Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: Document.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Document.exe
  Resource: win10v2004-20231130-en
General
- Target: Document.exe
- Size: 826KB
- MD5: 2500527e214b1b6d860596e3abbed1b0
- SHA1: 593e7450a3919c0b421ce49a6191f99b0cbd6d62
- SHA256: 1a8ae7da4909a8b5a5ede48fb365d1c9e6a7297fd2bb2dc4a06951a564a10810
- SHA512: 7f134c4985c3f0d20616516810af08ac676dbb1a7eff2fedcc14b79021334a514d316d8847d103e00281f0b1b956248c552fd236024afc58741aa7622eb772b8
- SSDEEP: 12288:xOueH5q4hYdvkOdAcu/NRRp2FlJ5IQxtQrgLsnzfUKdprVJ:sq13dY/vREIQx6cuzfUK
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: premium184.web-hosting.com
- Port: 587
- Username: [email protected]
- Password: ^HPUm$4%eL~b
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    6    | ip-api.com
    4    | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                              | pid  | process      | target process
    PID 1764 set thread context of 2828      | 1764 | Document.exe | Document.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid  | process
    1764 | Document.exe
    2260 | powershell.exe
    2000 | powershell.exe
    1764 | Document.exe
    2828 | Document.exe
    2828 | Document.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 1764 | Document.exe
    Token: SeDebugPrivilege | 2260 | powershell.exe
    Token: SeDebugPrivilege | 2000 | powershell.exe
    Token: SeDebugPrivilege | 2828 | Document.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 1764 wrote to memory of 2000 | 1764 | Document.exe | powershell.exe (4 entries)
    PID 1764 wrote to memory of 2260 | 1764 | Document.exe | powershell.exe (4 entries)
    PID 1764 wrote to memory of 1692 | 1764 | Document.exe | schtasks.exe (4 entries)
    PID 1764 wrote to memory of 2828 | 1764 | Document.exe | Document.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Document.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1764
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2000
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AqEzbjLbuKbF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2260
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AqEzbjLbuKbF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5486.tmp"
    - Creates scheduled task(s)
    PID: 1692
  - C:\Users\Admin\AppData\Local\Temp\Document.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a8eff1b2b95d9f1da24b8e18e489a5fd
  SHA1: c0110b598dd78bd2a22ce98c74a5858fbf582dd0
  SHA256: 8f0a8e686b7f5d277037bd3e41d776df105fe90ae29847db0c484a1253cc053e
  SHA512: b8b2c7d6a5be1446e3ee3303cba78c0c52eadbcbc1c5efa1c85ffb84ed293c72755069cd240101ee57abfb300f41c785b6bb2f2aa0e485d9f55a27eb4050636c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9J8NSM7EVEV7GONVNET1.temp
  Filesize: 7KB
  MD5: 94568cd003519771ab4086619d4685d3
  SHA1: 2d034201594767ce8198ec706719fa659029b7cf
  SHA256: 3ce2c4c1662cd6bec5eba3d66fa266eea3fddd5a1e32b7edc8b13fff13960f70
  SHA512: 41de5b7df9be9bb1b31b71bf63fc0ac74384ef72cc8b9f0679bd1d7c68787fc6511ff4def1afd348f0ef309d0caf88374a3ea8cf5dd5f09e0f0d88798a1f058b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 94568cd003519771ab4086619d4685d3
  SHA1: 2d034201594767ce8198ec706719fa659029b7cf
  SHA256: 3ce2c4c1662cd6bec5eba3d66fa266eea3fddd5a1e32b7edc8b13fff13960f70
  SHA512: 41de5b7df9be9bb1b31b71bf63fc0ac74384ef72cc8b9f0679bd1d7c68787fc6511ff4def1afd348f0ef309d0caf88374a3ea8cf5dd5f09e0f0d88798a1f058b