Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
- submitted: 11-12-2023 11:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.PWSX-gen.32352.exe
- Resource: win7-20231023-en
General
- Target: SecuriteInfo.com.Win32.PWSX-gen.32352.exe
- Size: 621KB
- MD5: 12528895f0306755c4fdee8ba97d89d1
- SHA1: 408636fe1438ba5f210705057beaf9a746ea83f6
- SHA256: 4dd2869a36c4b826221c8b8131503fd48d3e8871af1ba2405823947c9915de74
- SHA512: b139b1a7d08833490e4fa3872391a4b953e0fd97700e46315d86ac41243368b02c3de1d36621e1b9e430018867a9b0211fc48a7c9d1a68cc17af685ce18cb0c7
- SSDEEP: 12288:L3IU8S6eUdsQKwNsP4xcI1MJwNfA/R4lPd5V18EENHSkkEDWYAj:7ItSAdsQK3I1RNfA/RwP1hENHSkkEKD
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.precise.co.in
- Port: 587
- Username: [email protected]
- Password: Singh@2022$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  Processes:
  resource: behavioral1/memory/1932-3-0x0000000000980000-0x0000000000998000-memory.dmp | yara_rule: family_zgrat_v1
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.32352.exe
  description: PID 1932 set thread context of 3004 | pid: 1932 | process: SecuriteInfo.com.Win32.PWSX-gen.32352.exe | target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.32352.exe, RegSvcs.exe, powershell.exe, powershell.exe
  pid | process:
  1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe (7 entries)
  3004 | RegSvcs.exe (2 entries)
  2768 | powershell.exe
  2864 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.32352.exe, RegSvcs.exe, powershell.exe, powershell.exe
  description | pid | process:
  Token: SeDebugPrivilege | 1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe
  Token: SeDebugPrivilege | 3004 | RegSvcs.exe
  Token: SeDebugPrivilege | 2768 | powershell.exe
  Token: SeDebugPrivilege | 2864 | powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.32352.exe
  description | pid | process | target process:
  PID 1932 wrote to memory of 2768 | 1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe | powershell.exe (4 entries)
  PID 1932 wrote to memory of 2864 | 1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe | powershell.exe (4 entries)
  PID 1932 wrote to memory of 2728 | 1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe | schtasks.exe (4 entries)
  PID 1932 wrote to memory of 3004 | 1932 | SecuriteInfo.com.Win32.PWSX-gen.32352.exe | RegSvcs.exe (12 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe (PID 1932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2768)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ulsrayNTRmtgvg.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 2728)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ulsrayNTRmtgvg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD52A.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3004)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ba762edcf7e8bb07cf184345340ee6a3
  SHA1: 13fdba97ff72a20c6aa2004e9dff3f64e8899b11
  SHA256: 40ffd659252a659b1fc365b5a902c2097a49ac67dfced8a032e62c22115662ed
  SHA512: 6f884f1ab7ca28b3598adc71cf9d6440c6687856e2acbea2a1a3d58443076cd16df53e2b9137dd36e797ce60447413fab66d6f805216f6bb90cc457d8b0eea34
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYPT24NB0PVDZ7HEN06L.temp
  Filesize: 7KB
  MD5: 5e7606814756e569d0c41798f4fe074c
  SHA1: 243bcd6f687e8afeaf60df9969788ed4a50e4ae0
  SHA256: d36739591ff4d2bec75b74d78f70926715d6c9d7a423ac91de2ff5a4e7a8db73
  SHA512: 223a74ef4ad2ab747cf329e94e1d9457de324c319473bccac0e3a1f1398321ee6a3483812ad7b1d31c89e67c2872ee9edf15135491a8949a819a04ceabb7d54b