Analysis
- max time kernel: 130s
- max time network: 135s
- platform: windows10-1703_x64
- resource: win10-20240319-en
- resource tags: arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-03-2024 14:55
Static task: static1
Behavioral task: behavioral1 (Sample: TelexCopy.exe, Resource: win10-20240319-en)
Behavioral task: behavioral2 (Sample: TelexCopy.exe, Resource: win10v2004-20240226-en)
Behavioral task: behavioral3 (Sample: TelexCopy.exe, Resource: win11-20240214-en)
General
- Target: TelexCopy.exe
- Size: 772KB
- MD5: f2168cd60deb04a9bd7817f31468e9cd
- SHA1: 2ddc74827c961308aeba829606edb7268808e4ce
- SHA256: 3da2acf6472e1cbc00e90110332f20a9c70d8ed0561ccfd4fe78322cdeeea5b4
- SHA512: 92a3009b69df37b01e06e471a8915fad5c2f868a87d014eb278bcc53504a18c66a9d352e0fcc335b93ba38608a4bb91d05e9a5fab7438c585d26e17b51e13e99
- SSDEEP: 12288:h4rGJKaRASEDRkQmnG2J7SEONrr+x3yu2bpPUCgJIhVyD4JgnJzG2wtV:2rae9Nk3GaSEOZr+x2bpcCgJI/0Y
Malware Config
Extracted
- Protocol: smtp
- Host: mail.swife.co.ke
- Port: 587
- Username: swife@swife.co.ke
- Password: P@ss2024!!
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.swife.co.ke
- Port: 587
- Username: swife@swife.co.ke
- Password: P@ss2024!!
- Email To: coco@glamourstorepa.com.br
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           pid   process        target process
  PID 3160 set thread context of 2416   3160  TelexCopy.exe  TelexCopy.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid   process
  920   powershell.exe
  3412  powershell.exe
  2416  TelexCopy.exe
  2416  TelexCopy.exe
  920   powershell.exe
  3412  powershell.exe
  3412  powershell.exe
  920   powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   920   powershell.exe
  Token: SeDebugPrivilege   3412  powershell.exe
  Token: SeDebugPrivilege   2416  TelexCopy.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description                         pid   process        target process
  PID 3160 wrote to memory of 920     3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 920     3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 920     3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 3412    3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 3412    3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 3412    3160  TelexCopy.exe  powershell.exe
  PID 3160 wrote to memory of 688     3160  TelexCopy.exe  schtasks.exe
  PID 3160 wrote to memory of 688     3160  TelexCopy.exe  schtasks.exe
  PID 3160 wrote to memory of 688     3160  TelexCopy.exe  schtasks.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
  PID 3160 wrote to memory of 2416    3160  TelexCopy.exe  TelexCopy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TelexCopy.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TelexCopy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TelexCopy.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ChQxeCBRDlDTBo.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ChQxeCBRDlDTBo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TelexCopy.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TelexCopy.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: e97ec343933a6e313a738017c020d1a3
  SHA1: a39c80b1912b9b4a84a46cd07aeac6062db35b1e
  SHA256: 0113d6bb3c713f3eea322c7a6d5962ed42ae9f7403ba7654c35d951f57873379
  SHA512: 172edd0c769c05dbc79abb58436e77b9faf57b6801bed894114ce6c1da64ca0ae7d05ddc6167796842686c361d031a8ad699b3e60e4ea58c271d855d5fce2d2f
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prpmlfx1.nam.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp
  Filesize: 1KB
  MD5: 0ebcb04ea00f3327034051d50c15bf35
  SHA1: 4fa630449e3da63a0b9f75163c633dfe2e27e1ef
  SHA256: 51d792e767e4f7386e5e241c612096b613938eb075931e1e1f8586f585ae2bd7
  SHA512: 9ce8340bac8cdcf05e4918ccfecf6a002fc4e83390ab6781f3b9b0076a1fb392af573bdc6be71e577489b82e4b2c38f9b58fe562d2689e20ccb3c75e0fac6fac
