Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
- Resource: win10v2004-20231130-en
General
- Target: 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
- Size: 679KB
- MD5: 9a8f8bc5c73734093c89e6e901876684
- SHA1: b79847a118253f7b1ba318184a0cdf0a7cc6beef
- SHA256: 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009
- SHA512: f1467741412654b057c74f9400ae7727ab711af16dcb72028c34c6872043188953b781e3197c8c2d72093b250b329930f90d6f9e9986e82f77573b95bae8622f
- SSDEEP: 12288:oYE6jD/LiDIGncNeiA1lkC3A+j+PmdFxKQnSK1ZpvzbqxlmdzWENz:5tD/a3iQ8mXhjixlmdWEN
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: www.premier-bkk.com
- Port: 587
- Username: [email protected]
- Password: R2USmt6P
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1680 set thread context of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    2636 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    2636 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    3068 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    Token: SeDebugPrivilege | 2636 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    Token: SeDebugPrivilege | 3068 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    2636 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
    PID 1680 wrote to memory of 3068 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | powershell.exe
    PID 1680 wrote to memory of 3068 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | powershell.exe
    PID 1680 wrote to memory of 3068 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | powershell.exe
    PID 1680 wrote to memory of 3068 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | powershell.exe
    PID 1680 wrote to memory of 2124 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | schtasks.exe
    PID 1680 wrote to memory of 2124 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | schtasks.exe
    PID 1680 wrote to memory of 2124 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | schtasks.exe
    PID 1680 wrote to memory of 2124 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | schtasks.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    PID 1680 wrote to memory of 2636 | 1680 | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe | 7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\naAsrlkoNLhAiZ.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3068
  - Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\naAsrlkoNLhAiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EAC.tmp"
    Signatures:
    - Creates scheduled task(s)
    PID: 2124
  - Level 2: C:\Users\Admin\AppData\Local\Temp\7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7d9526b010f995053419a629cec2bc62574b3e0eea8e41a92ce6dda68122f009.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 74d114af659443b5a40d50edbf064a53
- SHA1: 382ef4cf3ff7e4d14c5c80678c71e9119e3a9125
- SHA256: fe65d49a8d5293921394bb38b35e8daa9ef17a9901f8654f6ec2a64e659dbb3f
- SHA512: 4baa863df2dba3c5fbf0d1916c26390e6372e349c17896e3a0ce05524b7a24af137756e8ec3a4453cbc7e5ad9ba0413946f3d325f290c037b2fe660ebf6d3527