Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 16:40
- Static task: static1
- Behavioral task: behavioral1 (sample: Parking List.exe; resource: win7-20231025-en)
- Behavioral task: behavioral2 (sample: Parking List.exe; resource: win10v2004-20231130-en)
General
- Target: Parking List.exe
- Size: 811KB
- MD5: 12ce994a7771f557860a1dd0a6d7fa86
- SHA1: 02fb55374e6fcc35838a86f61be0d1777c5b0ce1
- SHA256: 34cd5a3fe4b96b4fd09ec6ea72ee1cd3924d5a69cd1a27c894c44cc705e6b5f8
- SHA512: 6938c6c7a02b0260fe96563e36b438729b4a0251f59c5a74e1ea0bb845773ec3e6b5c88626984288b84088084c904ffd7f717655d7244bee03449d24b36f6302
- SSDEEP: 24576:o34/up+pJcQ52CON7+xxPBeGVWtbU5N7:o38PJyN7+xWMWtIj
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.gimpex-imerys.com
- Port: 587
- Username: [email protected]
- Password: h45ZVRb6(IMF
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2084 set thread context of 2756 | 2084 | Parking List.exe | Parking List.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
  2084 | Parking List.exe (3 entries)
  2756 | Parking List.exe (2 entries)
  2764 | powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2084 | Parking List.exe
  Token: SeDebugPrivilege | 2756 | Parking List.exe
  Token: SeDebugPrivilege | 2764 | powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
  PID 2084 wrote to memory of 2764 | 2084 | Parking List.exe | powershell.exe (4 entries)
  PID 2084 wrote to memory of 2796 | 2084 | Parking List.exe | schtasks.exe (4 entries)
  PID 2084 wrote to memory of 2756 | 2084 | Parking List.exe | Parking List.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Parking List.exe (PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Parking List.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2764)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cUdojGRmEv.exe"
    (adds a Windows Defender exclusion for the path C:\Users\Admin\AppData\Roaming\cUdojGRmEv.exe)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2796)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cUdojGRmEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp"
    (registers a scheduled task named Updates\cUdojGRmEv from a task-definition XML file in the user's Temp directory)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Parking List.exe (PID 2756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Parking List.exe"
    (second instance of the sample; the target of PID 2084's SetThreadContext and WriteProcessMemory activity listed under Signatures)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d22d82f94d37bd36466608df99fd01cc
  SHA1: bdc88f459e4f46f14e5718df00945cef07976c7b
  SHA256: e5b6dad0e0a787e7b39e4199f8c6e99eb01396b7e474e6d909069248199032df
  SHA512: c7bcb507f5fb0be0bdfe6cd6d58a549864615353e912341a59409fd30beb8a38a6bbf503235bf282714af0d9d814907a1262c7fb4df0e0ba465724a8230fd061