Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: CREDIT NOTES.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: CREDIT NOTES.exe
  Resource: win10v2004-20240419-en
General
Target: CREDIT NOTES.exe
Size: 949KB
MD5: a94578e1a694ba09dc9ed5dc7df60fcc
SHA1: 8ea85a39e4e456e79db46abfe00f9be73c8e254e
SHA256: b06ef71a820a829fc010a3bc33b6c630282b94d831e25f972b7173f0783b76c9
SHA512: ab3277ca5e074100cc9323234ee257816261154bcd6da3b00c56a83b0f0923575649ec9c3272e5ac8da6bd4ae08f6757d7cd15147a15963d144b99be92a30565
SSDEEP: 24576:8+17qWKvIj9RR5BGNn5BZj6ZNaJ312Zw471:t5AvIj9VB+j6naJl2iK1
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.unitechautomations.com
Port: 587
Username: [email protected]
Password: Unitech@123
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers. 5 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs
Processes: RegSvcs.exe
description      ioc                                                                                                                                                           process
Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"  RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: CREDIT NOTES.exe
description                          pid   process           target process
PID 2952 set thread context of 2604  2952  CREDIT NOTES.exe  RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: CREDIT NOTES.exe, powershell.exe, powershell.exe, RegSvcs.exe
pid   process
2952  CREDIT NOTES.exe
2952  CREDIT NOTES.exe
2548  powershell.exe
2652  powershell.exe
2952  CREDIT NOTES.exe
2604  RegSvcs.exe
2604  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: CREDIT NOTES.exe, powershell.exe, powershell.exe, RegSvcs.exe
description              pid   process
Token: SeDebugPrivilege  2952  CREDIT NOTES.exe
Token: SeDebugPrivilege  2548  powershell.exe
Token: SeDebugPrivilege  2652  powershell.exe
Token: SeDebugPrivilege  2604  RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs
Processes: CREDIT NOTES.exe
description                        pid   process           target process   rows
PID 2952 wrote to memory of 2548   2952  CREDIT NOTES.exe  powershell.exe   4
PID 2952 wrote to memory of 2652   2952  CREDIT NOTES.exe  powershell.exe   4
PID 2952 wrote to memory of 2596   2952  CREDIT NOTES.exe  schtasks.exe     4
PID 2952 wrote to memory of 2604   2952  CREDIT NOTES.exe  RegSvcs.exe      12
Processes
1. C:\Users\Admin\AppData\Local\Temp\CREDIT NOTES.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTES.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2952
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTES.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2548
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XblPOAvPsrUQv.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2652
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XblPOAvPsrUQv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45A8.tmp"
      - Creates scheduled task(s)
      PID: 2596
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp45A8.tmp
  Filesize: 1KB
  MD5: 59fa255922bfd589b072817e9c09b865
  SHA1: 0b1961364cab04a8a419da93f01999c249e464ca
  SHA256: 772807723a3c45c02a16ed189b3872dab1856790f8d3b57a0ce198ea8f95373b
  SHA512: 46d8748e116c0fe4586769f0d888b4e86b54abe2bc4a935b28114e631c075875b2052fe610004b0bf068953b959aff1d0732f13bd78087ab27a211114896c7d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2C7BGWJBQ1OO2AB7B9Z.temp
  Filesize: 7KB
  MD5: 6c3d217f1acfee77f9c3ae758566473e
  SHA1: 89aba15a1740d6b217499a32ddd4166a20507564
  SHA256: 5d1a68da6a0655e3433ceabff30368a60d8444776130902c4003feb568237126
  SHA512: 7a2c737d4318da11c9bfea7584325b87b63d1b0ef9e54eeda84739ba2ced0a108a0bd4249dc979a7aa305ef355a25a50908a50e82580b205dad4db481ed7ea0f

memory/2604-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-27-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-20-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-24-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-19-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2604-22-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2952-2-0x0000000004E30000-0x0000000004E70000-memory.dmp
  Filesize: 256KB

memory/2952-1-0x0000000074AA0000-0x000000007518E000-memory.dmp
  Filesize: 6.9MB

memory/2952-0-0x0000000000AF0000-0x0000000000BE4000-memory.dmp
  Filesize: 976KB

memory/2952-3-0x0000000000360000-0x0000000000380000-memory.dmp
  Filesize: 128KB

memory/2952-5-0x0000000000A40000-0x0000000000AC2000-memory.dmp
  Filesize: 520KB

memory/2952-4-0x0000000000380000-0x0000000000394000-memory.dmp
  Filesize: 80KB

memory/2952-31-0x0000000074AA0000-0x000000007518E000-memory.dmp
  Filesize: 6.9MB