Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 02:29
Static task: static1
Behavioral task: behavioral1
- Sample: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
- Resource: win10v2004-20240319-en
General
- Target: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
- Size: 610KB
- MD5: 66e196c15ec46d1e7526b1c48da1b72a
- SHA1: f9b2dc950a21c296aaf57a013c3f4e93f8ebbad2
- SHA256: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9
- SHA512: f8d8241d5af76033ba83caff888d325285110356b8e35175260a912cf416670465d218d7c550b9f15cc969bc2f53381cb8e41dd4f9a859cae65e4df600b6f851
- SSDEEP: 12288:yRfHhxVzsP5wzyNwv5gs3MjeNPq0wKrCHrT3GQzRVPUYvV3L2dXEg:yXxU5wzaktc4PEWCHfGQzbPfvFydXEg
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: cp8nl.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
UAC bypass
Processes: svchost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: svchost.exe)
Executes dropped EXE 1 IoCs
Processes: svchost.exe
- PID 2432 svchost.exe
Loads dropped DLL 6 IoCs
Processes: cmd.exe, WerFault.exe
- PID 2728 cmd.exe
- PID 2628 WerFault.exe (listed 5 times)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (process: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe)
Checks whether UAC is enabled
Processes: svchost.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: svchost.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: svchost.exe
- PID 2432 (svchost.exe) set thread context of PID 1928 (regasm.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
- PID 1648 timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe, svchost.exe
- PID 2204 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe (repeated)
- PID 2432 svchost.exe (repeated)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe, svchost.exe, powershell.exe, regasm.exe
- Token: SeDebugPrivilege, PID 2204 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
- Token: SeDebugPrivilege, PID 2432 svchost.exe
- Token: SeDebugPrivilege, PID 2420 powershell.exe
- Token: SeDebugPrivilege, PID 1928 regasm.exe
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe, cmd.exe, cmd.exe, svchost.exe
- PID 2204 (8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe) wrote to memory of PID 2116 (cmd.exe), 3 entries
- PID 2204 (8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe) wrote to memory of PID 2728 (cmd.exe), 3 entries
- PID 2728 (cmd.exe) wrote to memory of PID 1648 (timeout.exe), 3 entries
- PID 2116 (cmd.exe) wrote to memory of PID 2664 (schtasks.exe), 3 entries
- PID 2728 (cmd.exe) wrote to memory of PID 2432 (svchost.exe), 3 entries
- PID 2432 (svchost.exe) wrote to memory of PID 2420 (powershell.exe), 3 entries
- PID 2432 (svchost.exe) wrote to memory of PID 1928 (regasm.exe), 12 entries
- PID 2432 (svchost.exe) wrote to memory of PID 2628 (WerFault.exe), 3 entries
System policy modification 1 TTPs 1 IoCs
Processes: svchost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: svchost.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe (PID 2204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2116)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2664)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 2728)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp758D.tmp.bat""
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 1648)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2432)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2420)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (PID 1928)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\WerFault.exe (PID 2628)
        Command line: C:\Windows\system32\WerFault.exe -u -p 2432 -s 832
        Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp758D.tmp.bat
  Filesize: 151B
  MD5: 8805cd9be32ad32d09dee5a04b102fc6
  SHA1: 2545ed2d48e545ac33da3cf758573b676d0c97d2
  SHA256: f86e1b38eb7163879716573659ea5a5af42f411df99d7e95dc97d582452b111e
  SHA512: 632f1ea4557a61b93d0ef5ab905af952c8a8f4bb6aef1e5761d59358954c79422c2dd2417bcb4396c7d1f7337035e8c75e2943829cd19c2cf48b019f0281fe31
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 610KB
  MD5: 66e196c15ec46d1e7526b1c48da1b72a
  SHA1: f9b2dc950a21c296aaf57a013c3f4e93f8ebbad2
  SHA256: 8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9
  SHA512: f8d8241d5af76033ba83caff888d325285110356b8e35175260a912cf416670465d218d7c550b9f15cc969bc2f53381cb8e41dd4f9a859cae65e4df600b6f851