Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 17:11
Static task: static1
Behavioral task: behavioral1
- Sample: ProductSpecificationDec052023.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: ProductSpecificationDec052023.exe
- Resource: win10v2004-20231127-en
General
- Target: ProductSpecificationDec052023.exe
- Size: 828KB
- MD5: 72c79ce71ca4d2529fb05f1e37341a69
- SHA1: aaa4e64071d39f2590d1bcb3b758c51d320ece31
- SHA256: a4d1c2193d3db847e5c7132074a16826beff3d069e1ba83633b8ac7bc5c88f5e
- SHA512: 0e1f9eb942b5409bee74c4aaa3d249a87a88dc72d4aeda2cbe39cde7f428ef07b21e17c9467413826f4b599db744064acec96061dd8c5c3f1ea61f3f98618969
- SSDEEP: 12288:anfKE6jD/62iNG5nF8+pQWMHKMuGxZcx0dZRyKuhqCqPiGIqkHmI:afKtD/61I4HKMuOcexylhqCq5IJHmI
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1280 set thread context of 2512: 1280 ProductSpecificationDec052023.exe -> ProductSpecificationDec052023.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process):
  - 1280 ProductSpecificationDec052023.exe (12 entries)
  - 2512 ProductSpecificationDec052023.exe (2 entries)
  - 2684 powershell.exe
  - 2876 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 1280 ProductSpecificationDec052023.exe
  - Token: SeDebugPrivilege 2512 ProductSpecificationDec052023.exe
  - Token: SeDebugPrivilege 2684 powershell.exe
  - Token: SeDebugPrivilege 2876 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 2512 ProductSpecificationDec052023.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
  - PID 1280 wrote to memory of 2876: 1280 ProductSpecificationDec052023.exe -> powershell.exe (4 entries)
  - PID 1280 wrote to memory of 2684: 1280 ProductSpecificationDec052023.exe -> powershell.exe (4 entries)
  - PID 1280 wrote to memory of 2872: 1280 ProductSpecificationDec052023.exe -> schtasks.exe (4 entries)
  - PID 1280 wrote to memory of 2512: 1280 ProductSpecificationDec052023.exe -> ProductSpecificationDec052023.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe (depth 1, PID 1280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2876)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tNgQrHLDn.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2872)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tNgQrHLDn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9E9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe (depth 2, PID 2512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 1KB
  MD5: d3f96fac71360bc4cef2ecdc6da07efa
  SHA1: aed1e42affd5ad2d97ce9e3e948bab323cbc2c0d
  SHA256: 6d638a633685050c35176aaf70e54d65f810e2cc6ecf4835f234e65d34c39fe1
  SHA512: 8a3c51dc5c9f214d8c8f5abb3fc73f0c19d95bb4a6ebdc31cc00d351f806a1199e2ed6babe1fb57691a6bc9385edf814211ba8e7b4bd2810f8c090e935197855
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4XXQKO93CDRP094IRS2.temp
  Filesize: 7KB
  MD5: 4f4557f7b051638b63a2af7e65081f0a
  SHA1: bb77ec0d89e0b44db4f66c1ff864d1cfe6f9f09b
  SHA256: de861b300a7942d486840e23cc1fc10bfe8e483a60c6ee3c3b798b34709c076a
  SHA512: dc3fe733e1e2cc960fcb2453c8e9b8413b3f206b31317c9585bc1733b43d7f0690536376420e9af0e3466bc6a3f4f6c1804da233d13a06281d9a73da92fee408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 4f4557f7b051638b63a2af7e65081f0a
  SHA1: bb77ec0d89e0b44db4f66c1ff864d1cfe6f9f09b
  SHA256: de861b300a7942d486840e23cc1fc10bfe8e483a60c6ee3c3b798b34709c076a
  SHA512: dc3fe733e1e2cc960fcb2453c8e9b8413b3f206b31317c9585bc1733b43d7f0690536376420e9af0e3466bc6a3f4f6c1804da233d13a06281d9a73da92fee408