Analysis

- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 06:59
Static task: static1

Behavioral task: behavioral1
- Sample: TEKLİF TALEP_xlsx.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: TEKLİF TALEP_xlsx.exe
- Resource: win10v2004-20240226-en
General

- Target: TEKLİF TALEP_xlsx.exe
- Size: 668KB
- MD5: b2ebfbb63f7ccdff15e24e4ff801c986
- SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
- SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
- SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- SSDEEP: 12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: cp8nl.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Executes dropped EXE (1 IoC)
  Processes: PID 2604 svchost.exe

- Loads dropped DLL (6 IoCs)
  Processes: PID 2648 cmd.exe; PID 2448 WerFault.exe (5 entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: TEKLİF TALEP_xlsx.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""

- Suspicious use of SetThreadContext (1 IoC)
  PID 2604 svchost.exe set thread context of PID 2736 AddInProcess32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Delays execution with timeout.exe (1 IoC)
  Processes: PID 2444 timeout.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated entries collapsed): PID 2864 TEKLİF TALEP_xlsx.exe; PID 2604 svchost.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2864 TEKLİF TALEP_xlsx.exe
  Token: SeDebugPrivilege, PID 2604 svchost.exe
  Token: SeDebugPrivilege, PID 2736 AddInProcess32.exe

- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (repeated entries collapsed):
  PID 2864 TEKLİF TALEP_xlsx.exe wrote to memory of PID 2264 cmd.exe
  PID 2864 TEKLİF TALEP_xlsx.exe wrote to memory of PID 2648 cmd.exe
  PID 2264 cmd.exe wrote to memory of PID 2636 schtasks.exe
  PID 2648 cmd.exe wrote to memory of PID 2444 timeout.exe
  PID 2648 cmd.exe wrote to memory of PID 2604 svchost.exe
  PID 2604 svchost.exe wrote to memory of PID 2736 AddInProcess32.exe
  PID 2604 svchost.exe wrote to memory of PID 2448 WerFault.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    - C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2604 -s 732
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat
  Filesize: 151B
  MD5: d6ea2d5d65e2c9f513b84409aedb09ac
  SHA1: f829aba9764bb1123d12657034e8f05d6377febe
  SHA256: 44fc358f8f4b8142f1bd6366aac246d335677845e484ebd5086d49dd207e3f11
  SHA512: e4e4342b7ae026a1f3b8096184ec5349c20cf832b927a1ec3dff2b19fd8cf023b4b4607be82a991bb696298a3154f79adc6dc9c6050f893e8e4763298545800b

- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 668KB
  MD5: b2ebfbb63f7ccdff15e24e4ff801c986
  SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
  SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
  SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- memory/2604-19-0x0000000000040000-0x000000000005A000-memory.dmp (Filesize: 104KB)
- memory/2604-38-0x000000001B360000-0x000000001B3E0000-memory.dmp (Filesize: 512KB)
- memory/2604-37-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp (Filesize: 9.9MB)
- memory/2604-20-0x000000001B360000-0x000000001B3E0000-memory.dmp (Filesize: 512KB)
- memory/2604-18-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp (Filesize: 9.9MB)
- memory/2736-26-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2736-39-0x0000000074820000-0x0000000074F0E000-memory.dmp (Filesize: 6.9MB)
- memory/2736-24-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-23-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-22-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-21-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-36-0x0000000074820000-0x0000000074F0E000-memory.dmp (Filesize: 6.9MB)
- memory/2736-30-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2736-28-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2864-0-0x0000000000890000-0x00000000008AA000-memory.dmp (Filesize: 104KB)
- memory/2864-13-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp (Filesize: 9.9MB)
- memory/2864-2-0x000000001B200000-0x000000001B280000-memory.dmp (Filesize: 512KB)
- memory/2864-1-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp (Filesize: 9.9MB)
- memory/2864-3-0x000000001B3F0000-0x000000001B484000-memory.dmp (Filesize: 592KB)