- memory/920-515-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/920-86-0x0000000009D80000-0x0000000009E25000-memory.dmp (Filesize: 660KB)
- memory/920-30-0x0000000007AC0000-0x0000000007AE2000-memory.dmp (Filesize: 136KB)
- memory/920-510-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/920-20-0x0000000007540000-0x0000000007550000-memory.dmp (Filesize: 64KB)
- memory/920-484-0x0000000007710000-0x0000000007718000-memory.dmp (Filesize: 32KB)
- memory/920-475-0x0000000007720000-0x000000000773A000-memory.dmp (Filesize: 104KB)
- memory/920-87-0x0000000007540000-0x0000000007550000-memory.dmp (Filesize: 64KB)
- memory/920-19-0x0000000007540000-0x0000000007550000-memory.dmp (Filesize: 64KB)
- memory/920-23-0x0000000007B80000-0x00000000081A8000-memory.dmp (Filesize: 6.2MB)
- memory/920-76-0x00000000707C0000-0x000000007080B000-memory.dmp (Filesize: 300KB)
- memory/920-73-0x000000007F010000-0x000000007F020000-memory.dmp (Filesize: 64KB)
- memory/920-18-0x00000000073C0000-0x00000000073F6000-memory.dmp (Filesize: 216KB)
- memory/920-38-0x0000000008890000-0x00000000088DB000-memory.dmp (Filesize: 300KB)
- memory/920-37-0x0000000008860000-0x000000000887C000-memory.dmp (Filesize: 112KB)
- memory/920-36-0x00000000084D0000-0x0000000008820000-memory.dmp (Filesize: 3.3MB)
- memory/920-32-0x0000000008280000-0x00000000082E6000-memory.dmp (Filesize: 408KB)
- memory/920-17-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/2416-34-0x0000000005890000-0x00000000058F6000-memory.dmp (Filesize: 408KB)
- memory/2416-116-0x0000000006570000-0x00000000065C0000-memory.dmp (Filesize: 320KB)
- memory/2416-33-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/2416-28-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2416-35-0x0000000005900000-0x0000000005910000-memory.dmp (Filesize: 64KB)
- memory/2416-518-0x0000000005900000-0x0000000005910000-memory.dmp (Filesize: 64KB)
- memory/2416-517-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/3160-4-0x0000000004B40000-0x0000000004B50000-memory.dmp (Filesize: 64KB)
- memory/3160-3-0x00000000049A0000-0x0000000004A32000-memory.dmp (Filesize: 584KB)
- memory/3160-0-0x00000000000A0000-0x0000000000166000-memory.dmp (Filesize: 792KB)
- memory/3160-9-0x0000000007630000-0x00000000076B2000-memory.dmp (Filesize: 520KB)
- memory/3160-1-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/3160-8-0x0000000004C60000-0x0000000004C6C000-memory.dmp (Filesize: 48KB)
- memory/3160-2-0x0000000004E00000-0x00000000052FE000-memory.dmp (Filesize: 5.0MB)
- memory/3160-7-0x0000000004C30000-0x0000000004C4A000-memory.dmp (Filesize: 104KB)
- memory/3160-10-0x0000000009D90000-0x0000000009E2C000-memory.dmp (Filesize: 624KB)
- memory/3160-31-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/3160-6-0x00000000071C0000-0x0000000007264000-memory.dmp (Filesize: 656KB)
- memory/3160-5-0x0000000004B20000-0x0000000004B2A000-memory.dmp (Filesize: 40KB)
- memory/3412-88-0x0000000004A80000-0x0000000004A90000-memory.dmp (Filesize: 64KB)
- memory/3412-89-0x00000000097B0000-0x0000000009844000-memory.dmp (Filesize: 592KB)
- memory/3412-24-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/3412-77-0x0000000009470000-0x000000000948E000-memory.dmp (Filesize: 120KB)
- memory/3412-74-0x0000000009490000-0x00000000094C3000-memory.dmp (Filesize: 204KB)
- memory/3412-75-0x00000000707C0000-0x000000007080B000-memory.dmp (Filesize: 300KB)
- memory/3412-72-0x000000007EE20000-0x000000007EE30000-memory.dmp (Filesize: 64KB)
- memory/3412-39-0x00000000083B0000-0x0000000008426000-memory.dmp (Filesize: 472KB)
- memory/3412-516-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
- memory/3412-26-0x0000000004A80000-0x0000000004A90000-memory.dmp (Filesize: 64KB)
- memory/3412-27-0x0000000004A80000-0x0000000004A90000-memory.dmp (Filesize: 64KB)