Analysis
- max time kernel: 139s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2024 06:59

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample TEKLİF TALEP_xlsx.exe, resource win7-20240221-en
- Behavioral task: behavioral2, sample TEKLİF TALEP_xlsx.exe, resource win10v2004-20240226-en
General
- Target: TEKLİF TALEP_xlsx.exe
- Size: 668KB
- MD5: b2ebfbb63f7ccdff15e24e4ff801c986
- SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
- SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
- SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- SSDEEP: 12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU
Malware Config
- Extracted
  Protocol: smtp
  Host: cp8nl.hyperhost.ua
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#$
- Extracted (agenttesla)
  Protocol: smtp
  Host: cp8nl.hyperhost.ua
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#$
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: TEKLİF TALEP_xlsx.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 4172)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: TEKLİF TALEP_xlsx.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  PID 4172 svchost.exe set thread context of PID 3304 jsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 3340)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: TEKLİF TALEP_xlsx.exe (PID 2308) and svchost.exe (PID 4172); the 64 entries are repeated hits on these two processes.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 2308 TEKLİF TALEP_xlsx.exe
  Token SeDebugPrivilege: PID 4172 svchost.exe
  Token SeDebugPrivilege: PID 3304 jsc.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2308 TEKLİF TALEP_xlsx.exe wrote to memory of PID 4536 cmd.exe (2 events)
  PID 2308 TEKLİF TALEP_xlsx.exe wrote to memory of PID 4628 cmd.exe (2 events)
  PID 4536 cmd.exe wrote to memory of PID 4344 schtasks.exe (2 events)
  PID 4628 cmd.exe wrote to memory of PID 3340 timeout.exe (2 events)
  PID 4628 cmd.exe wrote to memory of PID 4172 svchost.exe (2 events)
  PID 4172 svchost.exe wrote to memory of PID 3304 jsc.exe (8 events)
  PID 4172 svchost.exe wrote to memory of PID 2228 jsc.exe (3 events)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3577.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3577.tmp.bat
  Filesize: 151B
  MD5: 868414d3c6a2d932ebd21e6302b54dc3
  SHA1: e606f27460f3e50d539e2d49e25f4a2542d46646
  SHA256: b2720b0e57be7b0b43f568fc54ca95ad44c6f79565703383e29902f9213e73d3
  SHA512: 2dd528ca06fbe38b5a211ba00983cbc700412018ece0a7011dd6059ae1380f6cb59f878738c983d651d1a885e493e5da0e6eb4bc1da1a98b388b70de65b1b207
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 668KB
  MD5: b2ebfbb63f7ccdff15e24e4ff801c986
  SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
  SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
  SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
Memory dumps
- memory/2308-0-0x000001EA41190000-0x000001EA411AA000-memory.dmp (104KB)
- memory/2308-1-0x00007FFD2C0A0000-0x00007FFD2CB61000-memory.dmp (10.8MB)
- memory/2308-2-0x000001EA5B5B0000-0x000001EA5B5C0000-memory.dmp (64KB)
- memory/2308-3-0x000001EA5C0F0000-0x000001EA5C166000-memory.dmp (472KB)
- memory/2308-4-0x000001EA5B6F0000-0x000001EA5B70E000-memory.dmp (120KB)
- memory/2308-5-0x000001EA5C170000-0x000001EA5C204000-memory.dmp (592KB)
- memory/2308-10-0x00007FFD2C0A0000-0x00007FFD2CB61000-memory.dmp (10.8MB)
- memory/3304-16-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/3304-17-0x00000000744A0000-0x0000000074C50000-memory.dmp (7.7MB)
- memory/3304-18-0x0000000005D50000-0x00000000062F4000-memory.dmp (5.6MB)
- memory/3304-19-0x0000000005790000-0x00000000057A0000-memory.dmp (64KB)
- memory/3304-20-0x0000000005610000-0x0000000005676000-memory.dmp (408KB)
- memory/3304-23-0x0000000006640000-0x00000000066DC000-memory.dmp (624KB)
- memory/3304-22-0x0000000006550000-0x00000000065A0000-memory.dmp (320KB)
- memory/3304-24-0x0000000006B40000-0x0000000006BD2000-memory.dmp (584KB)
- memory/3304-25-0x0000000006AC0000-0x0000000006ACA000-memory.dmp (40KB)
- memory/3304-26-0x00000000744A0000-0x0000000074C50000-memory.dmp (7.7MB)
- memory/3304-27-0x0000000005790000-0x00000000057A0000-memory.dmp (64KB)
- memory/4172-15-0x00007FFD2B9C0000-0x00007FFD2C481000-memory.dmp (10.8MB)
- memory/4172-21-0x00007FFD2B9C0000-0x00007FFD2C481000-memory.dmp (10.8MB)