Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: required and measured value.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: required and measured value.exe
  Resource: win10v2004-20231127-en
General
- Target: required and measured value.exe
- Size: 1008KB
- MD5: 3521aff033bea60a6e8869378b9d068c
- SHA1: 9d84d60857b499e6c6c13d684e67f11f6d8ca31a
- SHA256: 502d7ec69173cc68e242caf59956a90e519dad247b118c60394be96c9474f2d3
- SHA512: 98f3c653b2a763ffa72aa0873f760e06221428066a2f8dc9fcf4c5ecc620684acbf572518057b6c9eac952587d14f033bc9648531cfb0e97f68be86588310e8b
- SSDEEP: 24576:Bqas+pJyCkF0ODvYHkAduLZgBGROSYOmT7Lmte9:wyJyCkF9VAd4ZgBG4SYOy7
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: required and measured value.exe
  description | pid | process | target process
  PID 2924 set thread context of 2516 | 2924 | required and measured value.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: required and measured value.exe, powershell.exe, powershell.exe, RegSvcs.exe
  pid | process
  2924 | required and measured value.exe
  2924 | required and measured value.exe
  2604 | powershell.exe
  1992 | powershell.exe
  2516 | RegSvcs.exe
  2516 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: required and measured value.exe, powershell.exe, powershell.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 2924 | required and measured value.exe
  Token: SeDebugPrivilege | 2604 | powershell.exe
  Token: SeDebugPrivilege | 1992 | powershell.exe
  Token: SeDebugPrivilege | 2516 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: required and measured value.exe
  description | pid | process | target process (identical rows collapsed, count in parentheses)
  PID 2924 wrote to memory of 1992 | 2924 | required and measured value.exe | powershell.exe (4 entries)
  PID 2924 wrote to memory of 2604 | 2924 | required and measured value.exe | powershell.exe (4 entries)
  PID 2924 wrote to memory of 2672 | 2924 | required and measured value.exe | schtasks.exe (4 entries)
  PID 2924 wrote to memory of 2500 | 2924 | required and measured value.exe | RegSvcs.exe (7 entries)
  PID 2924 wrote to memory of 2516 | 2924 | required and measured value.exe | RegSvcs.exe (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\required and measured value.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\required and measured value.exe"
  PID: 2924
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\required and measured value.exe"
    PID: 1992
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kVDWrSDRqNaAK.exe"
    PID: 2604
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kVDWrSDRqNaAK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6825.tmp"
    PID: 2672
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2500
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2516
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f679a0b943879776aea3624a4beaf340
  SHA1: 3545c3cee6599ef624178f22d29654feae3f8def
  SHA256: c3796307c8c88f525b0bd739900d88e3c4843e0e3500ad0027d4c31f681b5cd9
  SHA512: c58eaa29836e3fb755a1e2557228804dfee81500768d9ed415bd501d5b2dd6b393bf61b55e918b0426eeb062185776d5214af9a2a7994ef3b81cabf6fbcbee86
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\83JYW5YCBNBQS6PIXU3V.temp
  Filesize: 7KB
  MD5: a6bb5eec076091edcd28cc2324bc363b
  SHA1: 09d67fa049c07a6541814770b10a04ee8a74a858
  SHA256: 730209f9c07c07e6d633efcc26e07cf06054d8919a7f864d501e2633b745de0a
  SHA512: b7d23f88325222ac6a3de3cbcfddae467102a0632a9f8e9f02f22f439e76cd5b1881c471e4bcc10ff0de2fdee011d07e8ab65c8693804062b9465adab7c0cb0c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a6bb5eec076091edcd28cc2324bc363b
  SHA1: 09d67fa049c07a6541814770b10a04ee8a74a858
  SHA256: 730209f9c07c07e6d633efcc26e07cf06054d8919a7f864d501e2633b745de0a
  SHA512: b7d23f88325222ac6a3de3cbcfddae467102a0632a9f8e9f02f22f439e76cd5b1881c471e4bcc10ff0de2fdee011d07e8ab65c8693804062b9465adab7c0cb0c