Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 00:31

Static task
- static1

Behavioral task
- behavioral1
  Sample: SecuriteInfo.com.Heur.32701.20065.exe
  Resource: win7-20240220-en

Behavioral task
- behavioral2
  Sample: SecuriteInfo.com.Heur.32701.20065.exe
  Resource: win10v2004-20240426-en
General
- Target: SecuriteInfo.com.Heur.32701.20065.exe
- Size: 783KB
- MD5: f17de52fcf8876fe0f7dfe27938821ad
- SHA1: 643627151448795c6d296cc2c9c5be59937da4d9
- SHA256: 98b85ee0663117740bdac3c6af9fd2c637206f83be0978b865bc9cce1cc2eb51
- SHA512: a6a3266955c430eff1a78612de56b4442d2818ec4363f8efd91a44c7dbbcf94a6d3731d47959496c05851c306e223f6826ab140ec373cd1e0ee5f052dcb1bce0
- SSDEEP: 24576:QlPmicd0uitF0I/tI6WHft8xjmq5c30l:QluicdaWHl8xy/k
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.starmech.net
- Port: 587
- Username: [email protected]
- Password: nics123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BjTxJte = "C:\\Users\\Admin\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe"
    process: SecuriteInfo.com.Heur.32701.20065.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4: api.ipify.org
    flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2192 (SecuriteInfo.com.Heur.32701.20065.exe) set thread context of 2428 (SecuriteInfo.com.Heur.32701.20065.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 2428 SecuriteInfo.com.Heur.32701.20065.exe
    PID 2428 SecuriteInfo.com.Heur.32701.20065.exe
    PID 2644 powershell.exe
    PID 2528 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 2428 SecuriteInfo.com.Heur.32701.20065.exe
    Token: SeDebugPrivilege, PID 2644 powershell.exe
    Token: SeDebugPrivilege, PID 2528 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 2428 SecuriteInfo.com.Heur.32701.20065.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (identical events grouped, with their count):
    PID 2192 (SecuriteInfo.com.Heur.32701.20065.exe) wrote to memory of 2528 (powershell.exe): 4 times
    PID 2192 (SecuriteInfo.com.Heur.32701.20065.exe) wrote to memory of 2644 (powershell.exe): 4 times
    PID 2192 (SecuriteInfo.com.Heur.32701.20065.exe) wrote to memory of 2584 (schtasks.exe): 4 times
    PID 2192 (SecuriteInfo.com.Heur.32701.20065.exe) wrote to memory of 2428 (SecuriteInfo.com.Heur.32701.20065.exe): 9 times
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"
  PID: 2192
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"
    PID: 2528
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tNRjyjsAFX.exe"
    PID: 2644
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tNRjyjsAFX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp"
    PID: 2584
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"
    PID: 2428
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp
  Filesize: 1KB
  MD5: 2de9eaa8754d456896f3515dae42bf1b
  SHA1: 9d7d3fd0fdbc085a59ec9b29a39ee36760a1f9d2
  SHA256: 25df73625d6c07b7f3425717a582aaa6bb9457fe1efd23ed24a3eabaa011591d
  SHA512: af532107fc67304179a27d193ae67ad4b13515fe2d32b0aca4cba8fd7dbaaf3a3b676ba3648deb9196c115d1270f1047762b81ece84539e01249f9d3364006b9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: e2de0a3219abc0da417bb212d0ab2635
  SHA1: 8cd51f368952e6799ab080811e596332dbcd2f87
  SHA256: e754cab5eb2b385493e2419b9de65dfc96f56e6531fd6bd7fb0ed8cdb2615c6f
  SHA512: 553afde4619308ab606b21a6e9c7140b0f2de8e3ef01a5fe964579c2bd6e78fa0fc478c10168adcda5336e61ccb561ca8fdf4d78d425d830e1fbaebeaf0b27ed
Memory dumps (name, filesize):
- memory/2192-4-0x0000000000580000-0x000000000058E000-memory.dmp: 56KB
- memory/2192-31-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/2192-0-0x0000000000840000-0x000000000090A000-memory.dmp: 808KB
- memory/2192-5-0x0000000000690000-0x00000000006A6000-memory.dmp: 88KB
- memory/2192-6-0x0000000004F00000-0x0000000004F84000-memory.dmp: 528KB
- memory/2192-2-0x00000000044C0000-0x0000000004500000-memory.dmp: 256KB
- memory/2192-1-0x0000000074500000-0x0000000074BEE000-memory.dmp: 6.9MB
- memory/2192-3-0x0000000000780000-0x0000000000798000-memory.dmp: 96KB
- memory/2428-19-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-30-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-29-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2428-25-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-23-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-21-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2428-28-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB