Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 01:22
Static task
- static1
Behavioral task
- behavioral1
  Sample: 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
  Resource: win10v2004-20240226-en
General
- Target: 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
- Size: 701KB
- MD5: 327c191bb646304011467099c3f34bf7
- SHA1: 7aeb7022116dc9276e0043cbf06d933cf912a9ae
- SHA256: 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0
- SHA512: 91651f184cedeb5f201a6086d2aa99d1c554aa95daa324d0cba88dda379dcdc7aa29c3db7831c79d465770a6db4f334166726660c2eb9f78b0182046eb68dcdd
- SSDEEP: 12288:0KcFtImAFhhs+0Y6S415FauQ/xtO3UW67qGUt64BnP7d2qPV7ldeKwm7KR/:0K061Fhhs7Y6/XFDQkLGqG6P7d2qPJls
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.issltd.org
- Port: 587
- Username: [email protected]
- Password: iss123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
    Process: 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 18: api.ipify.org
    flow 19: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2380 set thread context of 4424
    pid: 2380 (296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe)
    procid_target: 101
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, Process):
    2380 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe (3 events)
    3940 powershell.exe (3 events)
    2696 powershell.exe (3 events)
    4424 RegSvcs.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, Process):
    Token: SeDebugPrivilege, 2380, 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe
    Token: SeDebugPrivilege, 3940, powershell.exe
    Token: SeDebugPrivilege, 2696, powershell.exe
    Token: SeDebugPrivilege, 4424, RegSvcs.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, Process, procid_target):
    PID 2380 wrote to memory of 2696, 2380, 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe, 95 (3 events)
    PID 2380 wrote to memory of 3940, 2380, 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe, 97 (3 events)
    PID 2380 wrote to memory of 944, 2380, 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe, 99 (3 events)
    PID 2380 wrote to memory of 4424, 2380, 296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe, 101 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2696)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\296644cbf62c9afb38038bba97812923c98c82c0d2413366225afcaa405fb8d0.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3940)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xanAlavQkh.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 944)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xanAlavQkh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4424)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads