Analysis
Max time kernel: 22s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 05-12-2023 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: DHLPAYMENTREQUIRED1003671162.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: DHLPAYMENTREQUIRED1003671162.exe
  Resource: win10v2004-20231130-en
General
Target: DHLPAYMENTREQUIRED1003671162.exe
Size: 904KB
MD5: b665055897fc3b8a557568abc0d1df34
SHA1: e73d473568ddf632d898f286967d26e75b298f3d
SHA256: dca9d727db76dbb43b69e5ea1911861bfdc0aa9e13b954da78bcf2a36a92a9b3
SHA512: abba46a3db77a20fce957d7d684b17bb75be5aabd3281b36ae9b639ec3df76c38ce9c1e5b2bae9c3f5a87026d3596fa3ce5e46cda2aeb1f3c72db77a886fd488
SSDEEP: 12288:ahl5nF8/VdqrlbjGIHcSY8/TJGxE05hCr0Dr6zz/rTWrRREeeM5QlaBNdoP7r9ry:0l+qhbjGn+/1Ga05BDm3rYRR+so1q
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: premium184.web-hosting.com
  Port: 587
  Username: [email protected]
  Password: ^HPUm$4%eL~b
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     api.ipify.org
    5     api.ipify.org
    6     ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2096  DHLPAYMENTREQUIRED1003671162.exe
    2096  DHLPAYMENTREQUIRED1003671162.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2096  DHLPAYMENTREQUIRED1003671162.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                           target process
    PID 2096 wrote to memory of 2020  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2020  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2020  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2020  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2572  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2572  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2572  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
    PID 2096 wrote to memory of 2572  2096  DHLPAYMENTREQUIRED1003671162.exe  powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe"
  PID: 2096
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe"
    PID: 2020
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjaFQBlmQBGbJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF96C.tmp"
    PID: 2908
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hjaFQBlmQBGbJ.exe"
    PID: 2572
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 1KB
  MD5: bc89002b2ec467e3a03b153371f6ff45
  SHA1: ca98c4674df373b85b44382de9bf3cd71d6bd283
  SHA256: 3d7d5d1a75dd820a050cb4aaf8b8d1ad559a08dec8d389b2061e60796b17204c
  SHA512: 061e845337aade12f3384b15ca61800d1fe241d2f2ab12426e44c12c2dbfc2bfbb2ca2d335bdd4af59d30da5e13e47abd2cc2841bbbcf42b23c5e418fbe3c20e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MKT9RDWHAGYPTC2LDICM.temp
  Filesize: 7KB
  MD5: 813feb1a53ce45574fcd49f31b687859
  SHA1: 894588c2a8d859766603c56b0c60f6800d2204da
  SHA256: 3fc8345fbf1b2766fc627ab36425feb43fab6dc268990cdfdcd56141056fe353
  SHA512: e61f42997dda8d8c823bad7b7390172bd538c8174ce64881e2b494e78579a45e9b5374a3ddb28bd8f0defb72177f911d8a56c7320aa8d1aeecd219f5255370f0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 813feb1a53ce45574fcd49f31b687859
  SHA1: 894588c2a8d859766603c56b0c60f6800d2204da
  SHA256: 3fc8345fbf1b2766fc627ab36425feb43fab6dc268990cdfdcd56141056fe353
  SHA512: e61f42997dda8d8c823bad7b7390172bd538c8174ce64881e2b494e78579a45e9b5374a3ddb28bd8f0defb72177f911d8a56c7320aa8d1aeecd219f5255370f0