Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 08:14

Static task: static1

Behavioral task: behavioral1
- Sample: Order 4102672345.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: Order 4102672345.exe
- Resource: win10v2004-20231127-en
General
- Target: Order 4102672345.exe
- Size: 639KB
- MD5: e00ea5e1e1b9b1f8a63cb79f7c870359
- SHA1: dce9d736e1e7865b925a6e77977440528fc77579
- SHA256: 07463687693e68947b76ead68ae75f764649c80725f4914cde0eaf0d1c4644d7
- SHA512: 427de637a2676e021654b3932095299e6674802db562532802bdcfc1eb7747121ca6608c61b4e4e3388293ae10f8d43ebc6fc34ccd23cdd1caf457cc912ac609
- SSDEEP: 12288:g97QaueH5qXSFVWKmcLht4aNkWOJGx4gW8POHnUbVvaoL:g9ZqAUeht4OxekAUByo
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.vrlogistic.com
- Port: 587
- Username: [email protected]
- Password: @dmin@123
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description      ioc                                                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Order 4102672345.exe
  description                          pid   process               target process
  PID 1680 set thread context of 2476  1680  Order 4102672345.exe  RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: Order 4102672345.exe, RegSvcs.exe, powershell.exe, powershell.exe
  pid   process               entries
  1680  Order 4102672345.exe  7
  2476  RegSvcs.exe           2
  1500  powershell.exe        1
  2844  powershell.exe        1

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: Order 4102672345.exe, RegSvcs.exe, powershell.exe, powershell.exe
  description              pid   process
  Token: SeDebugPrivilege  1680  Order 4102672345.exe
  Token: SeDebugPrivilege  2476  RegSvcs.exe
  Token: SeDebugPrivilege  1500  powershell.exe
  Token: SeDebugPrivilege  2844  powershell.exe

- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: Order 4102672345.exe
  description                       pid   process               target process  entries
  PID 1680 wrote to memory of 2844  1680  Order 4102672345.exe  powershell.exe  4
  PID 1680 wrote to memory of 1500  1680  Order 4102672345.exe  powershell.exe  4
  PID 1680 wrote to memory of 2696  1680  Order 4102672345.exe  schtasks.exe    4
  PID 1680 wrote to memory of 2660  1680  Order 4102672345.exe  RegSvcs.exe     7
  PID 1680 wrote to memory of 2476  1680  Order 4102672345.exe  RegSvcs.exe     12
Processes
- C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe (PID 1680, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2844, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1500, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CombpHV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 2696, depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CombpHV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF43E.tmp"
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2660, depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2476, depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8a5b558d4aca0cd280f502373053b71a
  SHA1: e7920b261c654b3a1fc41d13b299cc70cf55c55c
  SHA256: dd0da8eac67c0d7d9822ba0e3e325e51303abf702ddec63a5e3887c61ca367d3
  SHA512: 1d200b2c837f5eeadb92ecae420d02dae1b172fa5a63d145077296a67b59358a51be1052b715d4b31903d3f18a98158d86c155318eb59c1b72b38c91acc8a024

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXEWT6HFJ08VNGZ5Q1Z8.temp
  Filesize: 7KB
  MD5: b492cb409b490ae5c292f5b268c5f171
  SHA1: 2c3c378f462c6eb9c0c7a25d7f4f119f589c003f
  SHA256: 82ccfaaa5d7b1d3b5954ffa9b4d25381e9e085e12d4ca71e1b2332ca85b9d502
  SHA512: cbf08f42fa7a10650e108e8b643646a41aabe3619e9e5bcff129a0ac1bd88e802aead578fbd5f30e4ac8ce17dc77f3bfe612a12c540b1f68cd2f73ccf6e25c96

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b492cb409b490ae5c292f5b268c5f171
  SHA1: 2c3c378f462c6eb9c0c7a25d7f4f119f589c003f
  SHA256: 82ccfaaa5d7b1d3b5954ffa9b4d25381e9e085e12d4ca71e1b2332ca85b9d502
  SHA512: cbf08f42fa7a10650e108e8b643646a41aabe3619e9e5bcff129a0ac1bd88e802aead578fbd5f30e4ac8ce17dc77f3bfe612a12c540b1f68cd2f73ccf6e25c96