Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 10:34
Static task: static1
Behavioral task: behavioral1
Sample: THA-02187.pdf.exe
Resource: win7-20231129-en
General
Target: THA-02187.pdf.exe (double extension: a PE executable named to look like a PDF)
Size: 690KB
MD5: ecfbc6343e85f36fda76a7b66a342475
SHA1: 59dd4a689d6e5fd4d07cc780a88d0b4902f369ee
SHA256: 3012b1cdc6d41423e99d57dac314df023f3e993fd42ee66f09553827ff616c79
SHA512: 2f635e264db29bdd871af05742e2695f65bc2fbad76e6736cccbed7495b1a9d5e81766a7fcd7844ec66898065a3f80d1130d48df3a3d27d3f99cc9baf19b4e2f
SSDEEP: 12288:EHm21680skSKSIwz4lvmi3vcso51aAO/CDebcxz/2R6iouQNvyKhkfZC614IpBK:EHp1680JSNIG4lvHcso515bN/2T45hwx
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: )otE@Kl4
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential/keystroke stealer, originally written in Visual Basic. The configuration extracted above shows this build exfiltrates over authenticated SMTP (port 587) through a mailhostbox.com relay; the username and password in the config are the attacker's sending mailbox, which is why they can be recovered straight from the sample.
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Both invocations here use Add-MpPreference -ExclusionPath: one for the running sample in the user's Temp directory and one for C:\Users\Admin\AppData\Roaming\WfOTdjb.exe, the same name as the scheduled task created below. Two caveats for anyone reusing this as a detection: Add-MpPreference needs an elevated context, so on a standard-user host the call fails; and the Defender PowerShell module ships with Windows 8 and later, so on this Windows 7 image the cmdlet is not even available and the signature fires on the command line, not on a confirmed configuration change. Where it does succeed, Defender records the change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.
pid   Process
2304  powershell.exe
2608  powershell.exe
Suspicious use of SetThreadContext (1 IoC)
description                 pid   Process            procid_target
set thread context of 2736  2548  THA-02187.pdf.exe  34
The parent changes the thread context of its RegSvcs.exe child (PID 2736) after writing to that process's memory (see WriteProcessMemory below). That is the create-suspended, write payload, SetThreadContext, resume sequence of process hollowing. procid_target is the sandbox's internal index for the target process, not a Windows PID.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\WfOTdjb" is imported from an XML file in the user's Temp directory (tmp3285.tmp), so the trigger and action are not visible on the command line; the registered definition can be read back from C:\Windows\System32\Tasks\Updates\WfOTdjb on the host.
pid   Process
2672  schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
2548  THA-02187.pdf.exe
2548  THA-02187.pdf.exe
2736  RegSvcs.exe
2736  RegSvcs.exe
2608  powershell.exe
2304  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2548  THA-02187.pdf.exe
Token: SeDebugPrivilege  2736  RegSvcs.exe
Token: SeDebugPrivilege  2608  powershell.exe
Token: SeDebugPrivilege  2304  powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
All 24 writes are by PID 2548 (THA-02187.pdf.exe); grouped by target process (target names taken from the process tree below):
target pid  target Process  procid_target  writes
2304        powershell.exe  28             4
2608        powershell.exe  30             4
2672        schtasks.exe    31             4
2736        RegSvcs.exe     34             12
The handful of writes into each of the three short-lived children is the normal side effect of CreateProcess (the parent copies the process parameters into the new process). The twelve writes into RegSvcs.exe, together with the SetThreadContext call on the same PID, are consistent with the parent hollowing RegSvcs.exe and mapping its payload into it.
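As an added example, not part of the sandbox report, the following Python reads back a registered task definition of the kind the schtasks command in this run creates and flags the properties a responder cares about: where the action runs from, what triggers it, whether it is hidden, and whether the task folder is a lookalike of the real \Microsoft\ update tasks. The two task bodies are constructed for the example: the report shows only the task name Updates\WfOTdjb and the temp XML path, so the logon trigger, the hidden flag and the WfOTdjb.exe command are assumptions, as are the benign control task, the helper names and the flag names.

```python
"""Triage of a registered scheduled task definition.

After `schtasks /Create /TN "Updates\\WfOTdjb" /XML <file>` the task body is
stored as UTF-16 XML under C:\\Windows\\System32\\Tasks\\Updates\\WfOTdjb and
survives even if the temp XML is deleted. Added example, not from the report;
both task bodies below are constructed (the report does not show them).
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a normal user can write to; a task action living here is suspect
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)

# Minimal task body in the layout Task Scheduler writes (constructed template)
TASK_TEMPLATE = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>
  <Principals><Principal id="Author"><RunLevel>{runlevel}</RunLevel></Principal></Principals>
  <Settings><Hidden>{hidden}</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>
"""


def constructed_task(command, trigger="LogonTrigger", hidden="false",
                     runlevel="LeastPrivilege", author="Admin-PC\\Admin") -> bytes:
    """Build a task file the way Task Scheduler stores it: UTF-16 with BOM."""
    return TASK_TEMPLATE.format(command=command, trigger=trigger, hidden=hidden,
                                runlevel=runlevel, author=author).encode("utf-16")


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def triage_task(task_name: str, xml_bytes: bytes) -> dict:
    """Parse one task body (raw file bytes) and return command, triggers, flags."""
    root = ET.fromstring(xml_bytes)  # expat detects the UTF-16 BOM itself
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    args_el = root.find("t:Actions/t:Exec/t:Arguments", NS)
    trig_el = root.find("t:Triggers", NS)
    hidden_el = root.find("t:Settings/t:Hidden", NS)
    run_el = root.find("t:Principals/t:Principal/t:RunLevel", NS)

    command = (cmd_el.text or "").strip() if cmd_el is not None else ""
    triggers = [_local(t.tag) for t in trig_el] if trig_el is not None else []
    flags = []
    if USER_WRITABLE.search(command):
        flags.append("exec_from_user_writable_path")
    if hidden_el is not None and (hidden_el.text or "").strip().lower() == "true":
        flags.append("hidden")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        flags.append("runs_at_logon_or_boot")
    if run_el is not None and (run_el.text or "").strip() == "HighestAvailable":
        flags.append("highest_available")
    # Folder heuristic: real update tasks live under \Microsoft\...; a top-level
    # "Updates" folder only looks like one
    folder = task_name.rsplit("\\", 1)[0] if "\\" in task_name else ""
    if re.search(r"update", folder, re.I) and not folder.lower().startswith("microsoft\\"):
        flags.append("update_lookalike_folder")
    return {"task": task_name, "command": command,
            "arguments": (args_el.text or "").strip() if args_el is not None else "",
            "triggers": triggers, "flags": flags}


# Constructed guess at the task from the report (assumption, body not in the report)
SUSPECT = triage_task(r"Updates\WfOTdjb",
                      constructed_task(r"C:\Users\Admin\AppData\Roaming\WfOTdjb.exe",
                                       hidden="true"))
# Constructed benign control under the real Microsoft task folder
BENIGN = triage_task(r"Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
                     constructed_task(r"C:\Windows\System32\usoclient.exe",
                                      trigger="CalendarTrigger",
                                      author="Microsoft Corporation"))

if __name__ == "__main__":
    for result in (SUSPECT, BENIGN):
        print(result["task"], "->", result["flags"] or "no findings")
```

On a live host the same function is applied to the raw bytes of each file under C:\Windows\System32\Tasks (read them as bytes, not as text, because the stored files are UTF-16); the registry mirror under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache holds the same definitions if the Tasks directory has been tampered with.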
Processes

C:\Users\Admin\AppData\Local\Temp\THA-02187.pdf.exe (PID 2548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\THA-02187.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2304, child of 2548)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\THA-02187.pdf.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2608, child of 2548)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WfOTdjb.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2672, child of 2548)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WfOTdjb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3285.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2736, child of 2548)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the command lines name System32, but the images that actually ran are in SysWOW64 and the RegSvcs.exe path is the 32-bit Framework directory rather than Framework64, so the dropper is a 32-bit process subject to WOW64 file system redirection on this 64-bit Windows 7 image. RegSvcs.exe is started with no arguments, which does nothing useful on its own; together with the SetThreadContext and WriteProcessMemory entries that target PID 2736 it is the process being hollowed to host the Agent Tesla payload. For hunting on other hosts, the persistent artefacts are the task "Updates\WfOTdjb" outside the \Microsoft\ task folder and a Defender exclusion for an executable in AppData\Roaming.
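As an added example, not from the report, the Python below runs four detection rules over process-creation events built from the tree above (the four child launches of PID 2548) plus two constructed benign controls, so the rules can be seen to fire on the malicious launches and stay quiet on an administrator adding an exclusion from Explorer and a developer running RegSvcs.exe with a real argument. The event shape, the rule names and severities, the admin-parent list and the benign events are assumptions of the example; a Sysmon Event ID 1 or EDR feed would supply the same three fields.

```python
"""Detection rules for the behaviours in the process tree above.

Events carry parent image, image and command line, the fields any
process-creation telemetry provides. Added example, not part of the report;
the events for PIDs 2304/2608/2672/2736 are transcribed from the tree, the
benign controls (PIDs 4100 and 5000) are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Locations a normal user can write to; an AV exclusion or task XML here is suspect
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Parents from which admins, installers and developers normally run these tools (assumed list)
ADMIN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "powershell_ise.exe",
                 "mmc.exe", "svchost.exe", "msiexec.exe", "devenv.exe", "msbuild.exe"}
# .NET utilities that are common hollowing hosts when launched with no arguments
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}
# Document extension followed by .exe, as in THA-02187.pdf.exe
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmd: str) -> bool:
    """True if anything follows the (possibly quoted) executable token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        rest = cmd[cmd.find('"', 1) + 1:]
    else:
        rest = cmd.partition(" ")[2]
    return rest.strip() != ""


def detect(ev: ProcEvent) -> list:
    """Return (rule, severity) pairs that fire on one event."""
    hits = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line

    # 1. Defender exclusion via Add-MpPreference; high when the excluded object is
    #    in a user-writable location or the parent is not a normal admin tool
    if (img == "powershell.exe" and re.search(r"\bAdd-MpPreference\b", cmd, re.I)
            and re.search(r"-Exclusion(?:Path|Process|Extension)\b", cmd, re.I)):
        suspicious = USER_WRITABLE.search(cmd) or parent not in ADMIN_PARENTS
        hits.append(("defender_exclusion", "high" if suspicious else "medium"))

    # 2. schtasks /Create importing its definition from an XML in Temp/AppData
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = re.search(r'/xml\s+"?([^"\s]+)', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append(("schtasks_xml_from_user_writable", "high"))

    # 3. .NET utility started argument-less by a non-admin/non-dev parent: these
    #    binaries do nothing useful without arguments, so this is a hollowing host
    if img in DOTNET_UTILS and not has_arguments(cmd) and parent not in ADMIN_PARENTS:
        hits.append(("dotnet_utility_no_args", "high"))

    # 4. Parent masquerading with a document double extension
    if DOUBLE_EXT.search(parent):
        hits.append(("double_extension_parent", "medium"))
    return hits


def scan(events) -> list:
    """Flatten rule hits over a batch of events as (pid, rule, severity)."""
    return [(ev.pid, rule, sev) for ev in events for rule, sev in detect(ev)]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\THA-02187.pdf.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "{}"'
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

EVENTS = [
    # transcribed from the process tree in the report
    ProcEvent(2304, DROPPER, PS32, PS_CMD.format(DROPPER)),
    ProcEvent(2608, DROPPER, PS32, PS_CMD.format(r"C:\Users\Admin\AppData\Roaming\WfOTdjb.exe")),
    ProcEvent(2672, DROPPER, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WfOTdjb" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3285.tmp"'),
    ProcEvent(2736, DROPPER, REGSVCS, '"%s"' % REGSVCS),
    # constructed benign controls (not from the report)
    ProcEvent(4100, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "D:\build\out"'),
    ProcEvent(5000, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              REGSVCS, '"%s" C:\\proj\\bin\\Component.dll' % REGSVCS),
]

if __name__ == "__main__":
    for pid, rule, sev in scan(EVENTS):
        print(f"{pid}\t{sev:<6}\t{rule}")
```

Rule 3 is the one worth tuning in a real environment: the argument-less launch is the signal, the parent allow-list only suppresses build servers and installers, and any hit should be joined with the CreateRemoteThread/SetThreadContext telemetry for the same child PID before it is escalated.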
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: e8a34fed9a8cdb9b0c11d9975c686d82
SHA1: fb4711d9625038666a1be95fc2047773bd104143
SHA256: 8d89eabdc55aa4b833bf23c6a616a85b9131278da29a6d83ed2b27ea004351d2
SHA512: fcb2049836d6dea2bd5b125804e8392bac2ba004f84a8ef8c35bd615af108a65d2d7703198a648a440c4ae4a4abc4ab28cfad102a676befdd141014f61000e72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7HFSGW1P3C19FMESEDD4.temp
Filesize: 7KB
MD5: 78af3412a1f2295ce4f7bf351773fc26
SHA1: 90802a778e2eda729c88300deb035ac45734e8bf
SHA256: fff8639a7b1cc929d771876120a5322b28be7906077dec7758a5b8a9ac739874
SHA512: 96a17f0351701b7533e4d9cc44b3b3c58314d3fa63b27c98be671dbe13834d55593998cc1d45a355fcd7fd03c4829fffabe0ef256f476a781b0d3d5d5ed37046

The path of the first entry is not shown on this page. The CustomDestinations\*.temp file is a Windows jump-list artefact written by the shell when the sample was opened; it records execution but is not a dropped payload. C:\Users\Admin\AppData\Roaming\WfOTdjb.exe, the file the second Defender exclusion names, is not listed here, so a hash for the persisted copy cannot be taken from this report.