Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2023 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1349f4cdeeff77f8e18cddb241f3e425.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 1349f4cdeeff77f8e18cddb241f3e425.exe
  Resource: win10v2004-20231127-en
General
Target: 1349f4cdeeff77f8e18cddb241f3e425.exe
Size: 878KB
MD5: 1349f4cdeeff77f8e18cddb241f3e425
SHA1: f631ca6cb8897a6d052f09df9c278f16088aa25e
SHA256: 410ef6d906ba484fc887ccde242ff8f0057fe55c338a7e4dc9d7be4ed94c7f9a
SHA512: 3ed9368e40be9803b0f9590d1f67e4dddad886a3551e52915a042a36fa7813d5556e78034d9a6297c9aefef3da5203bc9fb1bb013dd57e09a121f66dc77b82cd
SSDEEP: 24576:P7EcmNaAnMM0Xc4H0KZCbhDjoJfMpxXM+u7vR/k4k:wRBfAdZCbtjogxFgRE
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6225333215:AAFu6RyUqp4Klj6s7zuEWrA78AFP6bYaof8/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2868  1349f4cdeeff77f8e18cddb241f3e425.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\TulzXve = "C:\\Users\\Admin\\AppData\\Roaming\\TulzXve\\TulzXve.exe"
  process: msbuild.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  8     api.ipify.org
  9     api.ipify.org
-
Drops file in System32 directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\octocoralline\udflet.kly
  process: 1349f4cdeeff77f8e18cddb241f3e425.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
  pid  process
  568  msbuild.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid   process
  2868  1349f4cdeeff77f8e18cddb241f3e425.exe
  568   msbuild.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 2868 set thread context of 568
  pid: 2868
  process: 1349f4cdeeff77f8e18cddb241f3e425.exe
  target process: msbuild.exe
-
Drops file in Program Files directory (1 IoC)
Processes:
  description: File created
  ioc: C:\Program Files (x86)\Alkoholpaavirkede.lnk
  process: 1349f4cdeeff77f8e18cddb241f3e425.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\Fonts\sttemaskinerne.aft
  process: 1349f4cdeeff77f8e18cddb241f3e425.exe

  description: File opened for modification
  ioc: C:\Windows\pau.anl
  process: 1349f4cdeeff77f8e18cddb241f3e425.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  process
  568  msbuild.exe
  568  msbuild.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  2868  1349f4cdeeff77f8e18cddb241f3e425.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 568
  process: msbuild.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid  process
  568  msbuild.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      pid   process                               target process
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
  PID 2868 wrote to memory of 568  2868  1349f4cdeeff77f8e18cddb241f3e425.exe  msbuild.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\1349f4cdeeff77f8e18cddb241f3e425.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1349f4cdeeff77f8e18cddb241f3e425.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 2868
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1349f4cdeeff77f8e18cddb241f3e425.exe"
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 23B
MD5: c92bd40da0253a8950d8212a10a45b7a
SHA1: 51b8c9ec204739dc6533aedb479e2246dc6c814e
SHA256: 66254a3eeb63222b02602732fac5e85f080d77c5e257e138864931763fb955fb
SHA512: 26cc58e0e7aceea7e1f3083fa8ca7e231ca71616006d34a5b73de93f1edbcb2904ab246f0ae241f2fcd51c93f467757081c381c57e1de8c77a2a8695ec4ac4e1
-
Filesize: 12KB
MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9