Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 11:09

General

  • Target

    ATA2409385.exe

  • Size

    717KB

  • MD5

    e8835b7ee85bf5c1770398de1a14c211

  • SHA1

    5e5e3ff999c410362ae2571a921dd229cf0fa414

  • SHA256

    09a3694a94074c3c3c29f6a7c03b74a8f87b79635958b820bcaed112afe0cea9

  • SHA512

    f768d617246e6c71a2f94944443ac8fbfa11b8f330548b94d6825e54e27f60dad2283c7d544b014d22704cf989bb898cf54eeae762e366ae9ec621a1219d77d0

  • SSDEEP

    12288:qHo2iN3skSKSIw6KZo/bzjtw79gALqXrw8BdOzb4+g9aZXqxoosdzDslRTPuMjjy:qI19JSNIH2Oza79gzw8fOzc+gEXquosN

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe
    "C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ATA2409385.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YASWWeFBvhTn.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YASWWeFBvhTn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp696D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2448

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp696D.tmp

          Filesize

          1KB

          MD5

          d79eb34e4fe699ead9f262b739c84402

          SHA1

          b7277ea9d73c26ce8561cba26e079aa7d887e201

          SHA256

          c67f3d281450ad7f5a313d0ea74072669f00ad4195a584dfed36611cbf8dbe5f

          SHA512

          8cc9c8c3c9632c7e09571c7cc49f983438a332062c95b5eb549595160d8bfe28f802055cc700d2409762737776359c93dd9bf5bd090fee4c6b3bd52a85221ad1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2U3VRH35SSDX4VIQ0R1Z.temp

          Filesize

          7KB

          MD5

          6eb90ab4d542173b45cc4de6b2df243b

          SHA1

          23db9b432e3d3ab5f9ec9e1e032225f94b049229

          SHA256

          b326d2ef7212b0b9dc76480d46b06dde1d69c55f5061ece0e76138c251b05656

          SHA512

          30d5d9813b35f7d4c50fd5ec89e2ec4752d940b36cb87516e66a527424c5600df96899aaa6ff804d1175aa26d4bb6fe6e954d9c1a0159750a027e21a63a1fa0a

        • memory/2288-31-0x0000000074430000-0x0000000074B1E000-memory.dmp

          Filesize

          6.9MB

        • memory/2288-1-0x0000000001310000-0x00000000013C6000-memory.dmp

          Filesize

          728KB

        • memory/2288-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

          Filesize

          6.9MB

        • memory/2288-3-0x00000000007E0000-0x00000000007FE000-memory.dmp

          Filesize

          120KB

        • memory/2288-4-0x0000000000560000-0x0000000000570000-memory.dmp

          Filesize

          64KB

        • memory/2288-5-0x0000000005250000-0x00000000052D4000-memory.dmp

          Filesize

          528KB

        • memory/2288-0-0x000000007443E000-0x000000007443F000-memory.dmp

          Filesize

          4KB

        • memory/2448-27-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-30-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-28-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-22-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-20-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2448-18-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2448-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB