Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2023 16:55

Static task: static1

Behavioral task: behavioral1
- Sample: STATEMENTOFACCOUNT.pdf.exe
- Resource: win7-20231201-en

Behavioral task: behavioral2
- Sample: STATEMENTOFACCOUNT.pdf.exe
- Resource: win10v2004-20231127-en
General
- Target: STATEMENTOFACCOUNT.pdf.exe
- Size: 909KB
- MD5: 0167b00f658c04b84b22927a449106eb
- SHA1: 177e099d9470f371f53d063b9c68703cde2b6977
- SHA256: 1fa497fd2ea5004a12f885d7dac2b47c0494aae2fbe45eb70f96a7f3bb03cbd1
- SHA512: d4bc3736404708398349efb8f190887c48d7d06f86115a2a51ebd030fea031230892e86614aff3a2bcd75c4fa67d902cfd1ed72a960e7dc41e68f99219d2253f
- SSDEEP: 24576:9Tm4Qyr3+0Dda+2GBxy0QbiU+XL9XKMvO:xm4Y0DtvBQbL8LT
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail5.planetc.net
- Port: 587
- Username: [email protected]
- Password: 623434@esit
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 2, ioc api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1988 (STATEMENTOFACCOUNT.pdf.exe) set thread context of PID 2580 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 1988 STATEMENTOFACCOUNT.pdf.exe (4 events), 2672 powershell.exe (1 event), 2812 powershell.exe (1 event), 2580 RegSvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (Token: SeDebugPrivilege): 1988 STATEMENTOFACCOUNT.pdf.exe, 2672 powershell.exe, 2812 powershell.exe, 2580 RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: PID 1988 (STATEMENTOFACCOUNT.pdf.exe) wrote to memory of:
  - 2672 powershell.exe (4 events)
  - 2812 powershell.exe (4 events)
  - 2844 schtasks.exe (4 events)
  - 2580 RegSvcs.exe (12 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\STATEMENTOFACCOUNT.pdf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENTOFACCOUNT.pdf.exe"
  PID: 1988
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENTOFACCOUNT.pdf.exe"
    PID: 2672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gbEFiipzn.exe"
    PID: 2812
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gbEFiipzn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp628A.tmp"
    PID: 2844
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a58c206e6d8e365a0203e5aed2d6322a
  SHA1: 5c1f1ffa70f50b0bee25edb5c43fc51954ed5105
  SHA256: 5c6fac2413356a987de55b20ee1238cb2e799ec3caa355546d8bdb5d04f0aa62
  SHA512: 6a1b06f6ebd99b51750184905df26c8633ee73a822a725cfcb0578bf2609701e37ee6d5bb4970469e2783dc50d22c54d205f963e4fbd4fd00f99790b82a3fcca
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a61e4dc3c218188abb6eda32a2a2c405
  SHA1: 9fe5983597bcdd29de7a5701ba94649ee607c012
  SHA256: 23bdf3bc3562982300969d5fb6941bc3b72d62a60294e7a40a9a2f631ae2819b
  SHA512: 4b40d629799f51ced95da404a584ef97631441ffcd2fa82a552e051db477a8141825a9aa301a00de4dfe168cbde78c22b5d7aa0dce8a7c265fa11bb8a560f707