Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 01:41
Static task
- static1
Behavioral task
- behavioral1
  Sample: 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
  Resource: win7-20231023-en
Behavioral task
- behavioral2
  Sample: 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
  Resource: win10v2004-20231127-en
General
- Target: 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
- Size: 859KB
- MD5: e9e5c3ff2c288652632693cfd0430ed8
- SHA1: f60a44bf7b3742211f2beda69263fd2d03ddfe30
- SHA256: 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259
- SHA512: 95564ff00eb160d6302428bc6b8327a657fc1fe29221dbfad692c19f65a14effbefaf9653c57a19b3ffffd07b07e64e5f09b099100811c10599fdc0f21c25f48
- SSDEEP: 24576:FmBLPgdVRTuGQlYPHsKyRlPTGgRvddgw:FeUvRTFQezgRv/
Malware Config
Extracted
- Family: agenttesla
- C2 (Telegram Bot API endpoint): https://api.telegram.org/bot6637410244:AAGgZSHwlIIsLzowq8HIZ_Iwmc3l0ETb130/
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). The configuration extracted from this sample points at the Telegram Bot API (see Malware Config), the exfiltration channel this build uses instead of SMTP or FTP.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely to geofence execution (stealers commonly exit when the victim's locale matches an excluded region).
Processes:
  Process: 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) set thread context of PID 2200 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
  PID 3560 powershell.exe (x3)
  PID 4508 powershell.exe (x3)
  PID 1988 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe (x2)
  PID 2200 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe (x3)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: SeDebugPrivilege  PID 4508 powershell.exe
  Token: SeDebugPrivilege  PID 3560 powershell.exe
  Token: SeDebugPrivilege  PID 1988 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
  Token: SeDebugPrivilege  PID 2200 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID 2200 03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (source -> target, number of writes):
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) wrote to memory of PID 3560 (powershell.exe)  x3
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) wrote to memory of PID 4508 (powershell.exe)  x3
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) wrote to memory of PID 3408 (schtasks.exe)  x3
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) wrote to memory of PID 2900 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe)  x3
  PID 1988 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe) wrote to memory of PID 2200 (03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe)  x8
Processes
- C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe (PID 1988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3560)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4508)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VvKFwCGN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 3408)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvKFwCGN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe (PID 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe"
  - C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe (PID 2200)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Reading the tree: the loader (PID 1988) first adds two Microsoft Defender path exclusions, one for itself and one for the copy it will drop at %APPDATA%\VvKFwCGN.exe, then registers a scheduled task named Updates\VvKFwCGN from an XML definition written to %TEMP% (the dropped-copy path and the task name share the same random string, which is the persistence mechanism). It then launches its own image twice: PID 2900 shows no further activity, while PID 2200 is the instance whose thread context 1988 rewrote (SetThreadContext) after the WriteProcessMemory calls, i.e. the hollowed process in which the Agent Tesla payload actually runs; SetWindowsHookEx from that process is consistent with installing a keyboard hook. The image path reads SysWOW64 while the command line says System32 because the sample is 32-bit (resource tags list arch:x86) and is subject to WOW64 file-system redirection.
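The three behaviours in this tree (a Defender exclusion for a user-writable path, a task definition imported from %TEMP%, and a user-path binary re-launching its own image ahead of SetThreadContext) are more useful as a correlated detection than as individual alerts. The following Python is an added example, not part of the sandbox report or of the Agent Tesla sample: it runs that logic over constructed process-creation events modelled on the tree above. The PIDs and command lines are copied from the report; the parent PID 4000, the two benign control events, and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR telemetry provide)."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Constructed sample telemetry modelled on the report's process tree. PIDs 1988/3560/4508/
# 3408/2900/2200 and their command lines come from the report; the parent PID 4000 and the
# two benign control events at the end are assumptions made for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03aa19425c8129368ed652eb0de192dea72829c6644ab74e23e0c8a28702b259.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\VvKFwCGN.exe"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BENIGN_EXCL = r"C:\Program Files\Vendor\agent.exe"          # assumed benign exclusion target
BENIGN_XML = r"C:\ProgramData\Vendor\update.xml"            # assumed benign task definition

EVENTS = [
    ProcEvent(1988, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3560, 1988, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(4508, 1988, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    ProcEvent(3408, 1988, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvKFwCGN" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp"'),
    ProcEvent(2900, 1988, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2200, 1988, SAMPLE, f'"{SAMPLE}"'),
    # assumed benign controls: an admin excluding an installed agent, and a vendor
    # installer registering a task from ProgramData
    ProcEvent(5100, 4000, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{BENIGN_EXCL}"'),
    ProcEvent(5200, 4000, r"C:\Windows\System32\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Vendor\\Update" /XML "{BENIGN_XML}"'),
]

# Anything under a user profile's AppData is writable without elevation; that is where droppers live.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
EXCLUSION_RE = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.IGNORECASE)
TASK_XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, ppid) hits for the three behaviours seen in the report's process tree."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "powershell.exe":
            # Defender exclusion for a user-writable path: the "exclude myself" step.
            if any(USER_WRITABLE.match(m.group(1)) for m in EXCLUSION_RE.finditer(e.cmdline)):
                hits.append(("defender_exclusion_user_path", e.pid, e.ppid))
        elif name == "schtasks.exe" and "/create" in e.cmdline.lower():
            # Task definition imported from %TEMP%: the XML is dropped and usually deleted afterwards.
            m = TASK_XML_RE.search(e.cmdline)
            if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
                hits.append(("schtasks_xml_from_temp", e.pid, e.ppid))
        if parent is not None and parent.image.lower() == e.image.lower() and USER_WRITABLE.match(e.image):
            # A user-path binary re-launching its own image is the setup for SetThreadContext hollowing.
            hits.append(("self_spawn_from_user_path", e.pid, e.ppid))
    return hits


def suspicious_parents(events, min_rules: int = 2):
    """Group hits by parent PID: one process driving several of these behaviours is the real signal."""
    rules_by_parent = {}
    for rule, _pid, ppid in detect(events):
        rules_by_parent.setdefault(ppid, set()).add(rule)
    return {ppid: rules for ppid, rules in rules_by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print(suspicious_parents(EVENTS))
```

Each rule on its own has a benign explanation (administrators add exclusions, installers import task XML), which is why the two control events are not flagged and why the verdict comes from suspicious_parents: PID 1988 is the only process that triggers all three rules. Tune USER_WRITABLE and the %TEMP% check to the profile layout of the fleet being monitored.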
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- Filesize: 18KB
  MD5: 4763b1fac206a7c8adcbf64dfc91665b
  SHA1: b934c60eafc8ac271b19cc0688da9f8305060e16
  SHA256: d113f5acb2fcd2aacc812d83a51cfeb918b696f1b65dc9131749b59bf0dfc1ab
  SHA512: 40cfe2a2ab0acf3b5abd513d84f53ecf1da4bc716add17679b683fde5acf23d524f3247fa50b0c968f5dc72b197c3d138f7f856559391111e143a9a504e53f27
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: f949ba27209e8e25ae1774589f53592b
  SHA1: 57a022f28078ce4aa4375692c409e70441b4fe41
  SHA256: d4ac68631559e12d95a588b402edca7daa47222d0f06b9edd5e0a1f6aa336b06
  SHA512: 71a18ddba0293b7f342350b7e77e2ba5418423b53ba2fb96b2e3b1e4f6dfa81e86fa37b12c0c4efb61c0fe5e977fddfa6f0d6d28011240871fe87d541954ad8f