Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: tempe.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: tempe.exe
  Resource: win10v2004-20240226-en
General
- Target: tempe.exe
- Size: 1.0MB
- MD5: bebe5907e39cdbd2a097c0325f6b12ed
- SHA1: 8ebfa77700a40d7935e41c376c0f0962c62e1c5a
- SHA256: c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d
- SHA512: d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c
- SSDEEP: 24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cash4cars.nz
- Port: 587
- Username: [email protected]
- Password: logs2024!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"
    process: RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: tempe.exe
    description                          pid   process    target process
    PID 2188 set thread context of 2508  2188  tempe.exe  RegSvcs.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    2572  2188        WerFault.exe  tempe.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid   process
    2508  RegSvcs.exe
    2508  RegSvcs.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: tempe.exe
    pid   process
    2188  tempe.exe
    2188  tempe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
    description              pid   process
    Token: SeDebugPrivilege  2508  RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: tempe.exe
    pid   process
    2188  tempe.exe
    2188  tempe.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: tempe.exe
    pid   process
    2188  tempe.exe
    2188  tempe.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: tempe.exe
    description                        pid   process    target process
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2508   2188  tempe.exe  RegSvcs.exe
    PID 2188 wrote to memory of 2572   2188  tempe.exe  WerFault.exe
    PID 2188 wrote to memory of 2572   2188  tempe.exe  WerFault.exe
    PID 2188 wrote to memory of 2572   2188  tempe.exe  WerFault.exe
    PID 2188 wrote to memory of 2572   2188  tempe.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tempe.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tempe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tempe.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (tree depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 316
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2188-10-0x0000000000270000-0x0000000000274000-memory.dmp (Filesize: 16KB)
- memory/2508-11-0x0000000000090000-0x00000000000D2000-memory.dmp (Filesize: 264KB)
- memory/2508-13-0x0000000000090000-0x00000000000D2000-memory.dmp (Filesize: 264KB)
- memory/2508-17-0x0000000000090000-0x00000000000D2000-memory.dmp (Filesize: 264KB)
- memory/2508-20-0x0000000000090000-0x00000000000D2000-memory.dmp (Filesize: 264KB)
- memory/2508-21-0x00000000740D0000-0x00000000747BE000-memory.dmp (Filesize: 6.9MB)
- memory/2508-22-0x00000000010B0000-0x00000000010F0000-memory.dmp (Filesize: 256KB)
- memory/2508-24-0x00000000740D0000-0x00000000747BE000-memory.dmp (Filesize: 6.9MB)
- memory/2508-25-0x00000000010B0000-0x00000000010F0000-memory.dmp (Filesize: 256KB)