Analysis

- Max time kernel: 121s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 29-04-2024 21:18
Static task: static1

Behavioral task: behavioral1
- Sample: bank slip.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: bank slip.exe
- Resource: win10v2004-20240419-en
General

- Target: bank slip.exe
- Size: 645KB
- MD5: 94140263a36560bda39b02fffafce831
- SHA1: 33f2c75d6d50ba1acaadc92ae64803ecd3ff18ff
- SHA256: fb422ed39cbabcab2449fde2224bfa281f4248e08014b4e3a60003842409d7a6
- SHA512: 2bf7708f475d4e663cea9c81a5198f1afa8f69d8088b84508d88bb25115beeaae116fb52a6c80c65e15be7f826c6616767afd30f27d19c076786edccefac381e
- SSDEEP: 12288:zuZk4K7sxuUrrN0I+9Vhbb2guOiAjDHIEf9/Q/3LhqvsqDfzltZWYblmeB778Qoo:JsxumrO7cgu4D5fxALhhqDLl9RmeBf
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: mail.vw-rmplcars.co.in
- Port: 587
- Username: [email protected]
- Password: Gagan#456
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe" (process: RegSvcs.exe)

- Suspicious use of SetThreadContext (1 IoC)
  Processes: bank slip.exe
  - PID 2784 (bank slip.exe) set thread context of PID 2472 (RegSvcs.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: bank slip.exe, powershell.exe, powershell.exe, RegSvcs.exe
  - PID 2784 bank slip.exe (6 events)
  - PID 2736 powershell.exe
  - PID 2244 powershell.exe
  - PID 2784 bank slip.exe
  - PID 2472 RegSvcs.exe (2 events)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: bank slip.exe, powershell.exe, powershell.exe, RegSvcs.exe
  - Token: SeDebugPrivilege, PID 2784 bank slip.exe
  - Token: SeDebugPrivilege, PID 2736 powershell.exe
  - Token: SeDebugPrivilege, PID 2244 powershell.exe
  - Token: SeDebugPrivilege, PID 2472 RegSvcs.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: bank slip.exe
  - PID 2784 (bank slip.exe) wrote to memory of PID 2244 (powershell.exe), 4 events
  - PID 2784 (bank slip.exe) wrote to memory of PID 2736 (powershell.exe), 4 events
  - PID 2784 (bank slip.exe) wrote to memory of PID 2612 (schtasks.exe), 4 events
  - PID 2784 (bank slip.exe) wrote to memory of PID 2472 (RegSvcs.exe), 12 events
Processes

- C:\Users\Admin\AppData\Local\Temp\bank slip.exe (PID 2784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bank slip.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2244)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bank slip.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rXxoYFse.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 2612)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXxoYFse" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2472)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp
  - Filesize: 1KB
  - MD5: 457411416a663e88c9cf5907fbd3c5ec
  - SHA1: c43669719050b61b4de0700ab3c8003c93498c0f
  - SHA256: 507b49e716650f67727b5f71807355c2ee81a6273c24efb4362d7e8a262dd88f
  - SHA512: 141b080880229851bcd3ed08c71821276d756178c48e7c0d404a3d950bf2c8f77b3c9d1dd39923bf4ab417ced1806e4478f28a4c8ccaefdecf25b4f2f44b8974

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - Filesize: 7KB
  - MD5: c06161f1a32106b3124d7c546c30664c
  - SHA1: a2a552cb0b2d44cc9dd6f1fc1c51c2ee32328eda
  - SHA256: bd8cf0c550ed29b6cb16c5bd8330dd06de5fedd5ca7c320d9a2a8604f6862f48
  - SHA512: 7870df872ea28537669b52743eea769b6245c8da8d896b36d19ceb8866231ce46a6ea1108f2584747f43d4030916c0192f674c341fa111cfb084e1f1844d39f1

Memory dumps (filesize in parentheses):

- memory/2472-30-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-19-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-23-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-25-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
- memory/2472-29-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-28-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2472-21-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2784-6-0x0000000004FD0000-0x0000000005054000-memory.dmp (528KB)
- memory/2784-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp (6.9MB)
- memory/2784-0-0x0000000000990000-0x0000000000A34000-memory.dmp (656KB)
- memory/2784-2-0x0000000004850000-0x0000000004890000-memory.dmp (256KB)
- memory/2784-3-0x00000000003D0000-0x00000000003E8000-memory.dmp (96KB)
- memory/2784-5-0x00000000003F0000-0x0000000000406000-memory.dmp (88KB)
- memory/2784-4-0x00000000003B0000-0x00000000003BE000-memory.dmp (56KB)
- memory/2784-31-0x0000000074DC0000-0x00000000754AE000-memory.dmp (6.9MB)