Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 07:02

Static task: static1

Behavioral task: behavioral1
- Sample: TEKLİF TALEP_xlsx.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: TEKLİF TALEP_xlsx.exe
- Resource: win10v2004-20240226-en
General
- Target: TEKLİF TALEP_xlsx.exe
- Size: 668KB
- MD5: b2ebfbb63f7ccdff15e24e4ff801c986
- SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
- SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
- SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- SSDEEP: 12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: cp8nl.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 1 IoCs
Processes:
- pid 2688: svchost.exe
-
Loads dropped DLL 6 IoCs
Processes:
- pid 2532: cmd.exe
- pid 2524: WerFault.exe (listed 5 times)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) by TEKLİF TALEP_xlsx.exe: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2688 (svchost.exe) set thread context of PID 2448 (jsc.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- pid 2640: timeout.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 2192: TEKLİF TALEP_xlsx.exe (listed repeatedly)
- pid 2688: svchost.exe (listed repeatedly)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token SeDebugPrivilege: pid 2192 TEKLİF TALEP_xlsx.exe
- Token SeDebugPrivilege: pid 2688 svchost.exe
- Token SeDebugPrivilege: pid 2448 jsc.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
- PID 2192 (TEKLİF TALEP_xlsx.exe) wrote to memory of PID 2496 (cmd.exe), 3 entries
- PID 2192 (TEKLİF TALEP_xlsx.exe) wrote to memory of PID 2532 (cmd.exe), 3 entries
- PID 2496 (cmd.exe) wrote to memory of PID 2544 (schtasks.exe), 3 entries
- PID 2532 (cmd.exe) wrote to memory of PID 2640 (timeout.exe), 3 entries
- PID 2532 (cmd.exe) wrote to memory of PID 2688 (svchost.exe), 3 entries
- PID 2688 (svchost.exe) wrote to memory of PID 2448 (jsc.exe), 9 entries
- PID 2688 (svchost.exe) wrote to memory of PID 2524 (WerFault.exe), 3 entries
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat""
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2688 -s 736
        Signatures: Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat
  Filesize: 151B
  MD5: 19ec435b1a0be23ef1a9e86bc4291f32
  SHA1: 36504d8366ea847c35b83d8704b547210b58756a
  SHA256: 9e4972973e3e1a2f95bdfce15bb1ec56172acd570167447d86633aa7b65e0b35
  SHA512: 28ffb822131e441f049bae1c4d959165db65f7966c05049b7152b95b8016b042f0ed9435a805215997407a66f53091078a6ea05a2d51560501015362185c0f44
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 668KB
  MD5: b2ebfbb63f7ccdff15e24e4ff801c986
  SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
  SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
  SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- memory/2192-0-0x00000000001C0000-0x00000000001DA000-memory.dmp, Filesize: 104KB
- memory/2192-1-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp, Filesize: 9.9MB
- memory/2192-2-0x000000001B3E0000-0x000000001B460000-memory.dmp, Filesize: 512KB
- memory/2192-3-0x000000001B320000-0x000000001B3B4000-memory.dmp, Filesize: 592KB
- memory/2192-12-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp, Filesize: 9.9MB
- memory/2448-21-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, Filesize: 4KB
- memory/2448-43-0x0000000074C10000-0x00000000752FE000-memory.dmp, Filesize: 6.9MB
- memory/2448-39-0x0000000074C10000-0x00000000752FE000-memory.dmp, Filesize: 6.9MB
- memory/2448-25-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-23-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-27-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-34-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-30-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2448-32-0x0000000000400000-0x0000000000440000-memory.dmp, Filesize: 256KB
- memory/2688-19-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp, Filesize: 9.9MB
- memory/2688-18-0x0000000000BA0000-0x0000000000BBA000-memory.dmp, Filesize: 104KB
- memory/2688-41-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp, Filesize: 9.9MB
- memory/2688-42-0x000000001B180000-0x000000001B200000-memory.dmp, Filesize: 512KB
- memory/2688-20-0x000000001B180000-0x000000001B200000-memory.dmp, Filesize: 512KB