Analysis

max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 11:09

Static task: static1
Behavioral task: behavioral1 (sample ATA2409385.exe, resource win7-20231129-en)
Behavioral task: behavioral2 (sample ATA2409385.exe, resource win10v2004-20240426-en)

The signatures, process tree and dropped files below are from the Windows 7 x64 run (platform windows7_x64, resource win7-20231129-en).
General

Target: ATA2409385.exe
Size: 717KB
MD5: e8835b7ee85bf5c1770398de1a14c211
SHA1: 5e5e3ff999c410362ae2571a921dd229cf0fa414
SHA256: 09a3694a94074c3c3c29f6a7c03b74a8f87b79635958b820bcaed112afe0cea9
SHA512: f768d617246e6c71a2f94944443ac8fbfa11b8f330548b94d6825e54e27f60dad2283c7d544b014d22704cf989bb898cf54eeae762e366ae9ec621a1219d77d0
SSDEEP: 12288:qHo2iN3skSKSIw6KZo/bzjtw79gALqXrw8BdOzb4+g9aZXqxoosdzDslRTPuMjjy:qI19JSNIH2Oza79gzw8fOzc+gEXquosN
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.shaktiinstrumentations.in
Port: 587
Username: [email protected]
Password: Shakti54231!@#$%#@!
Email To: [email protected]

The mailbox addresses appear as "[email protected]" in the source and no further detail is recorded. Port 587 is the authenticated mail-submission port, so the stealer logs in to this mailbox with the hard-coded credentials above and sends the harvested data as mail. Because the credentials are embedded in the binary, the sandbox recovered them statically, and anyone holding the sample can too; treat the host as an exfiltration indicator and the account as compromised.
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The configuration extracted from this sample exfiltrates over SMTP (see Malware Config).
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run both invocations use Add-MpPreference -ExclusionPath: one for the dropper itself under C:\Users\Admin\AppData\Local\Temp and one for the copy it stages at C:\Users\Admin\AppData\Roaming\YASWWeFBvhTn.exe (see Processes). Exclusions added this way outlive the process, so remediation has to include reviewing Get-MpPreference output and removing them with Remove-MpPreference.

PID   Process
3052  powershell.exe
2616  powershell.exe
Adds Run key to start application (2 TTPs, 1 IoC)

description      ioc                                                                                                                                                       Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe

The writer is RegSvcs.exe (PID 2448), i.e. the injected payload rather than the dropper, and the persisted path is a third filename (boqXv.exe) alongside the dropper and the YASWWeFBvhTn.exe copy.
Suspicious use of SetThreadContext (1 IoC)

description                 PID   Process          procid_target
set thread context of 2448  2168  ATA2409385.exe   35

The dropper (2168) sets the thread context of its RegSvcs.exe child (2448) after the repeated WriteProcessMemory calls into the same PID recorded below. That is the footprint of process hollowing (write a payload into a child, then redirect its thread with SetThreadContext), using the signed .NET utility RegSvcs.exe as the host image so the payload runs under a trusted Microsoft binary.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task definition is imported from an XML file in the user's Temp directory (see Processes: /TN "Updates\YASWWeFBvhTn" /XML "...\tmp6B8F.tmp"), so the trigger and the action are not visible on the command line and must be read from that XML or from the registered task itself.

PID   Process
2600  schtasks.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)

PID   Process          events
2168  ATA2409385.exe   9
2448  RegSvcs.exe      2
3052  powershell.exe   1
2616  powershell.exe   1
Suspicious use of AdjustPrivilegeToken (4 IoCs)

description              PID   Process
Token: SeDebugPrivilege  2168  ATA2409385.exe
Token: SeDebugPrivilege  2448  RegSvcs.exe
Token: SeDebugPrivilege  3052  powershell.exe
Token: SeDebugPrivilege  2616  powershell.exe
Suspicious use of WriteProcessMemory (31 IoCs)
All writes originate from PID 2168 (ATA2409385.exe); "writes" is the number of recorded WriteProcessMemory events per target.

target PID  target process   procid_target  writes
3052        powershell.exe   28             4
2616        powershell.exe   30             4
2600        schtasks.exe     32             4
2676        RegSvcs.exe      34             7
2448        RegSvcs.exe      35             12

The four writes into each PowerShell and schtasks child are the footprint any parent leaves when CreateProcess populates a new process. The 7 and 12 writes into the two RegSvcs.exe instances, followed by SetThreadContext on 2448, are the injection.
Processes

C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe  (PID 2168)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3052, parent 2168)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2616, parent 2168)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YASWWeFBvhTn.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2600, parent 2168)
    cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YASWWeFBvhTn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B8F.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2676, parent 2168)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    (no signatures recorded for this instance)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2448, parent 2168)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the command lines request C:\Windows\System32\... but the executed images live under SysWOW64 and under the 32-bit Framework (not Framework64) directory. The dropper is therefore a 32-bit process and WOW64 file-system redirection selected the 32-bit PowerShell, schtasks and RegSvcs for it. RegSvcs.exe is launched twice with no arguments, which a legitimate use of the tool never does; only the second instance (2448) receives SetThreadContext and goes on to write the Run key, so that is the hollowed process executing the Agent Tesla payload.
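The four observable side effects in the tree above (a Defender exclusion for a user-writable path, a scheduled task imported from an XML file in Temp, a .NET utility started with no arguments, and a Run key pointing into AppData) are each weak on their own but strong when one parent drives all of them. The following is an added hunting example, not part of the sandbox report or of the sandbox vendor's code. It runs over constructed Sysmon-style records modelled on this report's process tree and registry IoC; the event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `data`) and the benign RegSvcs control event are assumptions for illustration.

```python
"""Correlate the Agent Tesla-style chain from process-creation and registry events.

Added example for the report above; EVENTS are constructed from its process tree and
Run-key IoC, with field names assumed rather than taken from a real log export."""
import re
from collections import defaultdict

SID = "S-1-5-21-3627615824-4061627003-3019543961-1000"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

EVENTS = [  # constructed from the report's process tree and Run-key IoC
    {"type": "process", "pid": 2168, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"'},
    {"type": "process", "pid": 3052, "ppid": 2168, "image": PS,
     "cmdline": PS_CMD + r'"C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"'},
    {"type": "process", "pid": 2616, "ppid": 2168, "image": PS,
     "cmdline": PS_CMD + r'"C:\Users\Admin\AppData\Roaming\YASWWeFBvhTn.exe"'},
    {"type": "process", "pid": 2600, "ppid": 2168, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YASWWeFBvhTn" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6B8F.tmp"'},
    {"type": "process", "pid": 2448, "ppid": 2168, "image": REGSVCS, "cmdline": '"%s"' % REGSVCS},
    {"type": "registry", "pid": 2448,
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\boqXv" % SID,
     "data": r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"},
    # benign control (constructed): an installer registering a COM+ assembly with RegSvcs
    {"type": "process", "pid": 5100, "ppid": 4444, "image": REGSVCS,
     "cmdline": '"%s" "C:\\Program Files\\Vendor\\Component.dll"' % REGSVCS},
]

# Per-user locations the dropper and its copies live in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
EXCLUSION = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
LEADING_IMAGE = re.compile(r'^\s*"?[^"]*?\.exe"?', re.I)  # argv[0], quoted or not


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules on one process-creation event; returns a list of (rule, detail)."""
    name, cmd, hits = basename(ev["image"]), ev["cmdline"], []
    if name == "powershell.exe":
        m = EXCLUSION.search(cmd)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append(("defender_exclusion_user_dir", m.group(1) or m.group(2)))
    elif name == "schtasks.exe":
        m = SCHTASKS_XML.search(cmd)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append(("schtasks_xml_from_temp", m.group(1) or m.group(2)))
    elif name in ("regsvcs.exe", "regasm.exe"):
        # A real RegSvcs run names an assembly; an empty argv tail means the process
        # exists only as a host image for code written into it by its parent.
        if not LEADING_IMAGE.sub("", cmd, count=1).strip():
            hits.append(("dotnet_utility_no_args", ev["image"]))
    return hits


def check_registry(ev):
    if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        return [("run_key_user_dir", ev["data"])]
    return []


def hunt(events):
    """Attribute every hit to the parent that drove it: {parent_pid: {rule: [details]}}."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    findings = defaultdict(dict)
    for ev in events:
        if ev["type"] == "process":
            for rule, detail in check_process(ev):
                findings[ev["ppid"]].setdefault(rule, []).append(detail)
        elif ev["type"] == "registry":
            # The writer here is the hollowed RegSvcs.exe; credit its parent, the dropper.
            for rule, detail in check_registry(ev):
                findings[parent_of.get(ev["pid"], ev["pid"])].setdefault(rule, []).append(detail)
    return dict(findings)


def suspicious_chains(findings, min_rules=2):
    """Parents combining at least min_rules distinct behaviours (evasion, persistence, hollowing host)."""
    return sorted(pid for pid, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(EVENTS)
    for pid in suspicious_chains(found):
        print(pid, sorted(found[pid]))
```

Two design points. First, the rules key on the parent PID rather than on the acting process, because each child (powershell.exe, schtasks.exe, RegSvcs.exe) is a legitimate signed binary and only the combination under one parent is telling; the constructed RegSvcs control event with a real argument is left alone. Second, SetThreadContext itself is not a stock Sysmon event, so the chain is reconstructed from what process-creation and registry telemetry do show; an EDR that records thread-context changes or the WriteProcessMemory counts above can be added as a further rule on the same parent.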
Network
MITRE ATT&CK Enterprise v15
Downloads

(dropped file; path not given in the source)
Filesize: 1KB
MD5: 6dbeff4382cbc1a9da0ce92c642bc967
SHA1: edd72b64b0ff22e12152cd7b3b87b5cbf69c7fed
SHA256: 2ac67dbcf70c13c5269f7b125cd6386d025215db6e94fe663afc2bf120dfbaee
SHA512: 05d3ee2c2ed21116ab7d965eb9ad17673510c746114ce5a6d9d194743af02675485b6d83c5431184e64e077b55905e5eeb92e2ce66fe3bf202fda2e85fc2aea8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 1f26493a49877505c55308d602863b59
SHA1: e909d8debba4a0242384377e2196888d9b0616eb
SHA256: 779aad2c3da3c1d08e640d7f4b162e87e9d4ad4022754dbd55d0f3289a5aedd5
SHA512: 3d230e4faa2bae503a30714b7e9cb57ec207d3597212b42a4f0f850cfb502ac39a4d6921a124b2aedb135bcc4a786af617c4cbe59357ae1f80b9e61de3a2205b

The .customDestinations-ms file is a Windows Jump List written by the shell as a side effect of running the sample, not a payload; it is useful as a forensic timeline artifact rather than as a detection indicator. Neither the staged copy at C:\Users\Admin\AppData\Roaming\YASWWeFBvhTn.exe nor the persisted C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe referenced in the signatures appears in this list, so their hashes are not recorded here.