Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 02:58
Static task: static1
Behavioral task: behavioral1
- Sample: PDA STATEMENT.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: PDA STATEMENT.exe
- Resource: win10v2004-20231127-en
(The results below are from the behavioral2 run on win10v2004-20231127-en.)
General
- Target: PDA STATEMENT.exe
- Size: 517KB
- MD5: 99e05e1f4c3726434476aedddfbe2e3d
- SHA1: da507c4274759703aa25ca68b9cb01929c129663
- SHA256: 031373e0c892da52577e9eb17ea541a7d874362c9845a3f36ce479c545624e5f
- SHA512: 833328a134028f79afae86426a61abe7ecf1a29e2da39814f3087435d80d19418ffb176b237f9befbbb7f0146f4b7510777ebe35f21052b105b65589fc971186
- SSDEEP: 12288:3GOA/39mIIvL16/WPRAlRHrvXKWdtaFKQ4J66:3GOA/t4jPRAlRLDnIk6
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.adityagroup.co
- Port: 587
- Username: [email protected]
- Password: Aditya!@#$%^
- Email To: [email protected]
The username and recipient addresses are rendered as the literal "[email protected]" in this copy of the report and are not recoverable from it. The host, port and password are the exfiltration channel the payload authenticates to; outbound SMTP submission to mail.adityagroup.co on 587 from user workstations is the network indicator to hunt for, and the mailbox owner should be treated as compromised.
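When the config extractor fails, the same SMTP details can be recovered from a network capture, because AgentTesla authenticates with AUTH LOGIN, which is just base64-encoded prompt/response pairs. The following is an added example, not part of the sandbox report: it walks a constructed client/server transcript (placeholder addresses and password, not this sample's values) and pulls out host, port, credentials and recipient, and it also handles the case where the client upgraded to STARTTLS first, in which case only the server and port are visible.

```python
import base64
import re

# Constructed plaintext SMTP submission on port 587, laid out the way a
# pcap "follow stream" shows it (C: client, S: server). The addresses and
# password are placeholders; the sample's real values are in the Malware
# Config above.
SESSION_PLAIN = """\
C: EHLO victim-pc
S: 250-mail.example.invalid Hello victim-pc
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZXhmaWxAZXhhbXBsZS5pbnZhbGlk
S: 334 UGFzc3dvcmQ6
C: Y29uc3RydWN0ZWQtcGFzc3dvcmQ=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<exfil@example.invalid>
C: RCPT TO:<dropbox@example.invalid>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: constructed report subject
C: .
S: 250 2.0.0 Ok: queued
"""

# Same submission but the client issued STARTTLS first: everything after the
# 220 is ciphertext, so only host and port are recoverable from the wire.
SESSION_TLS = """\
C: EHLO victim-pc
S: 250-mail.example.invalid Hello victim-pc
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""


def _addr(line):
    """Pull the <address> out of a MAIL FROM / RCPT TO line."""
    m = re.search(r"<([^>]+)>", line)
    return m.group(1) if m else None


def parse_smtp_session(transcript, host, port):
    """Recover the exfil configuration from an SMTP transcript: host, port,
    AUTH LOGIN credentials, sender, recipient, and whether the credentials
    crossed the wire in clear (i.e. without a preceding STARTTLS)."""
    cfg = {"protocol": "smtp", "host": host, "port": port, "username": None,
           "password": None, "mail_from": None, "email_to": None,
           "auth_ok": False, "starttls": False, "cleartext_auth": False}
    lines = transcript.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith("C: STARTTLS"):
            cfg["starttls"] = True
        elif line.startswith("S: 334 "):
            # AUTH LOGIN: server sends base64("Username:") then
            # base64("Password:"); the client answers each with a base64 value.
            try:
                prompt = base64.b64decode(line[7:]).decode("ascii", "replace")
            except ValueError:
                continue  # some other SASL mechanism's challenge
            field = prompt.rstrip(":").lower()
            nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
            if field in ("username", "password") and nxt.startswith("C: "):
                cfg[field] = base64.b64decode(nxt[3:].strip()).decode("utf-8", "replace")
                cfg["cleartext_auth"] = not cfg["starttls"]
        elif line.startswith("S: 235"):
            cfg["auth_ok"] = True
        elif line.upper().startswith("C: MAIL FROM:"):
            cfg["mail_from"] = _addr(line)
        elif line.upper().startswith("C: RCPT TO:"):
            cfg["email_to"] = _addr(line)
    return cfg


if __name__ == "__main__":
    for name, session in (("plain", SESSION_PLAIN), ("starttls", SESSION_TLS)):
        print(name, parse_smtp_session(session, "mail.example.invalid", 587))
```

Host and port are passed in because they come from the TCP layer, not from the SMTP dialogue; in a real capture take them from the flow tuple. The `cleartext_auth` flag is the part worth alerting on separately: a stealer that skips STARTTLS leaks its own exfil mailbox credentials to any network sensor on the path.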
Signatures
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET; in this run its payload executes inside a hollowed .NET Framework utility (RegSvcs.exe, see below).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Geo\Nation), likely used as a geofence before the payload runs.
- Key value queried: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation (PDA STATEMENT.exe)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 64: api.ipify.org
- flow 65: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
- PID 4156 (PDA STATEMENT.exe) set thread context of PID 3592 (RegSvcs.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
- PID 4156 PDA STATEMENT.exe (11 occurrences)
- PID 736 powershell.exe (3 occurrences)
- PID 3544 powershell.exe (3 occurrences)
- PID 3592 RegSvcs.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 4156 PDA STATEMENT.exe
- Token: SeDebugPrivilege, PID 3544 powershell.exe
- Token: SeDebugPrivilege, PID 736 powershell.exe
- Token: SeDebugPrivilege, PID 3592 RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 4156 (PDA STATEMENT.exe) wrote to memory of PID 3544 (powershell.exe), 3 times
- PID 4156 (PDA STATEMENT.exe) wrote to memory of PID 736 (powershell.exe), 3 times
- PID 4156 (PDA STATEMENT.exe) wrote to memory of PID 748 (schtasks.exe), 3 times
- PID 4156 (PDA STATEMENT.exe) wrote to memory of PID 552 (RegSvcs.exe), 3 times
- PID 4156 (PDA STATEMENT.exe) wrote to memory of PID 3592 (RegSvcs.exe), 8 times

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe (PID 4156)
  command line: "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children:
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3544)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 736)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NCOjhNiQvr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 748)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCOjhNiQvr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9575.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 552)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    (no signatures recorded for this instance)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3592)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Reading the tree: the command lines say System32 but the image paths are under SysWOW64, so the dropper is a 32-bit process (consistent with the arch:x86 resource tag) and its children are resolved through WoW64 file-system redirection; the 32-bit RegSvcs.exe under Framework rather than Framework64 fits the same picture. The two Add-MpPreference calls (ATT&CK T1562.001) exclude both the running sample and a copy at C:\Users\Admin\AppData\Roaming\NCOjhNiQvr.exe that this report does not otherwise show being written; together with the scheduled task Updates\NCOjhNiQvr created from the temporary XML (T1053.005), that copy is the likely persistence launcher. Add-MpPreference only succeeds because the sandbox user is an administrator; on a standard-user host these calls fail and the rest of the chain still runs. Of the two RegSvcs.exe children, PID 552 records nothing further, while PID 3592 is the one that received WriteProcessMemory and SetThreadContext (process hollowing, T1055.012) and then reads the Outlook profile keys and resolves api.ipify.org: the AgentTesla payload lives there, so memory and network triage belongs on RegSvcs.exe, not on the dropper image.
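The chain above (geofence lookup, Defender exclusions via PowerShell, schtasks persistence from a temp XML, hollowing of a .NET utility, Outlook profile reads and an external IP lookup from the hollowed process) is what a host-based detection should stitch together, and the hollowed child's behaviour has to be attributed back to the injector or the dropper looks almost clean. The following is an added example, not part of the sandbox report: it replays constructed events modelled on this run (the event schema, the host list and the PIDs reused from the report are assumptions, not any sandbox's or Sysmon's real format) and returns the matched techniques and a verdict.

```python
import re
from collections import defaultdict

# Constructed events mirroring the report's chain (assumed schema). PIDs are
# the ones the report shows; the SID is a placeholder.
EVENTS = [
    {"type": "process", "pid": 4156, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe", "cmd": ""},
    {"type": "regquery", "pid": 4156,
     "key": r"HKU\S-1-5-21-0-0-0-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 3544, "ppid": 4156,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"'},
    {"type": "process", "pid": 748, "ppid": 4156,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Updates\NCOjhNiQvr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9575.tmp"'},
    {"type": "process", "pid": 3592, "ppid": 4156,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmd": "RegSvcs.exe"},
    {"type": "writemem", "pid": 4156, "target": 3592},
    {"type": "setthreadcontext", "pid": 4156, "target": 3592},
    {"type": "regopen", "pid": 3592,
     "key": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "pid": 3592, "host": "api.ipify.org"},
]

# Signed .NET utilities commonly used as hollowing hosts and public IP lookup
# services (illustrative lists; extend from your own telemetry).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def analyze(events):
    """Return {technique: set(evidence)}; behaviour of a hollowed child is
    attributed to the process that wrote its memory and set its thread context."""
    findings = defaultdict(set)
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    wrote = {(e["pid"], e["target"]) for e in events if e["type"] == "writemem"}
    injector = {}  # hollowed pid -> injecting pid
    for e in events:  # first pass: find WriteProcessMemory + SetThreadContext pairs
        if e["type"] == "setthreadcontext" and (e["pid"], e["target"]) in wrote:
            host = image.get(e["target"], "").lower().rsplit("\\", 1)[-1]
            if host in HOLLOW_HOSTS:
                injector[e["target"]] = e["pid"]
                findings["process_hollowing"].add(f"{e['pid']} -> {host} ({e['target']})")
    for e in events:  # second pass: everything else, attributed to the injector
        actor = injector.get(e["pid"], e["pid"])
        t = e["type"]
        if t == "regquery" and e["key"].lower().endswith(r"\international\geo\nation"):
            findings["geofence_check"].add(f"{actor} read Geo\\Nation")
        elif t == "process":
            cmd = e["cmd"].lower()
            if "add-mppreference" in cmd and "-exclusionpath" in cmd:
                findings["defender_exclusion"].add(f"{e['ppid']} spawned: {e['cmd']}")
            if "schtasks" in cmd and "/create" in cmd and "/xml" in cmd and USER_WRITABLE.search(cmd):
                findings["schtasks_persistence"].add(f"{e['ppid']} spawned: {e['cmd']}")
        elif t == "regopen" and "\\outlook\\profiles\\" in e["key"].lower():
            findings["outlook_profile_access"].add(f"{actor} via {e['pid']}: {e['key']}")
        elif t == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS:
            findings["external_ip_lookup"].add(f"{actor} via {e['pid']}: {e['host']}")
    return dict(findings)


def verdict(findings):
    """Hollowing combined with credential access or external IP recon is the
    stealer-shaped combination; anything else matched is merely suspicious."""
    stealer_signals = ("outlook_profile_access", "external_ip_lookup")
    if "process_hollowing" in findings and any(k in findings for k in stealer_signals):
        return "stealer-like (AgentTesla pattern)"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    result = analyze(EVENTS)
    for technique, evidence in sorted(result.items()):
        print(technique, sorted(evidence))
    print(verdict(result))
```

The ordering matters: hollowing is resolved in a first pass so that the Outlook and DNS events from PID 3592 are credited to PID 4156 in the second pass. Without that, a per-process scoring rule sees a signed Microsoft binary reading mail settings and a dropper that merely spawned some children.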
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (name not given in the report)
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
File 2 (name not given in the report)
- Filesize: 1KB
- MD5: a044709fe551eb99e984f3da6ef268ac
- SHA1: d0b983bb4a13d38cf94d42e26b8129476495c8f9
- SHA256: ca130853b7b5f4f645db0d882a3d883ad69e63eabf7c2d46b42ccc8d6332e71f
- SHA512: c0a44e38ab0970f8b05613d46a9d6f3111e8e92daeadaf32ab5da4d97ba2532f2e7dda311f7169ba44a0c6b5621e5adc0be40e74c670d6a6a50bf2b2c8357c2a