Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 06:13
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Win32.PWSX-gen.29615.exe
  - Resource: win7-20231023-en
General
- Target: SecuriteInfo.com.Win32.PWSX-gen.29615.exe
- Size: 646KB
- MD5: 8b2c546750137d4cbce416cd031e7c88
- SHA1: 7775afe55e151330c6ba7f34808de5e13b9d990d
- SHA256: 9c0346e08a28cec8ab5be231e650450bbf64ebc42a14169e755ed9badef3b630
- SHA512: 77a3057ed7d517704126b9662d9d0b8e2400e70276e14244d6f60efccd0a8b1681aae2edc71becea3e591ed9b8586efcaa3b17a92920b2ba35e7ef4a7c602abb
- SSDEEP: 12288:3m3IU8S6eUdgOcP3bHoRrU++6aZ9mQafptczaJrlPrs4f:3cItSAdgOiToRrUR62pKeglPg
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.2sautomobile.com
- Port: 587
- Username: [email protected]
- Password: Kenzi051008
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  Processes:
  resource: behavioral1/memory/2108-3-0x0000000000690000-0x00000000006A8000-memory.dmp
  yara_rule: family_zgrat_v1
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe set thread context of PID 2084 RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process, number of events):
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe (9)
  PID 2436 powershell.exe (1)
  PID 2660 powershell.exe (1)
  PID 2084 RegSvcs.exe (2)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  Token: SeDebugPrivilege  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe
  Token: SeDebugPrivilege  PID 2436 powershell.exe
  Token: SeDebugPrivilege  PID 2660 powershell.exe
  Token: SeDebugPrivilege  PID 2084 RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (source pid/process wrote to memory of target pid/process, number of events):
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe wrote to memory of PID 2660 powershell.exe (4)
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe wrote to memory of PID 2436 powershell.exe (4)
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe wrote to memory of PID 2616 schtasks.exe (4)
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe wrote to memory of PID 2496 RegSvcs.exe (7)
  PID 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe wrote to memory of PID 2084 RegSvcs.exe (12)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe (PID 2108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2660)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YyuYEkUmnRX.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2616)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyuYEkUmnRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5C1.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2496)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2084)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1KB
  MD5: 27a1be849360a98e91086699f262dcab
  SHA1: b14f39c777ee2b32b305cafc34e278c861ba077f
  SHA256: f51fa0d9dbebbd0e94af9ab78e1caefcc3d68ea1f88769bd5350da8148741941
  SHA512: d38c5f17a60bf742752888f5772e0a5fc2c8858309af2993fd0f3495620a2359dc36b70e85b617f1980154a54ef3fdb81d861417d208e54042bd92266a24103c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VX33KVGW2Z8XTUGFVTUW.temp
  Filesize: 7KB
  MD5: f23843c4b1a4b2b1b2a5641b3f748b7f
  SHA1: a45e6bfb26d08af37bc95bddaf5abf9e0c16f718
  SHA256: c201ee605d0be4811f59d68ac2331cef7eaf177e445b99f5b0b89cfdf14cc994
  SHA512: ef02914542f7a8794e6b58f5609bc8b7fe38325424fbd74c6c54d246b02d5b160950e791aadcef7fab199f3890c871346ff2bf9bdb7e960cbff2a8bbde6b3a0c