Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 20/05/2024, 11:08
Static task: static1

Behavioral task: behavioral1
  Sample: New order from CoreSystem Technology Limited.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: New order from CoreSystem Technology Limited.exe
  Resource: win10v2004-20240508-en
General

Target: New order from CoreSystem Technology Limited.exe
Size: 774KB
MD5: bea4d8667895e1b7583db6681f4015c2
SHA1: 539e45783a3646fa32c5ad256fda8e7d7decf69d
SHA256: ad9fd8dbec8d71d3ef7b1ae8b2882b986b1f6b0a9de791d0693ebf551ada676a
SHA512: 70250c94f648819de84a9a7634232fa8e5841e1331b649b1771eb5fc20dc90014a35757d90e4534f4c41ee4df3e9cc239ffcb598dd1f8ac2a66bcc643a4efa0c
SSDEEP: 12288:zI8WET/mr9K+22BEEzFatnomOODVpgOVTp4YjzXGRLHVHpt+eQ2wREzItcYcegm9:5Wtb3BEuYFTp4WIL1HJLmEUtU/myA
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 2876  powershell.exe
  pid 2600  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  process: RegSvcs.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 3028 set thread context of 2508
  pid: 3028
  process: New order from CoreSystem Technology Limited.exe
  procid_target: 34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2864  schtasks.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 3028  New order from CoreSystem Technology Limited.exe
  pid 2508  RegSvcs.exe
  pid 2508  RegSvcs.exe
  pid 2600  powershell.exe
  pid 2876  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 3028  New order from CoreSystem Technology Limited.exe
  Token: SeDebugPrivilege  pid 2508  RegSvcs.exe
  Token: SeDebugPrivilege  pid 2600  powershell.exe
  Token: SeDebugPrivilege  pid 2876  powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description                          pid   Process                                           procid_target
  PID 3028 wrote to memory of 2600     3028  New order from CoreSystem Technology Limited.exe  28
  PID 3028 wrote to memory of 2600     3028  New order from CoreSystem Technology Limited.exe  28
  PID 3028 wrote to memory of 2600     3028  New order from CoreSystem Technology Limited.exe  28
  PID 3028 wrote to memory of 2600     3028  New order from CoreSystem Technology Limited.exe  28
  PID 3028 wrote to memory of 2876     3028  New order from CoreSystem Technology Limited.exe  30
  PID 3028 wrote to memory of 2876     3028  New order from CoreSystem Technology Limited.exe  30
  PID 3028 wrote to memory of 2876     3028  New order from CoreSystem Technology Limited.exe  30
  PID 3028 wrote to memory of 2876     3028  New order from CoreSystem Technology Limited.exe  30
  PID 3028 wrote to memory of 2864     3028  New order from CoreSystem Technology Limited.exe  32
  PID 3028 wrote to memory of 2864     3028  New order from CoreSystem Technology Limited.exe  32
  PID 3028 wrote to memory of 2864     3028  New order from CoreSystem Technology Limited.exe  32
  PID 3028 wrote to memory of 2864     3028  New order from CoreSystem Technology Limited.exe  32
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
  PID 3028 wrote to memory of 2508     3028  New order from CoreSystem Technology Limited.exe  34
Processes

C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe (PID 3028, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2600, level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2876, level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BPwwHhZJvK.exe"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2864, level 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BPwwHhZJvK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp"
  - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2508, level 2)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 4a4386fb6ae441135599089847116266
SHA1: 32905ca0b72a746d1c8270d6b05b65f80bf07dfb
SHA256: e110284821ba96690ae89429f886dc78cfea3d7ec3503a643c73f6ff6b01850f
SHA512: 0714177850bfe297b4bbb8fe746d58685de4f991c6c2a21c8590ea2ef05e6b1d2177563b16acbf262fe76369699ef4ab8d682412ecc9ea7ff93846f484e78361

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SM7EP8YWHY9ATIE0S2RM.temp
Filesize: 7KB
MD5: 0ee1010758dc0b8be205149d2003fe40
SHA1: 2edaccb8a4a6edb544b483cbf544cfb77a8b8cfc
SHA256: 9518fbccbd2978ec2aa05ac2055669082cff93e6e4d56a2ca78420eb203e7db3
SHA512: 96fceac30d2154ada4093d9bfb88e0efb00c7b067bbf9d115078542c58b3d634049bd2672b2de3a26b0250301d2f34a88bdbad879e7f6b58729a39a6bc7727c8