Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-04-2024 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: CREDIT NOTE.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: CREDIT NOTE.exe
- Resource: win10v2004-20240412-en
General
- Target: CREDIT NOTE.exe
- Size: 827KB
- MD5: 44b581457172335dd3903c5bf659a035
- SHA1: 9415e8affeae395c04046a9189414b4787291f14
- SHA256: 8b3133696ef1e7609974f8084f6ca977ab74db7c688fa7b8df83b2e9231f1764
- SHA512: e76c5f05cc83f43f6adfe490df29e6514c1f5b8428ac878a92300b36053fcef1bd987969ddcc8c3ea7c25ffa58cf287456b462f1cbba39f5e3392cc65403035a
- SSDEEP: 12288:T9CF9WMGkyCehy9LdriuW3hny6SNZX2/paka16cMRTjfxwNGNUt842vB8x8xqirq:ZC2MreQLMrF/pa1yRTbNey42vudgZM
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.unitechautomations.com
- Port: 587
- Username: [email protected]
- Password: Unitech@123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. (2 IoCs)
  Resources matched by YARA rule INDICATOR_EXE_Packed_GEN01:
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
  Resources matched by YARA rule INDICATOR_SUSPICIOUS_Binary_References_Browsers:
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing Windows vault credential objects. Observed in infostealers. (2 IoCs)
  Resources matched by YARA rule INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID:
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (2 IoCs)
  Resources matched by YARA rule INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store:
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many email and collaboration clients. Observed in information stealers. (2 IoCs)
  Resources matched by YARA rule INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients:
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many file transfer clients. Observed in information stealers. (2 IoCs)
  Resources matched by YARA rule INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients (rule name spelled as in the rule set):
  - behavioral1/memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp
  - behavioral1/memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process); the same process appears once per event:
  - 2204 CREDIT NOTE.exe (accounts for all but two of the 64 events)
  - 2504 powershell.exe
  - 2656 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2204, CREDIT NOTE.exe
  - Token: SeDebugPrivilege, 2504, powershell.exe
  - Token: SeDebugPrivilege, 2656, powershell.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
  - PID 2204 wrote to memory of 2504: CREDIT NOTE.exe -> powershell.exe (4 events)
  - PID 2204 wrote to memory of 2656: CREDIT NOTE.exe -> powershell.exe (4 events)
  - PID 2204 wrote to memory of 2828: CREDIT NOTE.exe -> schtasks.exe (4 events)
  - PID 2204 wrote to memory of 2444: CREDIT NOTE.exe -> RegSvcs.exe (11 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe (PID 2204, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2504, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2656, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\itqsdfDZLZo.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2828, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\itqsdfDZLZo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2444, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmp
  Filesize: 1KB
  MD5: b53f9fcd60f7151e331581f0af01bc34
  SHA1: f1263cbe25ed83e1b8642b45735c9a19f940b15c
  SHA256: 630309ed6bfa62b8a7b4eb4820921fbd9952a845c8f5eef832d612c541200479
  SHA512: 0d092d94b4eec3dbe475f540daf28cc92942095f790d08335cb7585b81deb01c51451100bd8b7f118bf97f21ca2f986d477c417bd36279dbd4ef346229c6f6ac
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 4bc444f361d52f660c6ece4dd9009e99
  SHA1: 83ed55b8faac9a927c475ccfa039846883d322df
  SHA256: 695cc1b8829667337f86aec1ef30fd2f2afc40cb32ed5b4f2cd80737726f5d32
  SHA512: 30cc3caa5004d341823e9c970d407b067b6252a320fdf8a2db9f324706014984824e1bfc54b060ad4a795db904b42d8e349f1c14c72fb2ff8d4d2b66ed231654
Memory dumps (resource: filesize):
- memory/2204-0-0x0000000000F10000-0x0000000000FE4000-memory.dmp: 848KB
- memory/2204-1-0x0000000074790000-0x0000000074E7E000-memory.dmp: 6.9MB
- memory/2204-2-0x0000000004780000-0x00000000047C0000-memory.dmp: 256KB
- memory/2204-3-0x0000000000550000-0x0000000000568000-memory.dmp: 96KB
- memory/2204-4-0x0000000000600000-0x000000000060E000-memory.dmp: 56KB
- memory/2204-5-0x00000000009E0000-0x00000000009F4000-memory.dmp: 80KB
- memory/2204-6-0x0000000005B30000-0x0000000005BB4000-memory.dmp: 528KB
- memory/2204-41-0x0000000004780000-0x00000000047C0000-memory.dmp: 256KB
- memory/2204-40-0x0000000074790000-0x0000000074E7E000-memory.dmp: 6.9MB
- memory/2444-29-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2444-33-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2444-20-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2444-24-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2444-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2504-32-0x0000000002840000-0x0000000002880000-memory.dmp: 256KB
- memory/2504-30-0x0000000002840000-0x0000000002880000-memory.dmp: 256KB
- memory/2504-23-0x0000000002840000-0x0000000002880000-memory.dmp: 256KB
- memory/2504-27-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB
- memory/2504-39-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB
- memory/2504-21-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB
- memory/2656-34-0x0000000002EB0000-0x0000000002EF0000-memory.dmp: 256KB
- memory/2656-36-0x0000000002EB0000-0x0000000002EF0000-memory.dmp: 256KB
- memory/2656-25-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB
- memory/2656-28-0x0000000002EB0000-0x0000000002EF0000-memory.dmp: 256KB
- memory/2656-38-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB
- memory/2656-19-0x000000006E800000-0x000000006EDAB000-memory.dmp: 5.7MB