Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2023 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: Document.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: Document.exe
  Resource: win10v2004-20231130-en
General
Target: Document.exe
Size: 826KB
MD5: 2500527e214b1b6d860596e3abbed1b0
SHA1: 593e7450a3919c0b421ce49a6191f99b0cbd6d62
SHA256: 1a8ae7da4909a8b5a5ede48fb365d1c9e6a7297fd2bb2dc4a06951a564a10810
SHA512: 7f134c4985c3f0d20616516810af08ac676dbb1a7eff2fedcc14b79021334a514d316d8847d103e00281f0b1b956248c552fd236024afc58741aa7622eb772b8
SSDEEP: 12288:xOueH5q4hYdvkOdAcu/NRRp2FlJ5IQxtQrgLsnzfUKdprVJ:sq13dY/vREIQx6cuzfUK
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: premium184.web-hosting.com
Port: 587
Username: [email protected]
Password: ^HPUm$4%eL~b
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow: IoC):
    4: api.ipify.org
    5: api.ipify.org
    6: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
    PID 1728 (Document.exe) set thread context of PID 2632 (Document.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (PID, process):
    1728 Document.exe
    1728 Document.exe
    2632 Document.exe
    2632 Document.exe
    2692 powershell.exe
    2736 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, PID, process):
    Token: SeDebugPrivilege, 1728 Document.exe
    Token: SeDebugPrivilege, 2632 Document.exe
    Token: SeDebugPrivilege, 2692 powershell.exe
    Token: SeDebugPrivilege, 2736 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, PID, process, target process):
    PID 1728 (Document.exe) wrote to memory of PID 2692 (powershell.exe), 4 times
    PID 1728 (Document.exe) wrote to memory of PID 2736 (powershell.exe), 4 times
    PID 1728 (Document.exe) wrote to memory of PID 2780 (schtasks.exe), 4 times
    PID 1728 (Document.exe) wrote to memory of PID 2632 (Document.exe), 9 times
Processes
- C:\Users\Admin\AppData\Local\Temp\Document.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AqEzbjLbuKbF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2780)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AqEzbjLbuKbF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Document.exe (PID 2632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1KB
  MD5: 80b03b23610a21983297e2131d367ace
  SHA1: d64155a9cfbb3685798a22f0acaaff532c7f68fb
  SHA256: 2a0bd7cc0fd1a83b625e8131a55584d3dc7314db0e5cbcf7b236f9a507f593f2
  SHA512: 7459ab9d521fd4128223303e5a3ff88988e0cc271c32a267505aef11168bf77418f9e97fd1ad72a0bddf921b57f90e2d65e4cbb210498c5fef3e129c5723037f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUFOAAYOKFS7YI76EWHP.temp
  Filesize: 7KB
  MD5: ada61c728aa60186b8ba65c53b22bf93
  SHA1: e13b6435552ab575f1a530ea093c43832dd5f3e1
  SHA256: 2df765cca33713a6eabce5c2b8129d49670a6131ce1cb48c8a7c13b35aa19573
  SHA512: 535c4702a1eff3cead3c69f1880b4846c20909ca6415166879456b300a6abdf253c76eebe552319a467f0a921c3dc444696712e8bd15489046a5b80917b01eb7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ada61c728aa60186b8ba65c53b22bf93
  SHA1: e13b6435552ab575f1a530ea093c43832dd5f3e1
  SHA256: 2df765cca33713a6eabce5c2b8129d49670a6131ce1cb48c8a7c13b35aa19573
  SHA512: 535c4702a1eff3cead3c69f1880b4846c20909ca6415166879456b300a6abdf253c76eebe552319a467f0a921c3dc444696712e8bd15489046a5b80917b01eb7