Analysis
- max time kernel: 22s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 16:44
Static task: static1
Behavioral task: behavioral1
- Sample: requiredandmeasuredvalue.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: requiredandmeasuredvalue.exe
- Resource: win10v2004-20231130-en
General
- Target: requiredandmeasuredvalue.exe
- Size: 1008KB
- MD5: 3521aff033bea60a6e8869378b9d068c
- SHA1: 9d84d60857b499e6c6c13d684e67f11f6d8ca31a
- SHA256: 502d7ec69173cc68e242caf59956a90e519dad247b118c60394be96c9474f2d3
- SHA512: 98f3c653b2a763ffa72aa0873f760e06221428066a2f8dc9fcf4c5ecc620684acbf572518057b6c9eac952587d14f033bc9648531cfb0e97f68be86588310e8b
- SSDEEP: 24576:Bqas+pJyCkF0ODvYHkAduLZgBGROSYOmT7Lmte9:wyJyCkF9VAd4ZgBG4SYOy7
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: requiredandmeasuredvalue.exe
  description                        pid   process                         target process
  PID 1956 wrote to memory of 2284   1956  requiredandmeasuredvalue.exe    powershell.exe
  PID 1956 wrote to memory of 2284   1956  requiredandmeasuredvalue.exe    powershell.exe
  PID 1956 wrote to memory of 2284   1956  requiredandmeasuredvalue.exe    powershell.exe
  PID 1956 wrote to memory of 2284   1956  requiredandmeasuredvalue.exe    powershell.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\requiredandmeasuredvalue.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\requiredandmeasuredvalue.exe"
  PID: 1956
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2780
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kVDWrSDRqNaAK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FCC.tmp"
    PID: 2620
    Signatures: Creates scheduled task(s)
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kVDWrSDRqNaAK.exe"
    PID: 2608
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\requiredandmeasuredvalue.exe"
    PID: 2284
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3996848981d83fab72342c9fa10dd03a
  SHA1: 8fd2c4cef7ba1a82f636895e4aa6145cafcf93df
  SHA256: ca8a2c4436c1b0dfceac7c011007578e52fdbe6dba66a34016391a4294a65f3c
  SHA512: 2117ceb112a746d172531c6910a99d2ec871a9f35d6717b1d2ccea054e68f80c591531bef2d1a1e11f84533413cff48674549b946cde38e373701c6bcbef9cec
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1MHFR3GMTU3PYV9KR1P9.temp
  Filesize: 7KB
  MD5: b2bc4265406afa372593f877fba2dc21
  SHA1: 26c9c0faba7e42ecca7b38512275b0bb745b0e18
  SHA256: 63e0536df7fa983ad7bc527f00235ab5dcb01a308c065832913dedee12ad93c1
  SHA512: cd6cd22dd488908926e4f125edaec1128603294f0b9af06c8d0b3f94b859e6e4152cd2de1b77650c8683e97ba799e07bd2cdb5763b01154913b666e11b993797
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b2bc4265406afa372593f877fba2dc21
  SHA1: 26c9c0faba7e42ecca7b38512275b0bb745b0e18
  SHA256: 63e0536df7fa983ad7bc527f00235ab5dcb01a308c065832913dedee12ad93c1
  SHA512: cd6cd22dd488908926e4f125edaec1128603294f0b9af06c8d0b3f94b859e6e4152cd2de1b77650c8683e97ba799e07bd2cdb5763b01154913b666e11b993797