Analysis
Max time kernel: 117s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20231130-en
Resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
Submitted: 05-12-2023 17:42
Static task: static1
Behavioral task: behavioral1 (Sample: purchaseorder.exe; Resource: win7-20231130-en)
Behavioral task: behavioral2 (Sample: purchaseorder.exe; Resource: win10v2004-20231130-en)
General
Target: purchaseorder.exe
Size: 1.5MB
MD5: 5821694b0d82baab7a73cfa23a47743c
SHA1: abf662eee6d640057b3a94087145501755e427bf
SHA256: 214de679f00845231238252dc3295762b74c77b7a2ddd7d7eb38f04321bba1dd
SHA512: db09b349540a5ccdbc4b66b368f7bc6f45700b499229aadf1539251861e48383528e236b4a1c80fd102bc69da4b21e8b42411e4c3243ad27860a9c26f08b542a
SSDEEP: 24576:peDHy9z9rmu9+pJsexc/51hxPINlUI9OiZ1017zUTOqYfIlhChgdgm:ismuOJsOchuUoOj17zUT7YfIlohsgm
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.bezzleauto.com
Port: 587
Username: [email protected]
Password: kex#-rHjHM4qKk52
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                            pid   process            target process
  PID 1112 set thread context of 2696    1112  purchaseorder.exe  RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  1740  powershell.exe
  2164  powershell.exe
  1112  purchaseorder.exe
  1112  purchaseorder.exe
  2696  RegSvcs.exe
  2696  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1740  powershell.exe
  Token: SeDebugPrivilege  2164  powershell.exe
  Token: SeDebugPrivilege  1112  purchaseorder.exe
  Token: SeDebugPrivilege  2696  RegSvcs.exe

Suspicious use of WriteProcessMemory (31 IoCs; identical rows collapsed, with the number of occurrences in the last column)
Processes:
  description                       pid   process            target process   occurrences
  PID 1112 wrote to memory of 1740  1112  purchaseorder.exe  powershell.exe   4
  PID 1112 wrote to memory of 2164  1112  purchaseorder.exe  powershell.exe   4
  PID 1112 wrote to memory of 872   1112  purchaseorder.exe  schtasks.exe     4
  PID 1112 wrote to memory of 2552  1112  purchaseorder.exe  RegSvcs.exe      7
  PID 1112 wrote to memory of 2696  1112  purchaseorder.exe  RegSvcs.exe      12
Processes
- C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe (PID 1112, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1740, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 872, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qLKFzy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2164, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qLKFzy.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2552, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2696, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path given in the report)
  Filesize: 1KB
  MD5: 08eeaa1980e8e3aed555030172a57fe0
  SHA1: 839a1e65e0da50ce16555ac9891e0f8023db137d
  SHA256: d26a8bd736969497b1fca5b93371da1f5c9e04f7a8ecfad7ebb36d3eb8b9e88d
  SHA512: e6422e32c753a6f010fdc4b5385000460a8d3904ccf3b3b349309d46902b96e758b6432fee491a04e0b41681e17d9b6c2cd2046992a82940224e643b1a88777d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RDOZ4S07O2GW367S96ZW.temp
  Filesize: 7KB
  MD5: 931dd554f03a027687be6c9c4bba85ed
  SHA1: 5188be2297b15ae59b2e001be859b75fa2f43409
  SHA256: 1d6708aab3a97965ec8b544c11a4433f5876a1629a722d827ef8c3892c2687da
  SHA512: c7caefe3e1f7d13d63e946526a549f3c341ad008ae35daf66cba33323b9da10be2bfd02d5c1ef907bf412b7cd1bff04a566f299d3536bab964e174b6c17d8ab4
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 931dd554f03a027687be6c9c4bba85ed
  SHA1: 5188be2297b15ae59b2e001be859b75fa2f43409
  SHA256: 1d6708aab3a97965ec8b544c11a4433f5876a1629a722d827ef8c3892c2687da
  SHA512: c7caefe3e1f7d13d63e946526a549f3c341ad008ae35daf66cba33323b9da10be2bfd02d5c1ef907bf412b7cd1bff04a566f299d3536bab964e174b6c17d8ab4