Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 29-04-2024 17:20
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Heur.25013.20090.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Heur.25013.20090.exe
- Resource: win10v2004-20240419-en
General
- Target: SecuriteInfo.com.Heur.25013.20090.exe
- Size: 631KB
- MD5: 26aa84b983564ccd62143b164ffa7f62
- SHA1: df39b8d79ca797d9dc594f62d705682b4ec7d634
- SHA256: 3029eb76575a110e9bfeadcee488cb4db00d25da6d8529e48d49f2fee0770f80
- SHA512: ebc73b0faeb5886ff5910fc69d93293de875098ffb66037508e70f1a8c922312952a5d8341aa856787e4ffa670fc01fb40b288c067dba4aaec5e7c886c74bcf6
- SSDEEP: 12288:mZMAvNlMfHJ2zJWfs+Pk8xVv5x9+AeVmxgU5hT3ETB778Qm:jAw2zJWfs+s8HjnXgWhUTB0
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.starmech.net
- Port: 587
- Username: [email protected]
- Password: nics123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\BjTxJte = "C:\\Users\\Admin\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe" | SecuriteInfo.com.Heur.25013.20090.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe
  description | pid | process | target process
  PID 3036 set thread context of 2532 | 3036 | SecuriteInfo.com.Heur.25013.20090.exe | SecuriteInfo.com.Heur.25013.20090.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe, powershell.exe, powershell.exe
  pid | process
  2532 | SecuriteInfo.com.Heur.25013.20090.exe
  2532 | SecuriteInfo.com.Heur.25013.20090.exe
  2540 | powershell.exe
  2692 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2532 | SecuriteInfo.com.Heur.25013.20090.exe
  Token: SeDebugPrivilege | 2540 | powershell.exe
  Token: SeDebugPrivilege | 2692 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe
  pid | process
  2532 | SecuriteInfo.com.Heur.25013.20090.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: SecuriteInfo.com.Heur.25013.20090.exe
  description | pid | process | target process
  PID 3036 wrote to memory of 2540 | 3036 | SecuriteInfo.com.Heur.25013.20090.exe | powershell.exe (4 entries)
  PID 3036 wrote to memory of 2692 | 3036 | SecuriteInfo.com.Heur.25013.20090.exe | powershell.exe (4 entries)
  PID 3036 wrote to memory of 1952 | 3036 | SecuriteInfo.com.Heur.25013.20090.exe | schtasks.exe (4 entries)
  PID 3036 wrote to memory of 2532 | 3036 | SecuriteInfo.com.Heur.25013.20090.exe | SecuriteInfo.com.Heur.25013.20090.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 3036
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 2540
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yNoWANrisVl.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 2692
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNoWANrisVl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmp"
    Signatures: Creates scheduled task(s)
    PID: 1952
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"
    Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    PID: 2532
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmp
  Filesize: 1KB
  MD5: 1c8f2f115ccfc56a0f2ea2011a3a141c
  SHA1: 26b92f820260aa582bf5bd638f0bd3a7eb684916
  SHA256: 520413bf7871040793372e25fad85fced13e1d225bf4a3c08e631f21a1660113
  SHA512: 0420f3d302bf7869ca7793fb5c51bec28589b22100a35d6eee474c3615d19966f4e64e1230d1cfd5689d6645316157197d53577e63a4b39c6b676788b0290363
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y7FV5ZFVWMK2LC76PPJ2.temp
  Filesize: 7KB
  MD5: 349bb9589c9b083dc87df92efb5e5715
  SHA1: 511a9c74ea53bfbea526007315b2830c6b557f2c
  SHA256: be0199ae74011081631fa1e982ffd1fde6e6227611a9961ed41fa42b50851ff0
  SHA512: 7064d6b4d7319134458aca249874fbdd8c3063fc4badec4608847e3ef19b72285f3edfe3f593d964dc83b670ed796963801a05da4f21c5015d74a84f427f48b9
- memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-21-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2532-30-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/2532-19-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/3036-6-0x0000000004CD0000-0x0000000004D54000-memory.dmp
  Filesize: 528KB
- memory/3036-1-0x0000000074940000-0x000000007502E000-memory.dmp
  Filesize: 6.9MB
- memory/3036-0-0x00000000001A0000-0x0000000000244000-memory.dmp
  Filesize: 656KB
- memory/3036-2-0x0000000004C90000-0x0000000004CD0000-memory.dmp
  Filesize: 256KB
- memory/3036-3-0x00000000004C0000-0x00000000004D8000-memory.dmp
  Filesize: 96KB
- memory/3036-5-0x0000000000530000-0x0000000000546000-memory.dmp
  Filesize: 88KB
- memory/3036-4-0x0000000000520000-0x000000000052E000-memory.dmp
  Filesize: 56KB
- memory/3036-31-0x0000000074940000-0x000000007502E000-memory.dmp
  Filesize: 6.9MB