Analysis

max time kernel: 130s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2023 16:21
Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
Resource: win10v2004-20231130-en
General

Target: SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
Size: 704KB
MD5: a576153b3c74a904b1f8f45092615859
SHA1: 7f6b01f1271c4138a4f8bf38e9543afc0cfca582
SHA256: e8434c616498087ebeaa23ca1b164dc1c4ba49579d759035b3e46c0c17bd3c75
SHA512: 5502f1718cdacb8d21588c974955967fa56bdb1ed12e4618f3b159c1a3a514cc507a325bb67776b323c3e43c740c945111584fb9c1ada3a9a6ff39f2dffe8d69
SSDEEP: 12288:WEjuxvGmhyeQsIVTTcagHHG5N4MAHKGiOgHos2VAiOji8wuQ5nH:dmQeQ1VTTh6MAZ4oscghwT5n
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.amtechcards.com
Port: 587
Username: [email protected]
Password: ]i[a(tUWlmp%
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oIjuwq = "C:\\Users\\Admin\\AppData\\Roaming\\oIjuwq\\oIjuwq.exe"
  Process: RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 5092 set thread context of 2856
  pid: 5092
  Process: WerFault.exe
  procid_target: 109

Program crash (1 IoC)
  pid: 3748
  pid_target: 2856
  Process: WerFault.exe
  procid_target: 109

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 5064
  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  5092  SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
  5092  SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
  5092  WerFault.exe
  2388  powershell.exe
  2388  powershell.exe
  2856  RegSvcs.exe
  2856  RegSvcs.exe
  2856  RegSvcs.exe
  2388  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                     pid   Process
  Token: SeDebugPrivilege         5092  SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
  Token: SeDebugPrivilege         2388  powershell.exe
  Token: SeDebugPrivilege         2856  RegSvcs.exe
  Token: SeManageVolumePrivilege  3432  svchost.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process       procid_target
  PID 5092 wrote to memory of 2388  5092  WerFault.exe  108
  PID 5092 wrote to memory of 2388  5092  WerFault.exe  108
  PID 5092 wrote to memory of 2388  5092  WerFault.exe  108
  PID 5092 wrote to memory of 5064  5092  WerFault.exe  105
  PID 5092 wrote to memory of 5064  5092  WerFault.exe  105
  PID 5092 wrote to memory of 5064  5092  WerFault.exe  105
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
  PID 5092 wrote to memory of 2856  5092  WerFault.exe  109
Processes (indented by process-tree depth; each entry lists the image path, then the command line)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29741.10451.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5092

  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUHGAJnhSxVB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B4A.tmp"
    - Creates scheduled task(s)
    PID: 5064

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hUHGAJnhSxVB.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2388

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2856

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1860
      - Program crash
      PID: 3748

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2856 -ip 2856
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5092

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 3784

C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
  PID: 3432
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: a53c19a1af99e8ce31b3443f401ce9c8
SHA1: f01130ba6fc08db9492b704ffb97fe993e3ca6c7
SHA256: 8d6a03f0a4833cad47f25230855c61285a7b8fa21c1848f51dae16e4852da144
SHA512: 20a4ce1c708bdf5a4872adec1d41b5f3621fcf81106a1383f94e170da2a9f3e2659fbf8a1bfabb0c769a3beac2a1ebf5b03b91a378f549e92e78430a613ad55e