Analysis
- max time kernel: 40s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2023 17:32
Static task: static1
Behavioral task: behavioral1
- Sample: YUSVPayment.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: YUSVPayment.exe
- Resource: win10v2004-20231127-en
General
- Target: YUSVPayment.exe
- Size: 841KB
- MD5: c9586b5ef698248e11c6fc904ccd1e6d
- SHA1: 3b2246ad338738d2d1dba1cbc7a751091149d338
- SHA256: cde4e54eecb8d93a3bf01b328a33b998ef032becee8b0e375225cbce85c4a548
- SHA512: 114c617845d7061047db47893357e96703d70f576b4cd6d3c9822e94537a6efe8cea56babb22dae0181a0238b7595a49226780113810ad992a4bf1d2da38a2c9
- SSDEEP: 24576:3MPBrU7n0K+4iAVilgobPwXGYfpBhtD/:S1Ug54xQlJc2Y3
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  - YUSVPayment.exe: description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation; process: YUSVPayment.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  - YUSVPayment.exe: pid 5072, process YUSVPayment.exe (11 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  - YUSVPayment.exe: description: Token: SeDebugPrivilege; pid: 5072; process: YUSVPayment.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
  PID: 5072
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\smltCUtWNLO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFDC.tmp"
    PID: 2664
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
    PID: 2816
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\smltCUtWNLO.exe"
    PID: 2232
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
    PID: 3480
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: 68760c476180677a261333940384d36f
  SHA1: 275e16e185818c80a9efbd8b96f33ae33c6f9601
  SHA256: a6f2e64be81da6585fbb66607a05be7477047344cec3b5f1fa8615b38fdb43da
  SHA512: b27dce7a32926419ede1ca22bae1b28378a661efbe2c63720dc2d4c9ed9864404f9988cbc3c51398d716c14128629d378b61b9a4784db3e71df3ece7c276fb86
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: e47c8c1587bea8cc7e713659d14ca6bd
  SHA1: 27005c2e20dfff24f55458d89dd95296c2e2ccf1
  SHA256: b678b7515435522f7dfb5fa44ad28a20b935db9a1856c48ca48c5207207ab59a
  SHA512: 4c7517d8166313bf1f57545ff8b76dc5a5a7a7e3cdc42e12ee4040a63c7d0ee9ff4efcb934ade769cb1d54c12175bb1c04437ced90c6bdecdb4b314d93087a93