Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29-01-2024 16:26
General
-
Target
804e6c9e35ced60e4f63166b0b1e6431.exe
-
Size
404KB
-
MD5
804e6c9e35ced60e4f63166b0b1e6431
-
SHA1
0617a7247a93933fa72cc17a369467a393847734
-
SHA256
696f8a6a73cfa9a84daf49781b0bd93e3a6ce36cda1330450b511706983dccb4
-
SHA512
0db3813f8fc5df8ed83a93ba44927e7e8134b5c30a45bcb0f3d003f92a04ebbfb81310fa79481c583a05638ce5b0ed0dead9ec9c07d71cb0ed2a4a424e26c184
-
SSDEEP
12288:6aOR+AzP3tHBHxFnT+VQaL95JcrzQURul5lAbUJ8EVPG:6T8ATlBRkVz9IzjR6
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mediszintech.com - Port:
587 - Username:
[email protected] - Password:
TC!%EOL8
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\804e6c9e35ced60e4f63166b0b1e6431.exe"C:\Users\Admin\AppData\Local\Temp\804e6c9e35ced60e4f63166b0b1e6431.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\weHtmYs.ps1"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\804e6c9e35ced60e4f63166b0b1e6431.exe"{path}"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RULdIrTA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7956.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\804e6c9e35ced60e4f63166b0b1e6431.exe"{path}"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\804e6c9e35ced60e4f63166b0b1e6431.exe.logFilesize
139B
MD5b226ddb0f6213e848e868253270d2ee4
SHA19d9b43c46b5a5573cd4e521293413ad9c55ef5b9
SHA2569fcd51e732baf44df777525aca99cd16a693190659f9cab66263fd2393fb87f1
SHA512b4f46b90bb116fffd16924b1911ab9b280c74977344788bad0db8b60818f8126efa830d282df4a97aa542d1c9ea48e445d7dd77ac33c3fda5e745787fcd74e8c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2pmyrvc.e0g.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp7956.tmpFilesize
1KB
MD568ac75048456c366e59cc0acdbf3fe7b
SHA136ecbba6fa75166e8971e26e497c742aae683ba6
SHA256a133c6fc3666bb1701c5d57f1a21523a25544c9028d41f5d08cf7dfabaabd25e
SHA512d483cb22fc2a07d86790f162d2c277ef9c3a5fbea659d43678dd2899a65e4eaa817d0bc2fc538f339018b9eafec19edf59e365768467d4eedf72123945387369
-
C:\Users\Public\weHtmYs.ps1Filesize
24KB
MD554c60141db7cc6351f76dd7fed19a575
SHA15336083aee420b40d3ebb3eab56a4afd7d0fc9bc
SHA256869f514fecc74a2444b49990f0a975c681af67b946a66c13af77d8bc14e45a11
SHA512a34157249f6b6f462c98cd587abdb9914e50515de5953197ee15fb81bd7b57ef48aff470fee806f258f34b1e29b56f521ac3eb092d678348bcc27f3de60e0f96
-
memory/3184-34-0x0000000000400000-0x0000000000454000-memory.dmpFilesize
336KB
-
memory/3184-36-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3184-37-0x0000000005C20000-0x00000000061C4000-memory.dmpFilesize
5.6MB
-
memory/3184-45-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3916-46-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3916-47-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/3916-50-0x0000000005000000-0x0000000005018000-memory.dmpFilesize
96KB
-
memory/3916-55-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3916-44-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/3916-56-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/3916-57-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/3916-58-0x00000000062A0000-0x00000000062AA000-memory.dmpFilesize
40KB
-
memory/3916-60-0x0000000004EA0000-0x0000000004EB0000-memory.dmpFilesize
64KB
-
memory/3928-20-0x00000000052B0000-0x0000000005316000-memory.dmpFilesize
408KB
-
memory/3928-12-0x0000000005370000-0x0000000005998000-memory.dmpFilesize
6.2MB
-
memory/3928-32-0x00000000071F0000-0x000000000725C000-memory.dmpFilesize
432KB
-
memory/3928-30-0x00000000071A0000-0x00000000071A8000-memory.dmpFilesize
32KB
-
memory/3928-33-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/3928-28-0x00000000070E0000-0x0000000007124000-memory.dmpFilesize
272KB
-
memory/3928-27-0x0000000006010000-0x000000000605C000-memory.dmpFilesize
304KB
-
memory/3928-26-0x0000000005F60000-0x0000000005F7E000-memory.dmpFilesize
120KB
-
memory/3928-25-0x0000000005AA0000-0x0000000005DF4000-memory.dmpFilesize
3.3MB
-
memory/3928-42-0x00000000076A0000-0x0000000007716000-memory.dmpFilesize
472KB
-
memory/3928-14-0x0000000005240000-0x00000000052A6000-memory.dmpFilesize
408KB
-
memory/3928-9-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3928-13-0x00000000050A0000-0x00000000050C2000-memory.dmpFilesize
136KB
-
memory/3928-31-0x0000000007290000-0x0000000007322000-memory.dmpFilesize
584KB
-
memory/3928-11-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/3928-48-0x0000000007DA0000-0x000000000841A000-memory.dmpFilesize
6.5MB
-
memory/3928-49-0x0000000007520000-0x000000000753A000-memory.dmpFilesize
104KB
-
memory/3928-8-0x0000000004BB0000-0x0000000004BE6000-memory.dmpFilesize
216KB
-
memory/3928-51-0x0000000074260000-0x0000000074A10000-memory.dmpFilesize
7.7MB
-
memory/3928-52-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/3928-54-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/3928-10-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/4080-0-0x0000000074550000-0x0000000074D00000-memory.dmpFilesize
7.7MB
-
memory/4080-5-0x0000000074550000-0x0000000074D00000-memory.dmpFilesize
7.7MB
-
memory/4080-2-0x0000000005820000-0x00000000058BC000-memory.dmpFilesize
624KB
-
memory/4080-1-0x0000000000D90000-0x0000000000DFC000-memory.dmpFilesize
432KB