Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 14:25
Static task: static1
Behavioral task: behavioral1
- Sample: DkJr5Ana0qQ1M3U.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: DkJr5Ana0qQ1M3U.exe
- Resource: win10v2004-20240508-en
The signatures, process tree and memory dumps below come from behavioral1 (Windows 7 x64, see the platform and resource fields above); behavioral2 ran the same sample on the Windows 10 image.
General
-
Target: DkJr5Ana0qQ1M3U.exe
Size: 844KB
MD5: 1449687555ad3c34204cbb9dc286603a
SHA1: e43f55d0e375853f27c9786193d7614289c7f7b6
SHA256: 14ce526032b5ba32eee02d91119ed9fe15b9590b18a359d04627e1e97d7a6e86
SHA512: d848e98b6031a1d092e9652fed86f4346fcad44d6c5a68bf9776a02f373047f01b72a7b7fd5004950c1f458a2607659cc3415d837e6e7650387bd3909925da76
SSDEEP: 12288:sWx504bFtx504bFWxmiuHPRNaQZiZ5hfPBTdPl5yyuQCUGWcfPFkwV8fFX37a:Jw4bjw4bquH5N125TAPQsXFkhn7
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.airfilterstechnologies.com
- Port: 587
- Username: [email protected]
- Password: #airfilterstechnologies
- Email To: [email protected]
The two mailbox addresses survive only as "[email protected]" in this copy of the report, so the local parts are not recoverable here; the host and port are. The stealer authenticates to the attacker's own mailbox (the password above is that mailbox's credential, embedded in the binary) and submits the stolen data over SMTP on port 587, so outbound connections to mail.airfilterstechnologies.com:587 from endpoints that are not mail servers are the network indicator to hunt for.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests saved credentials from browsers, mail clients and FTP clients (the three "Reads ... data" signatures below) and sends them to an attacker-controlled mailbox or server; this sample's extracted config uses SMTP.
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
Processes: powershell.exe (PID 2888), powershell.exe (PID 3052)
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: DkJr5Ana0qQ1M3U.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\avdfUcC = "C:\Users\Admin\AppData\Roaming\avdfUcC\avdfUcC.exe"
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 4: ip-api.com
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: DkJr5Ana0qQ1M3U.exe (PID 2860), 62 events; powershell.exe (PID 2888), 1 event; powershell.exe (PID 3052), 1 event
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, PID 2860 DkJr5Ana0qQ1M3U.exe
Token: SeDebugPrivilege, PID 2888 powershell.exe
Token: SeDebugPrivilege, PID 3052 powershell.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
PID 2860 DkJr5Ana0qQ1M3U.exe wrote to memory of PID 2888 powershell.exe (4 events)
PID 2860 DkJr5Ana0qQ1M3U.exe wrote to memory of PID 3052 powershell.exe (4 events)
PID 2860 DkJr5Ana0qQ1M3U.exe wrote to memory of PID 2548 schtasks.exe (4 events)
The three write targets are exactly the three children the sample creates, and the writes happen at creation time; that pattern is consistent with CreateProcess setting up each new child rather than with injection into an existing process. Nothing in this report shows writes into an unrelated process.
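A persistence audit for the two artifacts the signatures above record, the HKCU Run value avdfUcC and the scheduled task Updates\uLhLhiEXSD, as an added example (my code, not sandbox output and not the malware author's). The report does not reproduce the task XML that schtasks imported from tmp517A.tmp, so the XML below is constructed in the Task Scheduler schema, with the command path taken from the second Add-MpPreference exclusion; the OneDrive Run value is likewise a constructed benign control. The rule applied to both artifact types is the one a responder wants: flag any autostart whose executable lives in a user-writable profile directory.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the schema schtasks /XML imports).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Profile locations a non-admin user can write to; autostarts pointing here
# deserve a second look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)

# Constructed stand-in for C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp, which
# the report lists (1KB) but does not reproduce.  The file schtasks reads from
# disk is normally UTF-16 with an XML declaration; read it with
# open(path, encoding="utf-16") before passing the text to audit_task_xml().
CONSTRUCTED_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\uLhLhiEXSD.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values: the report's IoC
# plus a constructed benign control entry.
RUN_VALUES = {
    "avdfUcC": r'"C:\Users\Admin\AppData\Roaming\avdfUcC\avdfUcC.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}


def exe_from_command(cmd):
    """Executable path from a Run value or task command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def audit_task_xml(xml_text):
    """Return (exe, reasons) for every Exec action in a task definition."""
    root = ET.fromstring(xml_text)
    logon = root.find(TASK_NS + "Triggers/" + TASK_NS + "LogonTrigger") is not None
    results = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd_el = exec_el.find(TASK_NS + "Command")
        cmd = cmd_el.text if cmd_el is not None and cmd_el.text else ""
        exe = exe_from_command(cmd)
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("command in user-writable directory")
        if logon:
            reasons.append("runs at logon")
        results.append((exe, reasons))
    return results


def audit_run_values(values):
    """Return (value name, exe) for Run entries that point into the user profile."""
    return [(name, exe_from_command(cmd)) for name, cmd in values.items()
            if USER_WRITABLE.search(exe_from_command(cmd))]


if __name__ == "__main__":
    for exe, reasons in audit_task_xml(CONSTRUCTED_TASK_XML):
        print("task action:", exe, "->", ", ".join(reasons) or "no findings")
    for name, exe in audit_run_values(RUN_VALUES):
        print("run value:", name, "->", exe)
```

On a live host the same two functions run over the exported task XML (schtasks /Query /XML /TN "Updates\uLhLhiEXSD") and over the HKCU Run key; the directory test is deliberately narrow so that vendor software installed under Program Files does not trigger it.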
Processes
-
C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe (PID 2860, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2888, level 2, child of 2860)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3052, level 2, child of 2860)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uLhLhiEXSD.exe"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\schtasks.exe (PID 2548, level 2, child of 2860)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uLhLhiEXSD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp"
  - Creates scheduled task(s)
Two details in this tree matter for detection engineering. First, each child's image path is under SysWOW64 although its command line names System32: the sample is a 32-bit process, so the WoW64 file system redirector maps its System32 references to SysWOW64 and the kernel records the redirected path. Rules keyed on the PowerShell or schtasks image path have to match both directories. Second, Add-MpPreference belongs to the Defender PowerShell module, which does not exist on Windows 7, so on this image the two exclusion commands most likely failed; on the Windows 10 run (behavioral2) they would succeed only when the process has administrative rights. The attempt itself is the signal either way: a PowerShell child of a binary in %TEMP% adding exclusions for its own path and for a file in %APPDATA%. Note also that the sample prepares two persistence names. The Run key points at avdfUcC\avdfUcC.exe, while the second exclusion and the task Updates\uLhLhiEXSD (imported from tmp517A.tmp in %TEMP%) refer to uLhLhiEXSD.exe; neither executable appears in the dropped-file list, so the copy step was not observed within the analysis window.
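Detection logic for this process tree, as an added example (my code, not from the sandbox or the malware author). The events are constructed by hand from the tree above in a loose Sysmon-like shape (pid, ppid, image, command line), with one constructed benign control: an interactive PowerShell started from explorer.exe adding an exclusion under Program Files (PIDs 1200 and 4100 are invented). The rule names and severities are my own. The image comparison folds SysWOW64 into System32 first, which is the detail the tree above makes necessary.

```python
import re
from pathlib import PureWindowsPath

# Constructed from the process tree in this report, plus a benign control.
# The shape is loosely Sysmon Event ID 1; it is not real Sysmon output.
EVENTS = [
    {"pid": 2860, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"'},
    {"pid": 2888, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"'},
    {"pid": 3052, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uLhLhiEXSD.exe"'},
    {"pid": 2548, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uLhLhiEXSD" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp"'},
    # Benign control (constructed): an admin adding a vendor exclusion by hand.
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Program Files\Vendor"'},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
EXCLUSION_ARG = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.I)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)
LOLBINS = {"powershell.exe", "schtasks.exe", "cmd.exe", "wscript.exe"}


def canonical_image(path):
    """Lower-case and fold SysWOW64 to System32: a 32-bit parent names System32
    on the command line, but the redirector loads the SysWOW64 copy."""
    return re.sub(r"\\syswow64\\", r"\\system32\\", path, flags=re.I).lower()


def _arg(match):
    """Quoted or bare argument value from the regexes above."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def triage(events):
    """Return (rule, pid, severity, detail) tuples for the given events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = PureWindowsPath(canonical_image(e["image"])).name
        parent_in_user_dir = bool(parent and USER_WRITABLE.search(parent["image"]))
        cmd = e["cmdline"]

        # Rule 1: Defender exclusion added.  High when the excluded path is in the
        # user profile or the caller's parent lives there; otherwise informational,
        # since administrators do this legitimately.
        if name == "powershell.exe" and (m := EXCLUSION_ARG.search(cmd)):
            target = _arg(m)
            sev = "high" if USER_WRITABLE.search(target) or parent_in_user_dir else "info"
            findings.append(("defender_exclusion", e["pid"], sev, target))

        # Rule 2: scheduled task imported from an XML file in %TEMP% or %APPDATA%.
        if name == "schtasks.exe" and "/create" in cmd.lower() and (m := XML_ARG.search(cmd)):
            xml_path = _arg(m)
            if USER_WRITABLE.search(xml_path):
                findings.append(("schtasks_xml_from_user_dir", e["pid"], "high", xml_path))

        # Rule 3: interpreter or task tool spawned by a binary running out of the profile.
        if parent_in_user_dir and name in LOLBINS:
            findings.append(("lolbin_from_user_dir", e["pid"], "medium", parent["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, sev, detail in triage(EVENTS):
        print(f"[{sev:6}] pid {pid}: {rule} -> {detail}")
```

Against the constructed events the three sandbox children each produce one high finding plus the parent-location finding, while the control PowerShell is reported at informational level only, which is the split a SOC needs to avoid paging on every admin exclusion.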
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp
Filesize: 1KB
MD5: 18ce0b2d86ad8e1ffd04a1850fc5e3af
SHA1: 3ac6484293d0ed0b360a1a28e76c31c37aa29b0d
SHA256: 50e8ac3424f108b7ba64c5869f96e6f77f6cd7e1b17793c6fd17ca51996e6c66
SHA512: 544f7b34ef7109419bd161ae8e57d7d86db2f031f49dd55a7593a088e35b6edbaa49fffad90c34ceaff7e8d1b754716f0e0c12d3f80572773411d499f3a8a9e0
This is the task definition that schtasks imported with /XML to create Updates\uLhLhiEXSD; it is the file to pull from the sandbox if you need the task's actual command and trigger.
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O3YE17SUCHZUWVDNAIEQ.temp
Filesize: 7KB
MD5: d4c411b794fb3f038f2e6e033f91dcec
SHA1: 07051e58844bc7d5b5206805048c533a37a0af19
SHA256: e1ca78ff7841ca69e34576f52f97c79b88610d7708481528eeab64d6426cb276
SHA512: bb4feae099e1261d0abfb8917bcc3cb1f87cfaaa0078b877e26c58430482ba47bf47abfbdc2e02ff0905079daa5dc6b0e31abe8cd0fe4dd8a7a7d58c55822bdb
A jump-list file written by the Windows shell; this is a side effect of the sample being launched in the sandbox rather than something the sample dropped.
-
Memory dumps (PID 2860):
- memory/2860-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp: 4KB
- memory/2860-1-0x0000000000180000-0x0000000000256000-memory.dmp: 856KB
- memory/2860-3-0x0000000073F30000-0x000000007461E000-memory.dmp: 6.9MB
- memory/2860-2-0x0000000000920000-0x000000000093A000-memory.dmp: 104KB
- memory/2860-4-0x0000000000940000-0x0000000000950000-memory.dmp: 64KB
- memory/2860-5-0x0000000005060000-0x00000000050E4000-memory.dmp: 528KB
- memory/2860-18-0x0000000004BC0000-0x0000000004C02000-memory.dmp: 264KB
- memory/2860-19-0x0000000073F3E000-0x0000000073F3F000-memory.dmp: 4KB
- memory/2860-20-0x0000000073F30000-0x000000007461E000-memory.dmp: 6.9MB
The 856KB region at 0x180000 is the sample's own mapped image (844KB on disk, page-aligned in memory) and is the dump to start from when unpacking; the 6.9MB region at 0x73F30000 and the 4KB page inside it were captured twice, at the start and end of the run, which lets you diff them for runtime changes. All dumps belong to PID 2860; no memory was captured for the PowerShell or schtasks children.