Overview

overview

10

Static

static

3

TEKLİF TA...sx.exe

windows7-x64

10

TEKLİF TA...sx.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TEKLİF TALEP_xlsx.exe

  • Size

    668KB

  • MD5

    b2ebfbb63f7ccdff15e24e4ff801c986

  • SHA1

    584079acf1abc206fca557907ab0c258ebc21a9a

  • SHA256

    9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

  • SHA512

    dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

  • SSDEEP

    12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp67F1.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5064
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:4404

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp67F1.tmp.bat
      Filesize

      151B

      MD5

      77312db5bad940eaee2791d18fbd802e

      SHA1

      50bb18169018ed0c22437dd45dde9ef208ec5bbc

      SHA256

      cf6ba20eb72a81a869c2efbd001daaf92eca77c265262adbc3adb8e12213635a

      SHA512

      c295d5617f366f37bafc2935d8f7751797e128e19501d2dfa15f8492b01ec230b5af5e6f392c996ddd8994006aed9b3036b66b6253437f710e75683ef5afd895

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      668KB

      MD5

      b2ebfbb63f7ccdff15e24e4ff801c986

      SHA1

      584079acf1abc206fca557907ab0c258ebc21a9a

      SHA256

      9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

      SHA512

      dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

      Download Submit
    • memory/1200-18-0x0000000005DE0000-0x0000000006384000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1200-26-0x0000000005820000-0x0000000005830000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1200-25-0x00000000750D0000-0x0000000075880000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1200-24-0x0000000006670000-0x000000000667A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1200-23-0x00000000066E0000-0x0000000006772000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1200-22-0x00000000065F0000-0x0000000006640000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1200-20-0x0000000005830000-0x0000000005896000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1200-19-0x0000000005820000-0x0000000005830000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1200-16-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1200-17-0x00000000750D0000-0x0000000075880000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3800-21-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3800-15-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5092-11-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5092-0-0x00000267DCDA0000-0x00000267DCDBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5092-5-0x00000267F7390000-0x00000267F7424000-memory.dmp
      Filesize

      592KB

      Download
    • memory/5092-4-0x00000267DEA50000-0x00000267DEA6E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5092-3-0x00000267F9430000-0x00000267F94A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5092-2-0x00000267DEA40000-0x00000267DEA50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5092-1-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp
      Filesize

      10.8MB

      Download