Analysis

max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 02:58
Static task: static1

Behavioral task: behavioral1
  Sample: PDA STATEMENT.exe
  Resource: win7-20231025-en

Behavioral task: behavioral2
  Sample: PDA STATEMENT.exe
  Resource: win10v2004-20231127-en
General

Target: PDA STATEMENT.exe
Size: 517KB
MD5: 99e05e1f4c3726434476aedddfbe2e3d
SHA1: da507c4274759703aa25ca68b9cb01929c129663
SHA256: 031373e0c892da52577e9eb17ea541a7d874362c9845a3f36ce479c545624e5f
SHA512: 833328a134028f79afae86426a61abe7ecf1a29e2da39814f3087435d80d19418ffb176b237f9befbbb7f0146f4b7510777ebe35f21052b105b65589fc971186
SSDEEP: 12288:3GOA/39mIIvL16/WPRAlRHrvXKWdtaFKQ4J66:3GOA/t4jPRAlRLDnIk6
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: mail.adityagroup.co
Port: 587
Username: [email protected]
Password: Aditya!@#$%^
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
5 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
Processes: PDA STATEMENT.exe
description | pid | process | target process
PID 2596 set thread context of 2528 | 2596 | PDA STATEMENT.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: PDA STATEMENT.exe, powershell.exe, powershell.exe, RegSvcs.exe
pid | process | entries
2596 | PDA STATEMENT.exe | 10
2968 | powershell.exe | 1
2784 | powershell.exe | 1
2528 | RegSvcs.exe | 2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: PDA STATEMENT.exe, powershell.exe, powershell.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2596 | PDA STATEMENT.exe
Token: SeDebugPrivilege | 2968 | powershell.exe
Token: SeDebugPrivilege | 2784 | powershell.exe
Token: SeDebugPrivilege | 2528 | RegSvcs.exe

Suspicious use of WriteProcessMemory (31 IoCs)
Processes: PDA STATEMENT.exe
The report lists each write as a separate entry; identical entries are grouped here with a count.
description | pid | process | target process | entries
PID 2596 wrote to memory of 2784 | 2596 | PDA STATEMENT.exe | powershell.exe | 4
PID 2596 wrote to memory of 2968 | 2596 | PDA STATEMENT.exe | powershell.exe | 4
PID 2596 wrote to memory of 2312 | 2596 | PDA STATEMENT.exe | schtasks.exe | 4
PID 2596 wrote to memory of 2512 | 2596 | PDA STATEMENT.exe | RegSvcs.exe | 7
PID 2596 wrote to memory of 2528 | 2596 | PDA STATEMENT.exe | RegSvcs.exe | 12

outlook_office_path (1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe (PID 2596, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2784, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2968, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NCOjhNiQvr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2312, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCOjhNiQvr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6AB.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2512, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2528, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 722c6e4f0519bab2a20d839f43c3adbf
SHA1: 02d9e3eab4a09b97d76d2b6ec360e2d8fa552285
SHA256: 5c7deb900e88daabc3121a5d378d2e0d40a93bc4a9ff50fd64e0c6cd246d6fcf
SHA512: f2b3bce30551902b7f03b4b7123b751c0aa82a34ac6103ae8f91e0dc378ea32477d7790dff09091de7c8214579c82940162a406e19a8e89a2b51b22971b019dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WXQLW1BPTJIGNLPCW719.temp
Filesize: 7KB
MD5: 622e09a41e14c30edce818f37060bb2f
SHA1: c6fec47dfbd7ef48c7e9851f541089e24534cac8
SHA256: 5ffed66a1765846a55f60b1741ed97df1732da17c42c7a8bc127d36a4f5be9b9
SHA512: 28e58b30cd2978003ede544d9bd16645ef0e49b9aed9090f228c9df7c9cee38b6bc8d65ebe9c3fafcade96e243278480c8d5b31ce818d267a262e9cc12290706

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 622e09a41e14c30edce818f37060bb2f
SHA1: c6fec47dfbd7ef48c7e9851f541089e24534cac8
SHA256: 5ffed66a1765846a55f60b1741ed97df1732da17c42c7a8bc127d36a4f5be9b9
SHA512: 28e58b30cd2978003ede544d9bd16645ef0e49b9aed9090f228c9df7c9cee38b6bc8d65ebe9c3fafcade96e243278480c8d5b31ce818d267a262e9cc12290706