Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2023 10:22
Static task: static1
Behavioral task: behavioral1
- Sample: PO. No. 5500371145.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: PO. No. 5500371145.exe
- Resource: win10v2004-20231127-en
General
- Target: PO. No. 5500371145.exe
- Size: 678KB
- MD5: 7f4f6e3789449c78b61f26d679cf5a2f
- SHA1: 377ca37dcf869dbc2c6207a4dd383f85b9f6b65d
- SHA256: 5ff36a084b23be3de1baeb6953f2d0488d8f1ea257d1b83d64ad8fb64bc8dc39
- SHA512: b9c614984dd6ff1ef21874b8fde9eaedb14d9afe59e4c3c3525eff8212d4f7424366f5c5e95dc004fd9cf7e6bac29e8117b13174ba9ad6e3e9740612c08f4f47
- SSDEEP: 12288:GCB0JiIeS0K36xgYG86Ox2nzNwqIH2kGX3DwxV7ccqidnuB/LhYcvwfqIrs9:l0Jis36aYv6Ox2xkGaxqFmcxa
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.scorpionlogistics.qa
- Port: 587
- Username: [email protected]
- Password: M30009637
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PO. No. 5500371145.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe" | PO. No. 5500371145.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PO. No. 5500371145.exe
  description | pid | process | target process
  PID 2580 set thread context of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: PO. No. 5500371145.exe, PO. No. 5500371145.exe, powershell.exe, powershell.exe
  pid | process
  2580 | PO. No. 5500371145.exe
  2580 | PO. No. 5500371145.exe
  2580 | PO. No. 5500371145.exe
  2580 | PO. No. 5500371145.exe
  2580 | PO. No. 5500371145.exe
  2580 | PO. No. 5500371145.exe
  772 | PO. No. 5500371145.exe
  772 | PO. No. 5500371145.exe
  2756 | powershell.exe
  2820 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: PO. No. 5500371145.exe, PO. No. 5500371145.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2580 | PO. No. 5500371145.exe
  Token: SeDebugPrivilege | 772 | PO. No. 5500371145.exe
  Token: SeDebugPrivilege | 2756 | powershell.exe
  Token: SeDebugPrivilege | 2820 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PO. No. 5500371145.exe
  pid | process
  772 | PO. No. 5500371145.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: PO. No. 5500371145.exe
  description | pid | process | target process
  PID 2580 wrote to memory of 2756 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2756 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2756 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2756 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2820 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2820 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2820 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2820 | 2580 | PO. No. 5500371145.exe | powershell.exe
  PID 2580 wrote to memory of 2584 | 2580 | PO. No. 5500371145.exe | schtasks.exe
  PID 2580 wrote to memory of 2584 | 2580 | PO. No. 5500371145.exe | schtasks.exe
  PID 2580 wrote to memory of 2584 | 2580 | PO. No. 5500371145.exe | schtasks.exe
  PID 2580 wrote to memory of 2584 | 2580 | PO. No. 5500371145.exe | schtasks.exe
  PID 2580 wrote to memory of 696 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 696 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 696 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 696 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
  PID 2580 wrote to memory of 772 | 2580 | PO. No. 5500371145.exe | PO. No. 5500371145.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
  Depth: 1
  PID: 2580
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
    Depth: 2
    PID: 2756
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mKYYhRtPkmXrC.exe"
    Depth: 2
    PID: 2820
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKYYhRtPkmXrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB90.tmp"
    Depth: 2
    PID: 2584
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
    Depth: 2
    PID: 696
  - C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
    Depth: 2
    PID: 772
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6c9b33ac77657bb5872b2b119363934c
  SHA1: 75cba89ba62faef173b9b0f7d043aaaf8877dad8
  SHA256: e71767bf9ce0fe8f60beb2b04aa95dae4b54cf716c66d6c84dab51921600a002
  SHA512: dba5d6889658ebc6c989cdb451632e70fb55e76f77e4cb30c2249eb4bfec7ddc52b6cd6bae0f5f08c93390d55dddac0190f71ea9af39cabd6eb48ca00a4200e1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SA7HLTGJG1UBB0OTRFSS.temp
  Filesize: 7KB
  MD5: 6b31f0680b6d27f3e34f38b3e60e66b5
  SHA1: 236bb0fccd5474342962268c71847deacdf23591
  SHA256: dd5dbb2eecc9ab5bd179764d3e3b989ed3308c9b59ed52a11de0bf15b94a19e2
  SHA512: defdd55b79cbb65e407bd87db8f3bd7f914e401ff53c176a4cb87057f314786a1dfd6e9881498eafc6b319bad554efa92150049b1d3b3e52c4742b7136d5e772
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 6b31f0680b6d27f3e34f38b3e60e66b5
  SHA1: 236bb0fccd5474342962268c71847deacdf23591
  SHA256: dd5dbb2eecc9ab5bd179764d3e3b989ed3308c9b59ed52a11de0bf15b94a19e2
  SHA512: defdd55b79cbb65e407bd87db8f3bd7f914e401ff53c176a4cb87057f314786a1dfd6e9881498eafc6b319bad554efa92150049b1d3b3e52c4742b7136d5e772