Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-04-2024 01:21
Static task: static1
Behavioral task: behavioral1
- Sample: CREDIT NOTE.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: CREDIT NOTE.exe
- Resource: win10v2004-20240412-en
General
- Target: CREDIT NOTE.exe
- Size: 827KB
- MD5: 44b581457172335dd3903c5bf659a035
- SHA1: 9415e8affeae395c04046a9189414b4787291f14
- SHA256: 8b3133696ef1e7609974f8084f6ca977ab74db7c688fa7b8df83b2e9231f1764
- SHA512: e76c5f05cc83f43f6adfe490df29e6514c1f5b8428ac878a92300b36053fcef1bd987969ddcc8c3ea7c25ffa58cf287456b462f1cbba39f5e3392cc65403035a
- SSDEEP: 12288:T9CF9WMGkyCehy9LdriuW3hny6SNZX2/paka16cMRTjfxwNGNUt842vB8x8xqirq:ZC2MreQLMrF/pa1yRTbNey42vudgZM
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.unitechautomations.com
- Port: 587
- Username: [email protected]
- Password: Unitech@123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"
  process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: CREDIT NOTE.exe
  description: PID 2336 set thread context of 3056
  pid: 2336
  process: CREDIT NOTE.exe
  target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: CREDIT NOTE.exe, powershell.exe, powershell.exe, RegSvcs.exe
  pid / process (in report order, repeated entries collapsed with a count):
    2336  CREDIT NOTE.exe  (5 entries)
    2620  powershell.exe
    2572  powershell.exe
    2336  CREDIT NOTE.exe  (2 entries)
    3056  RegSvcs.exe      (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: CREDIT NOTE.exe, powershell.exe, powershell.exe, RegSvcs.exe
  description / pid / process:
    Token: SeDebugPrivilege  2336  CREDIT NOTE.exe
    Token: SeDebugPrivilege  2620  powershell.exe
    Token: SeDebugPrivilege  2572  powershell.exe
    Token: SeDebugPrivilege  3056  RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: CREDIT NOTE.exe
  description / pid / process / target process (repeated entries collapsed with a count):
    PID 2336 wrote to memory of 2620  2336  CREDIT NOTE.exe  powershell.exe  (4 entries)
    PID 2336 wrote to memory of 2572  2336  CREDIT NOTE.exe  powershell.exe  (4 entries)
    PID 2336 wrote to memory of 2680  2336  CREDIT NOTE.exe  schtasks.exe    (4 entries)
    PID 2336 wrote to memory of 2832  2336  CREDIT NOTE.exe  RegSvcs.exe     (7 entries)
    PID 2336 wrote to memory of 3056  2336  CREDIT NOTE.exe  RegSvcs.exe     (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe"
  PID: 2336
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.exe"
    PID: 2620
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\itqsdfDZLZo.exe"
    PID: 2572
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\itqsdfDZLZo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5985.tmp"
    PID: 2680
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2832
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3056
    Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5985.tmp
  Filesize: 1KB
  MD5: b53f9fcd60f7151e331581f0af01bc34
  SHA1: f1263cbe25ed83e1b8642b45735c9a19f940b15c
  SHA256: 630309ed6bfa62b8a7b4eb4820921fbd9952a845c8f5eef832d612c541200479
  SHA512: 0d092d94b4eec3dbe475f540daf28cc92942095f790d08335cb7585b81deb01c51451100bd8b7f118bf97f21ca2f986d477c417bd36279dbd4ef346229c6f6ac
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 5bf5d5ecb4624ee951f374bbf74b6a90
  SHA1: 26aea89c469da409bdfefc350a5384944f63404a
  SHA256: 16d8793bf5f37749650c42a56692168cae2254039be36e6299fdb40f133a127f
  SHA512: f73519e0b6cc46d559d2cde50201e1b96d8e6d7ca02fb215264b033531ef7756bf6dfac3baad7fbe0f7b3fa0e92975e00a98e0692eca19f26d02f6aa1cf82c7b

Memory dumps (dump name, filesize):
- memory/2336-30-0x0000000074DC0000-0x00000000754AE000-memory.dmp  6.9MB
- memory/2336-0-0x00000000012E0000-0x00000000013B4000-memory.dmp  848KB
- memory/2336-2-0x0000000001250000-0x0000000001290000-memory.dmp  256KB
- memory/2336-3-0x0000000000880000-0x0000000000898000-memory.dmp  96KB
- memory/2336-4-0x00000000008B0000-0x00000000008BE000-memory.dmp  56KB
- memory/2336-5-0x00000000008C0000-0x00000000008D4000-memory.dmp  80KB
- memory/2336-6-0x000000000A1D0000-0x000000000A254000-memory.dmp  528KB
- memory/2336-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp  6.9MB
- memory/2336-42-0x0000000074DC0000-0x00000000754AE000-memory.dmp  6.9MB
- memory/2572-22-0x0000000002EC0000-0x0000000002F00000-memory.dmp  256KB
- memory/2572-46-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/2572-24-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/2572-20-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/2620-25-0x0000000002AA0000-0x0000000002AE0000-memory.dmp  256KB
- memory/2620-26-0x0000000002AA0000-0x0000000002AE0000-memory.dmp  256KB
- memory/2620-45-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/2620-28-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/2620-19-0x000000006EE80000-0x000000006F42B000-memory.dmp  5.7MB
- memory/3056-33-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-43-0x0000000074DC0000-0x00000000754AE000-memory.dmp  6.9MB
- memory/3056-39-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-31-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-41-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-21-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-44-0x0000000004C90000-0x0000000004CD0000-memory.dmp  256KB
- memory/3056-37-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
- memory/3056-27-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
- memory/3056-48-0x0000000074DC0000-0x00000000754AE000-memory.dmp  6.9MB
- memory/3056-49-0x0000000004C90000-0x0000000004CD0000-memory.dmp  256KB