Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 17:07
Static task: static1
Behavioral task: behavioral1
- Sample: payment status.pdf.exe
- Resource: win7-20231201-en
Behavioral task: behavioral2
- Sample: payment status.pdf.exe
- Resource: win10v2004-20231201-en
General
- Target: payment status.pdf.exe
- Size: 1020KB
- MD5: 95db39b63d249c820c8f4049e0f6cb47
- SHA1: c7aea8439dc96bdbedb2f6c132ec3507818b66c4
- SHA256: 411b46ed90780c211a99c7b85b753aade4eb1d5e63f3172f0a8149edf109237a
- SHA512: 1bfe8a034f2411498768819e2c4511f657512cf8fe51c7f868557e7a1e507ca08f514a01433261b5116232886546732151c1b1f17f7af742761f2ff3afbeab06
- SSDEEP: 24576:HR34/up+pJCy9lInPiYgpcU7GPm8UXYz1q:x38PJCQ3IPqXV
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: kex#-rHjHM4qKk52
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description            pid   process                 target PID  target process
  set thread context of  1744  payment status.pdf.exe  2620        RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  2688  powershell.exe
  2836  powershell.exe
  2620  RegSvcs.exe
  2620  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2688  powershell.exe
  Token: SeDebugPrivilege  2836  powershell.exe
  Token: SeDebugPrivilege  2620  RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (24 entries, grouped by target process; every entry is PID 1744 payment status.pdf.exe writing to the target's memory):
  description         pid   process                 target PID  target process  entries
  wrote to memory of  1744  payment status.pdf.exe  2836        powershell.exe  4
  wrote to memory of  1744  payment status.pdf.exe  2688        powershell.exe  4
  wrote to memory of  1744  payment status.pdf.exe  2844        schtasks.exe    4
  wrote to memory of  1744  payment status.pdf.exe  2620        RegSvcs.exe     12
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe"
  PID: 1744
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe"
    PID: 2836
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zcEARB.exe"
    PID: 2688
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zcEARB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
    PID: 2844
    - Creates scheduled task(s)
  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 991b27cad0ba452414bd412bde5a265c
  SHA1: 7e638635a2ebdb3586de9c0f6dda5212c84b1a6f
  SHA256: 68f7bd7cf8437ebb172efae331003c2f8d5b3399250a8e29baf6f0faa5d0712e
  SHA512: d2944be0a4dbf3951a0e82524875a24795561e6627bc6e3a0ee891dfa21179139f1e3a46c2828927c4ada8f797b116a1502a0af70b5ea2f8cbf1c8d12a1bc55e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9LGTVMM6QFIIYOI2KPF.temp
  Filesize: 7KB
  MD5: f0785a88b93eb18cc77587b7d9a67ecb
  SHA1: 2b65697b81acd9166b762cae9a60eef31937c4b6
  SHA256: a518e293ea20cb0227e7363778685d76fea811e3a3c7375868da5730bd7fc437
  SHA512: f442e0a9364802f123522478ac7eec086d531149fc6d3f9916705c6a05c7c790209fecb3440395decd5ebb2f9b5763e3c60c7cea7c1b0333403c18cf3ae4e08c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f0785a88b93eb18cc77587b7d9a67ecb
  SHA1: 2b65697b81acd9166b762cae9a60eef31937c4b6
  SHA256: a518e293ea20cb0227e7363778685d76fea811e3a3c7375868da5730bd7fc437
  SHA512: f442e0a9364802f123522478ac7eec086d531149fc6d3f9916705c6a05c7c790209fecb3440395decd5ebb2f9b5763e3c60c7cea7c1b0333403c18cf3ae4e08c