Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
  Resource: win10v2004-20231130-en
General
- Target: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
- Size: 565KB
- MD5: e45e292ee1302005225b8ee245018cc8
- SHA1: 5dd2b9ee3d84b40e7d4aecc5cc068367729e88ea
- SHA256: a212cb057ef247f50d13b60031f5ef2527f1d86c79628a7d3d8bc328cbe1ccf6
- SHA512: a3d6cc6975682344ba35345a19df338ef753055ab3be22f6687c7a090846d980af98dcee76741134ddb82e09b2c48df9d11d1e66bfee6e10d710c146e679621b
- SSDEEP: 12288:h2AQaueH5q8IDUKiAhTM1cJ3lfi5EIKqi+6u4UXrcbyyEAo:h2EqxDXhTM+xlLIpiM4UQ9E
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.adityagroup.co
- Port: 587
- Username: [email protected]
- Password: Aditya!@#$%^
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 4: api.ipify.org
  - flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
  - PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe) set thread context of PID 2932 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe, powershell.exe, powershell.exe, RegSvcs.exe
  - PID 2964: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe (4 entries)
  - PID 2856: powershell.exe
  - PID 2860: powershell.exe
  - PID 2932: RegSvcs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe, RegSvcs.exe, powershell.exe, powershell.exe
  - Token: SeDebugPrivilege, PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe)
  - Token: SeDebugPrivilege, PID 2932 (RegSvcs.exe)
  - Token: SeDebugPrivilege, PID 2860 (powershell.exe)
  - Token: SeDebugPrivilege, PID 2856 (powershell.exe)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
  - PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe) wrote to memory of PID 2860 (powershell.exe): 4 entries
  - PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe) wrote to memory of PID 2856 (powershell.exe): 4 entries
  - PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe) wrote to memory of PID 2652 (schtasks.exe): 4 entries
  - PID 2964 (SecuriteInfo.com.Trojan.Inject4.59820.14009.exe) wrote to memory of PID 2932 (RegSvcs.exe): 12 entries
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe (PID 2964, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2860, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2856, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UZZTTFhFFwXETf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2652, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UZZTTFhFFwXETf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2932, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e23d6698051f0610a187ecf3142037cd
  SHA1: 41335e115a2920dabed8b2e9f6884e82fe302c4b
  SHA256: 35dd6b5e14672be682213d26a0b1bd2df013413eb3a8a7e705d3c196a4ae014c
  SHA512: df3dae76878f1034762ded142e841a93ace049bf1fc86528bc896c0f28ebc2c4bddab020857627ab9721cd4d89f6b262a4cdfe6f908edc1a69e1ab427a36ce8d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M49WRREB5S3JXZV10VBU.temp
  Filesize: 7KB
  MD5: 648d9f63c977d5c027a2331edf0a46f1
  SHA1: 63d15626025cb9b531a6b31834056256e9ca2c7c
  SHA256: fedb5ed0618b5324a45827226f0de3605f93c55848135ed482a9f30407da2d6a
  SHA512: 2f9dff21721ace01e283f653f34382adaa077984c172386f81cabcd7ddfbd98e898f5a12abde0ddc77b3ccefbd6bbab8deea831fbc7c21e2efecacf501ce983a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 648d9f63c977d5c027a2331edf0a46f1
  SHA1: 63d15626025cb9b531a6b31834056256e9ca2c7c
  SHA256: fedb5ed0618b5324a45827226f0de3605f93c55848135ed482a9f30407da2d6a
  SHA512: 2f9dff21721ace01e283f653f34382adaa077984c172386f81cabcd7ddfbd98e898f5a12abde0ddc77b3ccefbd6bbab8deea831fbc7c21e2efecacf501ce983a