Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2024 07:02
Static task: static1
Behavioral task: behavioral1 (Sample: TEKLİF TALEP_xlsx.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: TEKLİF TALEP_xlsx.exe, Resource: win10v2004-20240226-en)
General
- Target: TEKLİF TALEP_xlsx.exe
- Size: 668KB
- MD5: b2ebfbb63f7ccdff15e24e4ff801c986
- SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
- SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
- SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
- SSDEEP: 12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: cp8nl.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET; this sample is configured to exfiltrate over SMTP (see Malware Config).
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- TEKLİF TALEP_xlsx.exe: Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
Processes:
- PID 3800 svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- TEKLİF TALEP_xlsx.exe: Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3800 svchost.exe set thread context of PID 1200 AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- PID 5064 timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 5092 TEKLİF TALEP_xlsx.exe (54 IoCs)
- PID 3800 svchost.exe (10 IoCs)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- PID 5092 TEKLİF TALEP_xlsx.exe: Token: SeDebugPrivilege
- PID 3800 svchost.exe: Token: SeDebugPrivilege
- PID 1200 AddInProcess32.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 21 IoCs
Processes (source PID -> target PID, number of IoCs):
- 5092 TEKLİF TALEP_xlsx.exe -> 1612 cmd.exe (2)
- 5092 TEKLİF TALEP_xlsx.exe -> 1288 cmd.exe (2)
- 1612 cmd.exe -> 4664 schtasks.exe (2)
- 1288 cmd.exe -> 5064 timeout.exe (2)
- 1288 cmd.exe -> 3800 svchost.exe (2)
- 3800 svchost.exe -> 1200 AddInProcess32.exe (8)
- 3800 svchost.exe -> 4404 AddInProcess32.exe (3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe (PID 5092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1612)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 4664)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 1288)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp67F1.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 5064)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3800)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 1200)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 4404)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
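The process tree above shows the whole chain: the sample copies itself to AppData\Roaming\svchost.exe, registers it both as a Run key and as an on-logon scheduled task with highest run level, runs a dropped batch file that waits three seconds and launches the copy, and the copy then writes into a freshly started AddInProcess32.exe and sets its thread context (process hollowing into a signed .NET host). The script below is an added example, not part of the Triage report or of the Agent Tesla sample: it parses event lines in the report's own wording (constructed inline from the tables above), rebuilds the process tree, and flags the three things a responder would pull out of this report: a system-binary name running outside the system directories, a WriteProcessMemory + SetThreadContext pair, and a schtasks/Run-key persistence entry pointing into a user-writable path. SYSTEM_NAMES, the user-writable-path heuristic and the "sandbox records process creation as a memory write" assumption are the example's own choices, not the sandbox's.

```python
"""Rebuild the sandbox process tree from report-style WriteProcessMemory
lines and flag the persistence / hollowing pattern. Added example; the
inputs below are constructed from the report's tables, not a live feed."""
import re
from collections import Counter, defaultdict

# One line per unique edge from "Suspicious use of WriteProcessMemory"
# (the report repeats each edge; the parser counts repeats if present).
WRITE_EVENTS = """\
PID 5092 wrote to memory of 1612 5092 TEKLİF TALEP_xlsx.exe cmd.exe
PID 5092 wrote to memory of 1288 5092 TEKLİF TALEP_xlsx.exe cmd.exe
PID 1612 wrote to memory of 4664 1612 cmd.exe schtasks.exe
PID 1288 wrote to memory of 5064 1288 cmd.exe timeout.exe
PID 1288 wrote to memory of 3800 1288 cmd.exe svchost.exe
PID 3800 wrote to memory of 1200 3800 svchost.exe AddInProcess32.exe
PID 3800 wrote to memory of 4404 3800 svchost.exe AddInProcess32.exe
"""
# PID -> image path, taken from the Processes section.
IMAGES = {
    5092: r"C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe",
    1612: r"C:\Windows\System32\cmd.exe",
    1288: r"C:\Windows\system32\cmd.exe",
    4664: r"C:\Windows\system32\schtasks.exe",
    5064: r"C:\Windows\system32\timeout.exe",
    3800: r"C:\Users\Admin\AppData\Roaming\svchost.exe",
    1200: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
    4404: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
}
SET_THREAD_CONTEXT = [(3800, 1200)]  # from "Suspicious use of SetThreadContext"
SCHTASKS_CMDLINE = ('schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                    '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\'')
RUN_KEY_DATA = r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+) (\S+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: binaries with these names belong only under SYSTEM_DIRS.
SYSTEM_NAMES = {"svchost.exe", "cmd.exe", "schtasks.exe", "timeout.exe"}
SCH_OPT = re.compile(r"""/(sc|rl|tn|tr)\s+('[^']*'|"[^"]*"|\S+)""", re.I)

def parse_write_events(text):
    """Return ({(src_pid, dst_pid): count}, {pid: image name})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        names[src], names[dst] = m[3], m[4]
    return edges, names

def build_tree(edges):
    """Parent -> sorted children. Assumption: the sandbox logs the first
    write into a new child as process creation, so edges double as the tree."""
    children = defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)
    return {p: sorted(c) for p, c in children.items()}

def roots(edges):
    return {s for s, _ in edges} - {d for _, d in edges}

def render_tree(tree, names, pid, depth=0):
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines += render_tree(tree, names, child, depth + 1)
    return lines

def user_writable(path):
    """Heuristic (assumption): anything under C:\\Users or an AppData dir."""
    low = path.strip("'\"").lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low

def masquerading(images):
    """PIDs whose image reuses a system binary name outside SYSTEM_DIRS."""
    return [pid for pid, path in images.items()
            if path.lower().rsplit("\\", 1)[-1] in SYSTEM_NAMES
            and not path.lower().startswith(SYSTEM_DIRS)]

def hollowing_candidates(edges, thread_context_events, images):
    """Writer also set the target's thread context: process hollowing."""
    return [{"injector": s, "target": d, "writes": edges[(s, d)],
             "target_image": images.get(d)}
            for s, d in thread_context_events if (s, d) in edges]

def parse_schtasks(cmdline):
    """Pull /sc /rl /tn /tr and judge: on-logon, highest, user-writable target."""
    opts = {k.lower(): v.strip("'\"") for k, v in SCH_OPT.findall(cmdline)}
    opts["suspicious"] = (opts.get("sc", "").lower() == "onlogon"
                          and opts.get("rl", "").lower() == "highest"
                          and user_writable(opts.get("tr", "")))
    return opts

def analyze():
    edges, names = parse_write_events(WRITE_EVENTS)
    return {"roots": roots(edges), "tree": build_tree(edges), "names": names,
            "masquerading": masquerading(IMAGES),
            "hollowing": hollowing_candidates(edges, SET_THREAD_CONTEXT, IMAGES),
            "task": parse_schtasks(SCHTASKS_CMDLINE),
            "run_key_user_writable": user_writable(RUN_KEY_DATA)}

if __name__ == "__main__":
    r = analyze()
    for root in sorted(r["roots"]):
        print("\n".join(render_tree(r["tree"], r["names"], root)))
    print("masquerading:", r["masquerading"], "| hollowing:", r["hollowing"])
    print("task:", r["task"], "| run key user-writable:", r["run_key_user_writable"])
```

The second AddInProcess32.exe (PID 4404) receives writes but no SetThreadContext event in the report, so it is deliberately not reported as hollowed; only pairs that appear in both tables are. Running the script prints the tree rooted at PID 5092 and flags PID 3800 (svchost.exe under AppData\Roaming), the 3800 -> 1200 hollowing pair, and the on-logon task and Run key both pointing at the user-writable copy.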
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp67F1.tmp.bat
  Filesize: 151B
  MD5: 77312db5bad940eaee2791d18fbd802e
  SHA1: 50bb18169018ed0c22437dd45dde9ef208ec5bbc
  SHA256: cf6ba20eb72a81a869c2efbd001daaf92eca77c265262adbc3adb8e12213635a
  SHA512: c295d5617f366f37bafc2935d8f7751797e128e19501d2dfa15f8492b01ec230b5af5e6f392c996ddd8994006aed9b3036b66b6253437f710e75683ef5afd895
- C:\Users\Admin\AppData\Roaming\svchost.exe (all hashes match the submitted sample: the dropped file is a byte-identical self-copy)
  Filesize: 668KB
  MD5: b2ebfbb63f7ccdff15e24e4ff801c986
  SHA1: 584079acf1abc206fca557907ab0c258ebc21a9a
  SHA256: 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
  SHA512: dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
Memory dumps (PID-index-start-end):
- memory/1200-18-0x0000000005DE0000-0x0000000006384000-memory.dmp: 5.6MB
- memory/1200-26-0x0000000005820000-0x0000000005830000-memory.dmp: 64KB
- memory/1200-25-0x00000000750D0000-0x0000000075880000-memory.dmp: 7.7MB
- memory/1200-24-0x0000000006670000-0x000000000667A000-memory.dmp: 40KB
- memory/1200-23-0x00000000066E0000-0x0000000006772000-memory.dmp: 584KB
- memory/1200-22-0x00000000065F0000-0x0000000006640000-memory.dmp: 320KB
- memory/1200-20-0x0000000005830000-0x0000000005896000-memory.dmp: 408KB
- memory/1200-19-0x0000000005820000-0x0000000005830000-memory.dmp: 64KB
- memory/1200-16-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/1200-17-0x00000000750D0000-0x0000000075880000-memory.dmp: 7.7MB
- memory/3800-21-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp: 10.8MB
- memory/3800-15-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp: 10.8MB
- memory/5092-11-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp: 10.8MB
- memory/5092-0-0x00000267DCDA0000-0x00000267DCDBA000-memory.dmp: 104KB
- memory/5092-5-0x00000267F7390000-0x00000267F7424000-memory.dmp: 592KB
- memory/5092-4-0x00000267DEA50000-0x00000267DEA6E000-memory.dmp: 120KB
- memory/5092-3-0x00000267F9430000-0x00000267F94A6000-memory.dmp: 472KB
- memory/5092-2-0x00000267DEA40000-0x00000267DEA50000-memory.dmp: 64KB
- memory/5092-1-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp: 10.8MB