Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
26-03-2024 15:00
Static task
static1
Behavioral task
behavioral1
Sample
JUSTIF.TRANSF..exe
Resource
win7-20240221-en
General
-
Target
JUSTIF.TRANSF..exe
-
Size
798KB
-
MD5
fb029eca94061f0186fc8701bdc85c77
-
SHA1
08231601ad4894e80dc1bd323456ed5e4cacb13c
-
SHA256
d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6
-
SHA512
f46da4da503d580eb9fb9648141375f1a5c244d6832a7c426d65337d0e7cec6f515ae1ee9a0921002c4d04b99b01b09775ffe8823e9a557f0ff78aee57cf07d4
-
SSDEEP
12288:R6dum27u49Zr7EwcCiCXZHvyK7m2GtW8rTRpJ9ShOWQ7G/GFH9eo:R6dufltdcCpPyPW8rTRp6I8+deo
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7189076260:AAHEL9QuHqQcKXN8kPXNO5BpYSd3XtQOqFg/
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic; in this run it exfiltrates over the Telegram Bot API listed under Malware Config.
-
UAC bypass
Turns User Account Control off by writing EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Writing that HKLM key already requires administrative rights (the sandbox ran the sample as Admin), and the setting only takes effect after a restart; the payoff is that later elevations no longer prompt.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JUSTIF.TRANSF..exe
-
Checks whether UAC is enabled
Reads the current EnableLUA value before overwriting it.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JUSTIF.TRANSF..exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JUSTIF.TRANSF..exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | api.ipify.org
5 | api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
Setting the thread context of another process, here a freshly spawned jsc.exe, is the process-hollowing step that points the suspended main thread at injected code; read it together with the WriteProcessMemory entries below, which show the same parent writing into the same child.
Processes:
description | pid | process | target process
PID 2332 set thread context of 2852 | 2332 | JUSTIF.TRANSF..exe | jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
pid | process | entries
2332 | JUSTIF.TRANSF..exe | 31
2372 | powershell.exe | 1
2852 | jsc.exe | 2
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2332 | JUSTIF.TRANSF..exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 2852 | jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
The hook is installed from jsc.exe, the hollowing target, not from the original sample; a Windows hook is how a keylogger receives keystrokes, which matches Agent Tesla's credential and keystroke collection.
Processes:
pid | process
2852 | jsc.exe
Suspicious use of WriteProcessMemory 22 IoCs
All 22 writes originate from the sample (PID 2332); grouped by target:
Processes:
description | pid | process | target process | writes
PID 2332 wrote to memory of 2372 | 2332 | JUSTIF.TRANSF..exe | powershell.exe | 3
PID 2332 wrote to memory of 3060 | 2332 | JUSTIF.TRANSF..exe | installutil.exe | 7
PID 2332 wrote to memory of 2852 | 2332 | JUSTIF.TRANSF..exe | jsc.exe | 9
PID 2332 wrote to memory of 2680 | 2332 | JUSTIF.TRANSF..exe | WerFault.exe | 3
The three writes each into powershell.exe and WerFault.exe are consistent with the writes CreateProcess itself makes into a new child. installutil.exe receives seven writes but shows no further activity in this run, whereas jsc.exe receives nine and afterwards adjusts privileges and installs a hook, so jsc.exe is the hollowing target that actually ran.
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JUSTIF.TRANSF..exe
Processes
-
PID 2332  C:\Users\Admin\AppData\Local\Temp\JUSTIF.TRANSF..exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\JUSTIF.TRANSF..exe"
          - UAC bypass
          - Checks whether UAC is enabled
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
  PID 2372  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (child of 2332)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\JUSTIF.TRANSF..exe" -Force
            Adds a Windows Defender path exclusion for the sample's own executable.
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
  PID 3060  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe  (child of 2332)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            Launched with no arguments; receives WriteProcessMemory calls from 2332 but shows no further activity in this run.
  PID 2852  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (child of 2332)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Launched with no arguments; the hollowing target (SetThreadContext and WriteProcessMemory from 2332) that goes on to run the payload. Note the path: this is the 32-bit Framework directory, so a 64-bit parent hollowed a 32-bit host.
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
  PID 2680  C:\Windows\system32\WerFault.exe  (child of 2332)
            Command line: C:\Windows\system32\WerFault.exe -u -p 2332 -s 884
            Windows Error Reporting for a fault in 2332 itself (-p 2332).
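The behaviours above (EnableLUA set to 0, the Add-MpPreference exclusion, argument-less .NET utilities used as hollowing hosts, the ipify lookup) and the Telegram C2 from the Malware Config section can be turned into host-side hunting logic. The following is an added example, not code from the sandbox or from Agent Tesla: it runs a handful of rules over constructed Sysmon-style event dicts (IDs 1, 13 and 22 plus a TLS-inspecting proxy record). All event data is constructed; the bot token is a placeholder rather than the one in the report, the attribution of the DNS and proxy events to jsc.exe is assumed (the report does not say which process resolved api.ipify.org), and the parent allow-list for build tools is an assumption to tune per environment.

```python
"""Hunt for this report's behaviours over constructed Sysmon-style events (added example)."""
import re
from urllib.parse import urlsplit

# .NET utilities this sample spawned with no arguments and wrote into (hollowing targets).
DOTNET_HOSTS = {"jsc.exe", "installutil.exe"}
# Assumption: parents that legitimately launch these tools; tune for your environment.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def telegram_indicator(c2_url: str):
    """Reduce an Agent Tesla Telegram C2 URL to what a proxy rule needs.

    Bot tokens have the form <bot_id>:<secret>; matching on '/bot<bot_id>:' pins
    this bot without copying the secret part into a detection rule. Returns None
    for configs that are not Telegram (SMTP/FTP variants need other indicators).
    """
    parts = urlsplit(c2_url)
    m = re.match(r"/bot(\d+):", parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        return None
    return {"host": "api.telegram.org", "bot_id": m.group(1),
            "uri_prefix": "/bot" + m.group(1) + ":"}


def check_event(ev: dict, ind) -> list:
    """Return the rule names one event trips (an event may trip several)."""
    hits = []
    img = basename(ev.get("image", ""))
    if ev["id"] == 13:  # registry value set
        if (ev["target"].lower().endswith(r"\policies\system\enablelua")
                and ev["details"].endswith("(0x00000000)")):
            hits.append("uac_disabled_in_registry")
    elif ev["id"] == 1:  # process create
        cmd = ev["cmdline"]
        if (re.search(r"add-mppreference\b.*-exclusionpath", cmd, re.I)
                and re.search(r"\\appdata\\local\\temp\\", cmd, re.I)):
            hits.append("defender_exclusion_for_temp_file")
        # A bare command line (just the quoted image path) is what a hollowing parent produces.
        bare = cmd.strip().strip('"').lower() == ev["image"].lower()
        if img in DOTNET_HOSTS and bare and basename(ev.get("parent", "")) not in BUILD_PARENTS:
            hits.append("dotnet_utility_launched_without_arguments")
    elif ev["id"] == 22:  # DNS query
        q = ev["query"].lower()
        if q == "api.ipify.org":
            hits.append("external_ip_lookup")
        if ind and q == ind["host"]:
            hits.append("telegram_api_resolved")
    elif ev["id"] == "proxy":  # proxy record carrying the request path (TLS inspected)
        if ind and ev["host"].lower() == ind["host"] and ev["uri"].startswith(ind["uri_prefix"]):
            hits.append("agenttesla_telegram_exfil")
    return hits


def scan(events: list, c2_url: str) -> dict:
    """Map each fired rule to the responsible image names, in first-seen order."""
    ind = telegram_indicator(c2_url)
    findings = {}
    for ev in events:
        for rule in check_event(ev, ind):
            findings.setdefault(rule, []).append(basename(ev.get("image", "")))
    return findings


# Constructed sample data: placeholder token (not the one in the report), paths from the tree.
C2 = "https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JUSTIF.TRANSF..exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
EVENTS = [
    {"id": 13, "image": SAMPLE, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"id": 1, "image": PS, "parent": SAMPLE,
     "cmdline": '"' + PS + '" Add-MpPreference -ExclusionPath "' + SAMPLE + '" -Force'},
    {"id": 1, "image": JSC, "parent": SAMPLE, "cmdline": '"' + JSC + '"'},
    # Benign: a build tool running the compiler with arguments must not fire.
    {"id": 1, "image": JSC, "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": '"' + JSC + '" /nologo /out:a.exe a.js'},
    {"id": 22, "image": JSC, "query": "api.ipify.org"},
    {"id": 22, "image": JSC, "query": "api.telegram.org"},
    {"id": "proxy", "image": JSC, "host": "api.telegram.org",
     "uri": "/bot1234567890:AAExampleTokenNotReal/sendDocument"},
]

if __name__ == "__main__":
    for rule, images in scan(EVENTS, C2).items():
        print(rule.ljust(42), ", ".join(images))
```

The rules key on behaviour rather than hashes: the EnableLUA write, the exclusion for a file under Temp, and a .NET compiler started with an empty command line each survive a repack of the sample, and the bot id prefix survives a token rotation as long as the operator keeps the same bot. The DNS rule alone is weak (api.telegram.org is common traffic), which is why the proxy record with the URI prefix is what escalates to the exfil verdict.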
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps, grouped by PID (the number after the PID is the capture index):

PID 2332 (JUSTIF.TRANSF..exe, 64-bit)
dump | size
memory/2332-0-0x0000000000DB0000-0x0000000000DEA000-memory.dmp | 232KB
memory/2332-1-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp | 9.9MB
memory/2332-2-0x000000001B1A0000-0x000000001B220000-memory.dmp | 512KB
memory/2332-3-0x000000001A7A0000-0x000000001A834000-memory.dmp | 592KB
memory/2332-30-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp | 9.9MB

PID 2372 (powershell.exe, 64-bit)
dump | size
memory/2372-8-0x000000001B330000-0x000000001B612000-memory.dmp | 2.9MB
memory/2372-9-0x0000000002670000-0x0000000002678000-memory.dmp | 32KB
memory/2372-10-0x000007FEED4E0000-0x000007FEEDE7D000-memory.dmp | 9.6MB
memory/2372-11-0x00000000024A0000-0x0000000002520000-memory.dmp | 512KB
memory/2372-12-0x000007FEED4E0000-0x000007FEEDE7D000-memory.dmp | 9.6MB
memory/2372-13-0x00000000024A0000-0x0000000002520000-memory.dmp | 512KB
memory/2372-14-0x00000000024A0000-0x0000000002520000-memory.dmp | 512KB
memory/2372-27-0x000007FEED4E0000-0x000007FEEDE7D000-memory.dmp | 9.6MB

PID 2852 (jsc.exe, 32-bit hollowing target)
dump | size
memory/2852-15-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-17-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-19-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-20-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/2852-22-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-24-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-26-0x0000000000400000-0x0000000000442000-memory.dmp | 264KB
memory/2852-28-0x0000000073CE0000-0x00000000743CE000-memory.dmp | 6.9MB
memory/2852-29-0x0000000004930000-0x0000000004970000-memory.dmp | 256KB
memory/2852-31-0x0000000073CE0000-0x00000000743CE000-memory.dmp | 6.9MB

Where to look: the 264KB region at 0x400000 in PID 2852 is the default 32-bit image base and is dumped seven times as the hollowed process is written and resumed, so it is the place to carve the unpacked payload from; the 4KB page at 0x7EFDE000 is the process's PEB. The multi-megabyte regions in the 0x000007FE... range (PIDs 2332 and 2372) and at 0x73CE0000 (PID 2852) fall in the system DLL ranges of Win7 x64 and its WOW64 layer and are loaded-module mappings, not payload.