Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2023 02:30
Static task: static1
Behavioral task: behavioral1
- Sample: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
- Resource: win10v2004-20231130-en
General
- Target: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
- Size: 485KB
- MD5: 6ccbacbec6b83823e89343cc5ae9681a
- SHA1: 29f2e915e040956f9540abdaf0b8e4df917623b4
- SHA256: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73
- SHA512: 9ca4bdc4d54edd0bdb3e4951ecd978e77690ec57877d694538dbd9bf38a053d487355ec7aa8c34e5bfc593689ead0d40a4549a11ac1d4af44c0fb5b56480a66c
- SSDEEP: 12288:WckpUOtJHdogrQCUcMNtYfLvAFiwCHoEbjr:W7asodCUcMkYF6t
Malware Config
Extracted
- Family: agenttesla
- C2: https://api.telegram.org/bot6760916656:AAFTROumNysgqsjoqAvyBqjbR9y3VV4we2Y/
The configuration shows exfiltration over the Telegram Bot API rather than SMTP or FTP. The numeric bot id (6760916656) is the stable pivot for hunting; the secret after the colon can be rotated by the operator. On the network side, HTTPS to api.telegram.org from a process that is not a browser or the Telegram client is the detection point, since the traffic is otherwise legitimate-looking TLS to a popular service.
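The following is an added example, not code from the sandbox report or from Agent Tesla, showing how the C2 endpoint above can be pulled out of a sample's raw bytes. Agent Tesla is a .NET binary, so its string literals are stored as UTF-16LE; an extractor that only understands ASCII misses them, which is why this one also scans a UTF-16LE projection of the data. SAMPLE_ASCII and SAMPLE_UTF16 are constructed inputs that embed the URL the report extracted; the regex, the TelegramC2 type and the function names are this example's own.

```python
"""
Added example (not from the sandbox report nor from Agent Tesla): extract a
Telegram Bot API C2 endpoint from raw sample bytes, in both ASCII and
UTF-16LE (.NET string) encodings.
"""
import re
from typing import List, NamedTuple

# Telegram bot tokens are "<numeric bot id>:<secret>"; the secret alphabet is
# [A-Za-z0-9_-]. Require >= 30 secret chars so fragments do not match.
_TG_RE = re.compile(
    rb"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/?"
)


class TelegramC2(NamedTuple):
    bot_id: str
    token: str
    encoding: str  # "ascii" or "utf-16le": how the string was stored

    @property
    def url(self) -> str:
        return f"https://api.telegram.org/bot{self.bot_id}:{self.token}/"


def _utf16le_projection(data: bytes) -> bytes:
    """Map each UTF-16LE code unit to its ASCII byte (0xFF if not ASCII) so
    the same ASCII regex can be run over wide strings."""
    out = bytearray()
    for i in range(0, len(data) - 1, 2):
        lo, hi = data[i], data[i + 1]
        out.append(lo if hi == 0 and lo < 0x80 else 0xFF)
    return bytes(out)


def extract_telegram_c2(data: bytes) -> List[TelegramC2]:
    """Return the unique Telegram bot C2 endpoints found in `data`."""
    hits: List[TelegramC2] = []
    for m in _TG_RE.finditer(data):
        hits.append(TelegramC2(m[1].decode(), m[2].decode(), "ascii"))
    # A wide string may start at either byte alignment, so scan both.
    for offset in (0, 1):
        for m in _TG_RE.finditer(_utf16le_projection(data[offset:])):
            hits.append(TelegramC2(m[1].decode(), m[2].decode(), "utf-16le"))
    unique: List[TelegramC2] = []
    for hit in hits:
        if not any((u.bot_id, u.token) == (hit.bot_id, hit.token) for u in unique):
            unique.append(hit)
    return unique


# Constructed inputs: junk bytes around the C2 URL this report extracted.
C2_URL = "https://api.telegram.org/bot6760916656:AAFTROumNysgqsjoqAvyBqjbR9y3VV4we2Y/"
SAMPLE_ASCII = b"MZ\x90\x00junk" + C2_URL.encode() + b"sendDocument\x00"
SAMPLE_UTF16 = b"\x90" + (C2_URL + "sendDocument").encode("utf-16-le") + b"\x00"

if __name__ == "__main__":
    for blob in (SAMPLE_ASCII, SAMPLE_UTF16):
        for c2 in extract_telegram_c2(blob):
            print(f"{c2.encoding:8} bot_id={c2.bot_id} url={c2.url}")
```

Run it against a dumped or unpacked .NET image rather than the packed file on disk: Agent Tesla builds usually keep the configuration encrypted until runtime, so the plaintext URL is only reliably present in process memory or after the sandbox's own config extraction.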
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email and FTP clients, logs keystrokes, and exfiltrates over SMTP, FTP or, as in this sample, the Telegram Bot API.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe: Key value queried \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation
Caveat: Geo\Nation is also read by benign .NET code that resolves the current region (RegionInfo), so this query is a weak signal on its own and matters here only in combination with the stealer behaviours below.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe: Set value (str) \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "C:\Users\Admin\AppData\Roaming\adobe\adobe.exe"
The persisted copy masquerades as Adobe and lives under the user's %APPDATA%, so no elevation is needed: the HKCU Run key and the drop directory are both user-writable. A Run entry whose value points into AppData\Roaming is the check to run on a suspected host.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 51: api.ipify.org
- flow 52: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3260 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe) set thread context of PID 4332 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe)
Together with the eight WriteProcessMemory calls from 3260 into 4332 recorded under "Suspicious use of WriteProcessMemory", this is the RunPE/process-hollowing pattern (T1055.012): the loader starts a second copy of its own image, writes the decrypted payload into it and redirects the main thread.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information (2 TTPs, 2 IoCs)
Uses the ipconfig command-line utility. Note that the two invocations in this run are "ipconfig /release" and "ipconfig /renew" (see the process tree), which drop and re-acquire the DHCP lease rather than merely display the configuration.
Processes:
- PID 2628: ipconfig.exe
- PID 4912: ipconfig.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 4332: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
- PID 4332: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3260, 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
- Token: SeDebugPrivilege, PID 4332, 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 4332: 92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID -> target PID, number of writes):
- 3260 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe) -> 2300 (cmd.exe): 3 writes
- 2300 (cmd.exe) -> 2628 (ipconfig.exe): 3 writes
- 3260 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe) -> 512 (cmd.exe): 3 writes
- 512 (cmd.exe) -> 4912 (ipconfig.exe): 3 writes
- 3260 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe) -> 4332 (92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe): 8 writes
The groups of three writes into each cmd.exe and ipconfig.exe child are the footprint of ordinary process creation as this sandbox logs it (even cmd.exe "writes" into ipconfig.exe) and carry no injection signal by themselves. The eight writes into a second instance of the sample's own image, followed by SetThreadContext on that instance, are the ones that matter.
Processes
- C:\Users\Admin\AppData\Local\Temp\92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe (PID 3260)
  command line: "C:\Users\Admin\AppData\Local\Temp\92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2300)
    command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2628)
      command line: ipconfig /release
      - Gathers network information
  - C:\Windows\SysWOW64\cmd.exe (PID 512)
    command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 4912)
      command line: ipconfig /renew
      - Gathers network information
  - C:\Users\Admin\AppData\Local\Temp\92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe (PID 4332)
    command line: C:\Users\Admin\AppData\Local\Temp\92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Two things stand out in the tree. First, the command lines say System32 but the images resolve to SysWOW64: the parent is a 32-bit process and file-system redirection rewrites the path, which matches the arch:x86 tag and the CLR_v4.0_32 usage log listed under Downloads. Second, the roles are split: PID 3260 is the loader (it releases and renews the DHCP lease, then hollows a fresh copy of itself), while PID 4332 is the hollowed copy running the actual stealer, which is why persistence, process enumeration and the SetWindowsHookEx call (consistent with a keyboard hook for keylogging) are attributed to it rather than to the parent.
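The following is an added example, not code from the sandbox report, that correlates the WriteProcessMemory, SetThreadContext and registry events recorded above (and summarised in the process tree) to tell "the sample re-launched itself and hollowed the child" apart from ordinary child creation, and to flag the Run key that points into a user-writable directory. EVENTS is constructed from this report's event lines with the counts the report gives; the "wrote to memory of" and "set thread context of" text shapes mirror the report, while the "set value" line format, the rule names and the Finding type are this example's own.

```python
"""
Added example (not from the sandbox report): correlate sandbox-style
WriteProcessMemory / SetThreadContext / registry events into findings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = "92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe")

# Constructed from the report: 3 writes per ordinary child, 8 into the
# second copy of the sample, one SetThreadContext, one Run key write.
EVENTS = (
    [f"PID 3260 wrote to memory of 2300 3260 {SAMPLE} cmd.exe"] * 3
    + ["PID 2300 wrote to memory of 2628 2300 cmd.exe ipconfig.exe"] * 3
    + [f"PID 3260 wrote to memory of 512 3260 {SAMPLE} cmd.exe"] * 3
    + ["PID 512 wrote to memory of 4912 512 cmd.exe ipconfig.exe"] * 3
    + [f"PID 3260 wrote to memory of 4332 3260 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 3260 set thread context of 4332 3260 {SAMPLE} {SAMPLE}"]
    + [f'PID 4332 set value (str) {RUN_KEY} = "C:\\Users\\Admin\\AppData\\Roaming\\adobe\\adobe.exe"']
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
# This example's own shape for registry writes (the report prints them as a table).
REG_RE = re.compile(r'^PID (\d+) set value \((\w+)\) (\S+) = "(.*)"$')


@dataclass(frozen=True)
class Finding:
    rule: str
    pids: Tuple[int, ...]
    count: int
    detail: str


def analyze(events: List[str]) -> List[Finding]:
    """Return findings for hollowing/injection and AppData Run-key persistence."""
    writes: Dict[Tuple[int, int], dict] = {}
    ctx: Set[Tuple[int, int]] = set()
    findings: List[Finding] = []

    for line in events:
        if m := WPM_RE.match(line):
            rec = writes.setdefault((int(m[1]), int(m[2])),
                                    {"src": m[3], "dst": m[4], "n": 0})
            rec["n"] += 1
        elif m := STC_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
        elif m := REG_RE.match(line):
            pid, path, value = int(m[1]), m[3], m[4]
            # HKCU\...\Run entries pointing into AppData need no elevation
            # and are the classic user-level persistence spot.
            if (re.search(r"\\CurrentVersion\\Run\\", path, re.I)
                    and re.search(r"\\AppData\\", value, re.I)):
                findings.append(Finding("run_key_in_appdata", (pid,), 1,
                                        f"{path} = {value}"))

    # Memory writes alone are noise (every CreateProcess produces some); a
    # write set paired with SetThreadContext on the same child is the signal.
    for (src, dst), w in writes.items():
        if (src, dst) not in ctx:
            continue
        if w["src"].lower() == w["dst"].lower():
            findings.append(Finding(
                "self_hollowing", (src, dst), w["n"],
                f"{w['src']} wrote {w['n']}x into a child running the same "
                f"image, then set its thread context"))
        else:
            findings.append(Finding(
                "thread_context_injection", (src, dst), w["n"],
                f"{w['src']} -> {w['dst']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:26} pids={f.pids} count={f.count}  {f.detail}")
```

The rule deliberately keys on the pair (writes, SetThreadContext) rather than on write count: the report shows the same three-write pattern for benign cmd.exe and ipconfig.exe children, so a count threshold alone would either miss real injection or fire on every process launch.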
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\92b5688c048ffe742eb8ba8b880cd60477db568a57e60dc1ce7a2dc65b4d9d73.exe.log
- Filesize: 1KB
- MD5: 8c2da65103d6b46d8cf610b118210cf0
- SHA1: 9db4638340bb74f2af3161cc2c9c0b8b32e6ab65
- SHA256: 0e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac
- SHA512: 3cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614
The .NET Framework 4 runtime writes this usage log when a managed assembly runs; its location under CLR_v4.0_32 confirms the sample executed as a 32-bit .NET program. The file is named after the executable and survives after the process exits, so the UsageLogs directory is worth checking on a suspected host even if the dropped copy has since been removed.