Analysis
max time kernel: 29s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 17:18
Static task: static1
Behavioral task: behavioral1 (sample PDF.exe, resource win7-20231020-en)
Behavioral task: behavioral2 (sample PDF.exe, resource win10v2004-20231201-en)
General
Target: PDF.exe
Size: 711KB
MD5: 72974b75ad00da73e07b976b73c5afb6
SHA1: 094208c0eedb674553d1b7c0a99e46599d75acff
SHA256: faf02d9acd5877e620c4fb200895a1306a555baedc6b5e7072a4928a1a39a20a
SHA512: e708b48b2fabbe96eb78e0021dba6acb63078c413a0ad9063f6204c36357a867da9e883e02f7c1def0a5a6ec7a2596cfedda715beb483691b4434725f440d851
SSDEEP: 12288:j/bwLijBoKwyg+ldzxhPD4eu6fvLSReBFmPbSCcWCODgNjsyrroyVMx:jDKzyjlntS6GReuVvDgNjsyno
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.mailo.com
Port: 587
Username: [email protected]
Password: Bignosa1995
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a credential stealer and remote access tool (RAT) built on .NET (VB.NET/C#); this sample exfiltrates over SMTP using the mailbox credentials recovered in Malware Config above.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: api.ipify.org
  flow 5: api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1244 PDF.exe (6 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1244 PDF.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1244 PDF.exe wrote to memory of PID 2436 powershell.exe (4 events)
  PID 1244 PDF.exe wrote to memory of PID 2448 schtasks.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PDF.exe (PID 1244)
  "C:\Users\Admin\AppData\Local\Temp\PDF.exe"
  Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YBGbQTeOWq.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 2448)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBGbQTeOWq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DC5.tmp"
    Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PDF.exe (PID 2728)
    "C:\Users\Admin\AppData\Local\Temp\PDF.exe"
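The process tree carries three behaviours worth a detection rule: a Defender exclusion added for a dropped binary under AppData\Roaming, a scheduled task created from an XML file in the user's Temp directory, and the dropper launching a second copy of itself from Temp (a pattern consistent with self-injection, which the report's signature list does not itself flag). A fourth detail is the image path: the command line asks for System32 but the process image resolves to SysWOW64, which is WoW64 file-system redirection and tells you the parent PDF.exe is a 32-bit binary, consistent with the arch:x86 resource tag. The following Python is an added example, not part of the sandbox output: it walks process-creation records constructed from the report's own command lines and raises those findings. The record schema (pid, ppid, image, cmdline), rule names and severities are assumptions; in production the same fields come from Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.

```python
"""Triage rules for the PDF.exe process tree (added example, not sandbox output)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the created process as the loader resolved it
    cmdline: str    # command line as the parent supplied it


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed from the command lines in the report's process tree.
EVENTS = [
    ProcEvent(1244, 0, r"C:\Users\Admin\AppData\Local\Temp\PDF.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PDF.exe"'),
    ProcEvent(2436, 1244, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\YBGbQTeOWq.exe"'),
    ProcEvent(2448, 1244, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBGbQTeOWq" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9DC5.tmp"'),
    ProcEvent(2728, 1244, r"C:\Users\Admin\AppData\Local\Temp\PDF.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PDF.exe"'),
]

# Paths a standard user can write to; anything persisted or excluded there is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)
# Add-MpPreference exclusion switches; captures the switch kind and its quoted/unquoted value.
EXCLUSION_ARG = re.compile(r'-Exclusion(Path|Process|Extension)\s+"?([^"]+?)"?(\s|$)', re.I)
SCHTASKS_XML = re.compile(r'/XML\s+"?([^"]+?)"?(\s|$)', re.I)
SCHTASKS_TN = re.compile(r'/TN\s+"?([^"]+?)"?(\s|$)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wow64_redirected(ev: ProcEvent) -> bool:
    """Caller asked for System32 but the loader served SysWOW64: the parent is 32-bit."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def triage(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        name = basename(ev.image)
        if name == "powershell.exe" and "add-mppreference" in ev.cmdline.lower():
            m = EXCLUSION_ARG.search(ev.cmdline)
            if m:
                kind, target = m.group(1), m.group(2)
                sev = "high" if USER_WRITABLE.search(target) else "medium"
                findings.append(Finding(ev.pid, "defender_exclusion",
                                        f"{sev}: Exclusion{kind} {target}"))
        elif name == "schtasks.exe" and "/create" in ev.cmdline.lower():
            xml, tn = SCHTASKS_XML.search(ev.cmdline), SCHTASKS_TN.search(ev.cmdline)
            # Task definitions staged in a user-writable directory are the persistence tell.
            if xml and USER_WRITABLE.search(xml.group(1)):
                task = tn.group(1) if tn else "?"
                findings.append(Finding(ev.pid, "schtasks_from_user_dir",
                                        f"task {task} created from {xml.group(1)}"))
        parent = by_pid.get(ev.ppid)
        # Same image re-launched by itself from a user-writable path: self-injection candidate.
        if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
            findings.append(Finding(ev.pid, "self_spawn",
                                    f"{name} re-launched itself from {ev.image} (parent {parent.pid})"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<24} {f.detail}")
    for ev in EVENTS:
        if wow64_redirected(ev):
            print(f"PID {ev.pid:<5} wow64 redirect: {ev.cmdline.split()[0]} -> {ev.image}")
```

The rules key on the command line rather than the image path, so they still fire when the exclusion is set via the Defender cmdlet from a renamed or WoW64 PowerShell; the self-spawn rule is deliberately narrow (same image, user-writable path) to keep legitimate updaters that relaunch from Program Files out of the results.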
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: dfcbc3de3b90c15204badab89f3183df
  SHA1: d33e92a410a8bb0fa853d9ea4ccde1dbfca67adc
  SHA256: bcdb47bee193c9caa3663029a597ff8e7e79dc471fed015b2b522dcbd952f8dd
  SHA512: 6a2ce94d5f14ce0ed87d8040e91b0b0f716a25b8179a152b70186e9e31f92125a1a96595dd5a6079f94a11156ef0d2736934a1e457ea927da2f8081b9306bf0a