Overview

overview

10

Static

static

3

payment st...df.exe

windows7-x64

10

payment st...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231201-en
  • resource tags

    arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2023 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment status.pdf.exe

  • Size

    1020KB

  • MD5

    95db39b63d249c820c8f4049e0f6cb47

  • SHA1

    c7aea8439dc96bdbedb2f6c132ec3507818b66c4

  • SHA256

    411b46ed90780c211a99c7b85b753aade4eb1d5e63f3172f0a8149edf109237a

  • SHA512

    1bfe8a034f2411498768819e2c4511f657512cf8fe51c7f868557e7a1e507ca08f514a01433261b5116232886546732151c1b1f17f7af742761f2ff3afbeab06

  • SSDEEP

    24576:HR34/up+pJCy9lInPiYgpcU7GPm8UXYz1q:x38PJCQ3IPqXV

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zcEARB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zcEARB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp
    Filesize

    1KB

    MD5

    991b27cad0ba452414bd412bde5a265c

    SHA1

    7e638635a2ebdb3586de9c0f6dda5212c84b1a6f

    SHA256

    68f7bd7cf8437ebb172efae331003c2f8d5b3399250a8e29baf6f0faa5d0712e

    SHA512

    d2944be0a4dbf3951a0e82524875a24795561e6627bc6e3a0ee891dfa21179139f1e3a46c2828927c4ada8f797b116a1502a0af70b5ea2f8cbf1c8d12a1bc55e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9LGTVMM6QFIIYOI2KPF.temp
    Filesize

    7KB

    MD5

    f0785a88b93eb18cc77587b7d9a67ecb

    SHA1

    2b65697b81acd9166b762cae9a60eef31937c4b6

    SHA256

    a518e293ea20cb0227e7363778685d76fea811e3a3c7375868da5730bd7fc437

    SHA512

    f442e0a9364802f123522478ac7eec086d531149fc6d3f9916705c6a05c7c790209fecb3440395decd5ebb2f9b5763e3c60c7cea7c1b0333403c18cf3ae4e08c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    f0785a88b93eb18cc77587b7d9a67ecb

    SHA1

    2b65697b81acd9166b762cae9a60eef31937c4b6

    SHA256

    a518e293ea20cb0227e7363778685d76fea811e3a3c7375868da5730bd7fc437

    SHA512

    f442e0a9364802f123522478ac7eec086d531149fc6d3f9916705c6a05c7c790209fecb3440395decd5ebb2f9b5763e3c60c7cea7c1b0333403c18cf3ae4e08c

    Download Submit

  • memory/1744-19-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1744-1-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1744-2-0x0000000004DD0000-0x0000000004E10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1744-3-0x0000000000500000-0x0000000000518000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1744-4-0x0000000000560000-0x0000000000568000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1744-5-0x0000000000570000-0x000000000057A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1744-6-0x0000000005350000-0x00000000053CA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1744-28-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1744-0-0x0000000000120000-0x0000000000224000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2620-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-42-0x0000000073080000-0x000000007376E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2620-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2620-46-0x0000000073080000-0x000000007376E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2620-43-0x00000000048D0000-0x0000000004910000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2620-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2688-34-0x0000000002960000-0x00000000029A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2688-36-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2688-33-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2688-40-0x0000000002960000-0x00000000029A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2688-41-0x0000000002960000-0x00000000029A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2688-45-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2836-35-0x0000000002920000-0x0000000002960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-37-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2836-38-0x0000000002920000-0x0000000002960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-44-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2836-39-0x0000000002920000-0x0000000002960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-32-0x000000006F200000-0x000000006F7AB000-memory.dmp

    Filesize

    5.7MB

    Download