Overview

overview

10

Static

static

1

payment co...on.exe

windows7-x64

10

payment co...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2024 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment confirmation.exe

  • Size

    807KB

  • MD5

    fea84a2a79e39deb22b64d9431263fa4

  • SHA1

    b233547650120b9b0d4327b355fff6d198c88aae

  • SHA256

    41dc02abba1fa20676b50eeb403f735dff2eb2a2223fa1469a4a5f7d470f77b7

  • SHA512

    1dd6a150a9332f7e206c8556642b81678dbf1cd4ba3690daed9b5c1e362eafe73450a9aa2119d754185cf7ae7cb32aded37324f5d846463d8decc5b0b9fd9ed5

  • SSDEEP

    24576:orA4MtlrmVpJEABpkkUTib2K96C8fnl4c7g7NOctO1P:CCtmpJEH/TjQAvl4l9ON

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\payment confirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment confirmation.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cEEcVQhGzlKTOd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cEEcVQhGzlKTOd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBF97.tmp
    Filesize

    1KB

    MD5

    527bf8e9b0d161726d8a0a0b54ad3a4b

    SHA1

    ce53cd8fdf4092caceb569dcfd10df70832cdad5

    SHA256

    5fb6147282e9ca3cd0a88d9f242fb894f7b8d68698bd84bbdf3a8d804213c623

    SHA512

    f6648a9ebfc6033df0a44a832ee50a532d0cd74b060ed16df2dc249e79c7725d6534f99a700eb0f450c8636eccd88163727777dbeb695a25310748b6e306c140

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XXTUWZONF4JLD97RRBKA.temp
    Filesize

    7KB

    MD5

    0b82a0b909bae145feddcccd90b4866d

    SHA1

    163493fbeecf7a87871d5e7fcb80b69058e30674

    SHA256

    74e35089a33fcc2654b46428cbe32ad9e3309ba54e48e5038c0ae9e69039392a

    SHA512

    fe003dd2fb02a360ccf4ed98810896a3a59d24b742ce77406dbd6931474710dcbf7a772333868a6e57dde9c6dc4788fe44ba5f257c139c01a743a5967dcc428f

    Download Submit

  • memory/2208-4-0x0000000000500000-0x0000000000516000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2208-32-0x0000000074330000-0x0000000074A1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2208-0-0x0000000000F20000-0x0000000000FEC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2208-5-0x0000000004A40000-0x0000000004AC2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2208-6-0x0000000074330000-0x0000000074A1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2208-2-0x0000000000B40000-0x0000000000B80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2208-1-0x0000000074330000-0x0000000074A1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2208-3-0x00000000004D0000-0x00000000004E6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2400-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2400-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2400-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download