Analysis
max time kernel: 117s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 11:00
Static task: static1
Behavioral task: behavioral1
Sample: FILE....bat.exe
Resource: win7-20240221-en
General
Target: FILE....bat.exe
Size: 702KB
MD5: d8255eb607db6d8f72c2d00f189fa91e
SHA1: ac959d228d425713d614e09906c969464fc1ca79
SHA256: 176d7732afe006497070888796728dca5773c1798b4aa603676829b956dad57e
SHA512: b9f58c0c4391954ba5c01d5b23c4effac9e9240b25ffa1b3f15de196f895c8a62c12385ded7b8838af6a9c45e7cae582e143f7a468e0daf4323513e20f2c28ac
SSDEEP: 12288:BxhbIc9r8+HfmI+aFNco0sTYUEB7JyhxkN+sfWPk4Qud/YMjhvPie/rByY77777k:BxhXrhfl+sOo0sMjB7JyhxO+Ds4QuRYB
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.greentechme.com
Port: 587
Username: [email protected]
Password: Greentech@786
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. The configuration extracted above shows this sample exfiltrating over SMTP (mail.greentechme.com:587) with hard-coded mailbox credentials.
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
pid   Process
2780  powershell.exe
2580  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process          procid_target
PID 1548 set thread context of 592   1548  FILE....bat.exe  34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2808  schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process          count
1548  FILE....bat.exe  7
592   RegSvcs.exe      2
2780  powershell.exe   1
2580  powershell.exe   1

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1548  FILE....bat.exe
Token: SeDebugPrivilege  592   RegSvcs.exe
Token: SeDebugPrivilege  2780  powershell.exe
Token: SeDebugPrivilege  2580  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                         pid   Process          procid_target  count
PID 1548 wrote to memory of 2780    1548  FILE....bat.exe  28             4
PID 1548 wrote to memory of 2580    1548  FILE....bat.exe  30             4
PID 1548 wrote to memory of 2808    1548  FILE....bat.exe  32             4
PID 1548 wrote to memory of 592     1548  FILE....bat.exe  34             12
Processes
C:\Users\Admin\AppData\Local\Temp\FILE....bat.exe
  "C:\Users\Admin\AppData\Local\Temp\FILE....bat.exe"
  PID: 1548
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  |    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FILE....bat.exe"
  |    PID: 2780
  |    - Command and Scripting Interpreter: PowerShell
  |    - Suspicious behavior: EnumeratesProcesses
  |    - Suspicious use of AdjustPrivilegeToken

  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  |    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UtuyXvTGwdN.exe"
  |    PID: 2580
  |    - Command and Scripting Interpreter: PowerShell
  |    - Suspicious behavior: EnumeratesProcesses
  |    - Suspicious use of AdjustPrivilegeToken

  |- C:\Windows\SysWOW64\schtasks.exe
  |    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UtuyXvTGwdN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE2F.tmp"
  |    PID: 2808
  |    - Creates scheduled task(s)

  |- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
       "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
       PID: 592
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken

Note: the child images resolve under SysWOW64 although their command lines name System32, so the launcher is a 32-bit process and the paths were WOW64 file-system redirected. The second Defender exclusion covers C:\Users\Admin\AppData\Roaming\UtuyXvTGwdN.exe, the same name used for the scheduled task "Updates\UtuyXvTGwdN" whose definition is read from a temp file, and RegSvcs.exe is started with no arguments before the parent writes to its memory and sets its thread context, the pattern of a hollowed .NET host.
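The two PowerShell exclusion commands, the schtasks /XML task and the SetThreadContext/WriteProcessMemory activity against RegSvcs.exe listed above are the behaviours a detection engineer would key on. The following Python is an added example, not sandbox output and not code from the sample: it replays the process tree and memory-write rows of this report as constructed input and flags the three patterns. It generalises slightly beyond the report: the Defender rule also catches Set-MpPreference and the -ExclusionExtension, -ExclusionProcess and -Disable* switches, and the injection rule also treats RegAsm.exe as a .NET host. The event dataclasses, rule names and the "WriteProcessMemory"/"SetThreadContext" API labels are assumptions of this example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # on-disk image path (SysWOW64 when WOW64-redirected)
    cmdline: str

@dataclass(frozen=True)
class InjectEvent:
    source_pid: int
    target_pid: int
    api: str        # assumed label: "WriteProcessMemory" or "SetThreadContext"

@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str

# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Add-/Set-MpPreference followed by an exclusion or Disable* switch and its value.
DEFENDER_TAMPER = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-(Exclusion(?:Path|Extension|Process)|Disable\w+)"
    r'(?:\s+("[^"]*"|\S+))?', re.I | re.S)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}   # .NET utilities used as hollowing hosts

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def check_defender_exclusion(ev: ProcEvent):
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = DEFENDER_TAMPER.search(ev.cmdline)
    if not m:
        return None
    what = f"{m.group(1)}-MpPreference -{m.group(2)} {m.group(3) or ''}".strip()
    return Finding(ev.pid, "defender_exclusion", what)

def check_schtasks_xml(ev: ProcEvent):
    # schtasks /Create ... /XML <file> where the task definition sits in a user directory.
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    xml = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', ev.cmdline, re.I)
    if not xml or not USER_WRITABLE.search(xml.group(1) or xml.group(2)):
        return None
    tn = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', ev.cmdline, re.I)
    task = (tn.group(1) or tn.group(2)) if tn else "?"
    return Finding(ev.pid, "schtasks_xml_from_user_dir",
                   f"task {task} defined by {xml.group(1) or xml.group(2)}")

def check_dotnet_host_injection(events, injections):
    # A process from a user-writable path writing into, or setting the thread
    # context of, a .NET utility: the hollowing pattern seen in the report.
    by_pid = {e.pid: e for e in events}
    findings, seen = [], set()
    for inj in injections:
        src, tgt = by_pid.get(inj.source_pid), by_pid.get(inj.target_pid)
        if not src or not tgt or tgt.pid in seen:
            continue
        if basename(tgt.image) in DOTNET_HOSTS and USER_WRITABLE.search(src.image):
            apis = sorted({i.api for i in injections
                           if (i.source_pid, i.target_pid) == (src.pid, tgt.pid)})
            seen.add(tgt.pid)
            findings.append(Finding(tgt.pid, "dotnet_host_injection",
                f"{basename(src.image)} ({src.pid}) -> {basename(tgt.image)} via {', '.join(apis)}"))
    return findings

def analyze(events, injections):
    findings = [f for ev in events
                for f in (check_defender_exclusion(ev), check_schtasks_xml(ev)) if f]
    findings.extend(check_dotnet_host_injection(events, injections))
    return findings

# Constructed sample input, copied from the report's process tree and its
# WriteProcessMemory/SetThreadContext rows; not raw sandbox output.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1548, TMP + r"\FILE....bat.exe", f'"{TMP}\\FILE....bat.exe"'),
    ProcEvent(2780, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              f'"{PS}" Add-MpPreference -ExclusionPath "{TMP}\\FILE....bat.exe"'),
    ProcEvent(2580, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\UtuyXvTGwdN.exe"'),
    ProcEvent(2808, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\UtuyXvTGwdN" /XML "{TMP}\\tmpDE2F.tmp"'),
    ProcEvent(592, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]
SAMPLE_INJECTIONS = (
    [InjectEvent(1548, 2780, "WriteProcessMemory")] * 4
    + [InjectEvent(1548, 2580, "WriteProcessMemory")] * 4
    + [InjectEvent(1548, 2808, "WriteProcessMemory")] * 4
    + [InjectEvent(1548, 592, "WriteProcessMemory")] * 12
    + [InjectEvent(1548, 592, "SetThreadContext")]
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, SAMPLE_INJECTIONS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Running it yields four findings: both powershell.exe children for the Defender exclusions, schtasks.exe for the task defined from the Temp XML, and RegSvcs.exe as the injection target. The four writes into each powershell/schtasks child are not flagged because those targets are not .NET hosts, which is the right outcome: writes into a freshly created child are ordinary, while twelve writes plus a SetThreadContext into an argument-less RegSvcs.exe is the hollowing signal.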
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
Filesize: 1KB
MD5: 045566187d8824566444092db559a983
SHA1: 27c5088664ce3fce27582e2bc984e56901c49e02
SHA256: 9e6c19ccdda52bab22f46a46657d530be3e4147631c8dcb54c7baaf27a991795
SHA512: e7ceda8c7fcf1ef6c744e07389e357e777fbe5cb2242dafa9ce87b2e8c035258760ee48eb09d053301e92efca9bd67282d583ea36ae8127478a9d3d8a27fa23f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: aef0021b43caf1b9de033cbf8a776a9f
SHA1: fe6ba0c3ca30cd8db3f124dcc18612bb6207293d
SHA256: 8cb558b35d5e1bc03999554fa141790ddd6b170ec52826d6173f004103fdcfc9
SHA512: dc95c44de49118e6a2385d66511292d04063111aa8a819a467475a2ff3eb253ce9bb876449b3d0588bf440307eb9390b654d41af6f5c8fa52e50241371230ed7