54eff0126b6e4d6871de7cffdb66c1cac638
SHA512b5d9fde22968f8d5bd3649926eb0c7e72d316c8be55a451cd1957e231135fa012e5fa921fac51a82696d429712ef56665c93a0c0ca5e3079b0da759774926534
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\007FYWA93QFCPQEEU2Q6.temp
Filesize7KB
MD55102ba998455dda3517b33a9328741e8
SHA1859f4f13115fc759cb8aa4347c1b65d93abd4b02
SHA25646b9fb7ba56f599150935f8d9fbaeffb0022a4a4323c700fcffbb225f5450d09
SHA512f6d51b65b3e350a4cb18a795203d6313c127c13e5f4e82a289f17b115daf49f6ba8abb8c785dddfedb6f54ba10caef52b324376e864e098d988e4c86907a0360
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD55102ba998455dda3517b33a9328741e8
SHA1859f4f13115fc759cb8aa4347c1b65d93abd4b02
SHA25646b9fb7ba56f599150935f8d9fbaeffb0022a4a4323c700fcffbb225f5450d09
SHA512f6d51b65b3e350a4cb18a795203d6313c127c13e5f4e82a289f17b115daf49f6ba8abb8c785dddfedb6f54ba10caef52b324376e864e098d988e4c86907a0360