Overview

overview

10

Static

static

3

TEKLİF TA...sx.exe

windows7-x64

10

TEKLİF TA...sx.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TEKLİF TALEP_xlsx.exe

  • Size

    668KB

  • MD5

    b2ebfbb63f7ccdff15e24e4ff801c986

  • SHA1

    584079acf1abc206fca557907ab0c258ebc21a9a

  • SHA256

    9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

  • SHA512

    dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

  • SSDEEP

    12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2544
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2640
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2688 -s 736
          4⤵
          • Loads dropped DLL
          PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat
    Filesize

    151B

    MD5

    19ec435b1a0be23ef1a9e86bc4291f32

    SHA1

    36504d8366ea847c35b83d8704b547210b58756a

    SHA256

    9e4972973e3e1a2f95bdfce15bb1ec56172acd570167447d86633aa7b65e0b35

    SHA512

    28ffb822131e441f049bae1c4d959165db65f7966c05049b7152b95b8016b042f0ed9435a805215997407a66f53091078a6ea05a2d51560501015362185c0f44

    Download Submit
  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    668KB

    MD5

    b2ebfbb63f7ccdff15e24e4ff801c986

    SHA1

    584079acf1abc206fca557907ab0c258ebc21a9a

    SHA256

    9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

    SHA512

    dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

    Download Submit
  • memory/2192-0-0x00000000001C0000-0x00000000001DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2192-1-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2192-2-0x000000001B3E0000-0x000000001B460000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2192-3-0x000000001B320000-0x000000001B3B4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2192-12-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2448-21-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2448-43-0x0000000074C10000-0x00000000752FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2448-39-0x0000000074C10000-0x00000000752FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2448-25-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-23-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-27-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-34-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-30-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-32-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2688-19-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2688-18-0x0000000000BA0000-0x0000000000BBA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2688-41-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2688-42-0x000000001B180000-0x000000001B200000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2688-20-0x000000001B180000-0x000000001B200000-memory.dmp
    Filesize

    512KB

    Download