Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 02:42
Static task: static1
Behavioral task: behavioral1
- Sample: INV.3175001503.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: INV.3175001503.exe
- Resource: win10v2004-20240226-en
General
- Target: INV.3175001503.exe
- Size: 708KB
- MD5: cc3d25e47bf31f862ecf842f2f174951
- SHA1: 91904f35dbe6a77a50766fef0d769674d96bd720
- SHA256: f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94
- SHA512: 81e3b6e106491777e31558eee7afca3324bde7df45beb3dd93fc9d040b5b5b32b694ad07197a8842636cf19ba50080ff28e8d437e1d4592f496047ddfc276f29
- SSDEEP: 12288:lCz/Ba5W2Meyb2GHVCAPwepEHIcQgS7bFnTMjt5a6hd1SeralhD:MrzlRZI6wOEocQgSXFTMZptrghD
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.aficofilters.com.eg
- Port: 587
- Username: [email protected]
- Password: mhds@852
- Email To: [email protected]
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables packed with SmartAssembly 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1728-4-0x0000000001EA0000-0x0000000001EAC000-memory.dmp   INDICATOR_EXE_Packed_SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process             target process
PID 1728 set thread context of 2508  1728  INV.3175001503.exe  RegSvcs.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
1728  INV.3175001503.exe
2516  powershell.exe
2608  powershell.exe
1728  INV.3175001503.exe
2508  RegSvcs.exe
2508  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1728  INV.3175001503.exe
Token: SeDebugPrivilege  2516  powershell.exe
Token: SeDebugPrivilege  2608  powershell.exe
Token: SeDebugPrivilege  2508  RegSvcs.exe
- Suspicious use of WriteProcessMemory 24 IoCs
Processes (identical rows collapsed, with the number of occurrences in the last column):
description                       pid   process             target process  occurrences
PID 1728 wrote to memory of 2516  1728  INV.3175001503.exe  powershell.exe  4
PID 1728 wrote to memory of 2608  1728  INV.3175001503.exe  powershell.exe  4
PID 1728 wrote to memory of 2536  1728  INV.3175001503.exe  schtasks.exe    4
PID 1728 wrote to memory of 2508  1728  INV.3175001503.exe  RegSvcs.exe     12
Processes
- C:\Users\Admin\AppData\Local\Temp\INV.3175001503.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV.3175001503.exe"
  PID: 1728
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INV.3175001503.exe"
    PID: 2516
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msumoHssgOfI.exe"
    PID: 2608
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\msumoHssgOfI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp"
    PID: 2536
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2508
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp
  Filesize: 1KB
  MD5: e8c16f636e87b5a05c97c6f4ecda8fa4
  SHA1: 80e7e339ce990817fe558de949efb582cb30fd4c
  SHA256: 14273ad7c3cfab8bb17d69bb86428ca5ca3d435d3b4913aee7fdc6edf06b8b7b
  SHA512: dadab4b4351f5f0801da34707d7a2ab2cfb89611baec170cdc8729409f6c52d7eb4aef6abc84480d7c0794aa49c52a7169ddedbbfc06c6414844d4f8f0e5e1fa
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 4b789b86c8eb2e6fc501b6043d1f8d60
  SHA1: b2ba136eebc0ae6acf1e40774486b6b47cc8d789
  SHA256: 3c92d63659cbe31bf6011aba8c99e1f940fd4b479a6d96bd8d599ee5a97606d7
  SHA512: 620d10a02b674b913f44aaa2f17fe9f4df0276de8dca641194d0f5f52716c91e22e18c6457664aaa786bdb882426df82ffa8243dfbd88f9a9212985a4faa18f4
Memory dumps (resource, filesize):
- memory/1728-0-0x0000000000320000-0x00000000003D6000-memory.dmp: 728KB
- memory/1728-1-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/1728-2-0x00000000021E0000-0x0000000002220000-memory.dmp: 256KB
- memory/1728-3-0x0000000001E40000-0x0000000001E52000-memory.dmp: 72KB
- memory/1728-4-0x0000000001EA0000-0x0000000001EAC000-memory.dmp: 48KB
- memory/1728-5-0x0000000005020000-0x00000000050A2000-memory.dmp: 520KB
- memory/1728-39-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/2508-23-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-25-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-43-0x0000000000AE0000-0x0000000000B20000-memory.dmp: 256KB
- memory/2508-42-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/2508-18-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-38-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/2508-32-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-35-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-20-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/2508-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2516-29-0x00000000025E0000-0x0000000002620000-memory.dmp: 256KB
- memory/2516-31-0x00000000025E0000-0x0000000002620000-memory.dmp: 256KB
- memory/2516-22-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB
- memory/2516-28-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB
- memory/2516-41-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB
- memory/2608-33-0x00000000028F0000-0x0000000002930000-memory.dmp: 256KB
- memory/2608-40-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB
- memory/2608-26-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB
- memory/2608-24-0x000000006F390000-0x000000006F93B000-memory.dmp: 5.7MB