Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-04-2024 09:27
Static task: static1
Behavioral task: behavioral1
- Sample: tempe.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: tempe.exe
- Resource: win10v2004-20240226-en
General
- Target: tempe.exe
- Size: 1.0MB
- MD5: bebe5907e39cdbd2a097c0325f6b12ed
- SHA1: 8ebfa77700a40d7935e41c376c0f0962c62e1c5a
- SHA256: c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d
- SHA512: d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c
- SSDEEP: 24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cash4cars.nz
- Port: 587
- Username: [email protected]
- Password: logs2024!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe" | process: RegSvcs.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow: 15 | ioc: ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 3152 set thread context of 636 | pid: 3152 | process: tempe.exe | target process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid: 636 | process: RegSvcs.exe
  pid: 636 | process: RegSvcs.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid: 3152 | process: tempe.exe
  pid: 3152 | process: tempe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege | pid: 636 | process: RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid: 3152 | process: tempe.exe
  pid: 3152 | process: tempe.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid: 3152 | process: tempe.exe
  pid: 3152 | process: tempe.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 3152 wrote to memory of 636 | pid: 3152 | process: tempe.exe | target process: RegSvcs.exe
  description: PID 3152 wrote to memory of 636 | pid: 3152 | process: tempe.exe | target process: RegSvcs.exe
  description: PID 3152 wrote to memory of 636 | pid: 3152 | process: tempe.exe | target process: RegSvcs.exe
  description: PID 3152 wrote to memory of 636 | pid: 3152 | process: tempe.exe | target process: RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tempe.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tempe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, child of tempe.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tempe.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/636-11-0x0000000000730000-0x0000000000772000-memory.dmp (Filesize: 264KB)
- memory/636-12-0x00000000750A0000-0x0000000075850000-memory.dmp (Filesize: 7.7MB)
- memory/636-13-0x0000000005390000-0x0000000005934000-memory.dmp (Filesize: 5.6MB)
- memory/636-14-0x00000000027C0000-0x00000000027D0000-memory.dmp (Filesize: 64KB)
- memory/636-15-0x0000000004EE0000-0x0000000004F46000-memory.dmp (Filesize: 408KB)
- memory/636-17-0x0000000006070000-0x00000000060C0000-memory.dmp (Filesize: 320KB)
- memory/636-18-0x0000000006160000-0x00000000061F2000-memory.dmp (Filesize: 584KB)
- memory/636-19-0x00000000060F0000-0x00000000060FA000-memory.dmp (Filesize: 40KB)
- memory/636-20-0x00000000750A0000-0x0000000075850000-memory.dmp (Filesize: 7.7MB)
- memory/636-21-0x00000000027C0000-0x00000000027D0000-memory.dmp (Filesize: 64KB)
- memory/3152-10-0x0000000001280000-0x0000000001284000-memory.dmp (Filesize: 16KB)