Analysis
- max time kernel: 122s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 17:52
Static task: static1
Behavioral task: behavioral1
- Sample: Bank advice.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Bank advice.exe
- Resource: win10v2004-20240508-en
General
- Target: Bank advice.exe
- Size: 817KB
- MD5: 35dad19fa73688a3ef7fc6c516a36c6d
- SHA1: 68cd1c02c145a4f485fb05f13b7020c8ab927b70
- SHA256: 29e6828ef675a6d58d449cc71f68897baa9c6e17d2c11286f14a8a7d8a67d6f3
- SHA512: a464b8a73ee75c7eb612490beba1c858de48902cbf2d3911c76494debdc1b8b3c69f5f7b210ecc3d549944cf5796f445c8d2344c8e08ce8a2678595c037057d8
- SSDEEP: 12288:e8FC7WET/mr9KWFv8cc1dYlNXklEGQQFnoy1Pe/WeKm+0fP9PE2hk4o8umqjAxYn:iWtTv8slNGEGQjy1PeBx+0
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.asplparts.com
- Port: 587
- Username: [email protected]
- Password: CPMWkhyu7=b8
- Email To: [email protected]
The two e-mail addresses did not survive in this copy of the report; only the placeholder [email protected] remains for both the sender account and the recipient. The host, port and password are the usable indicators: the sample authenticates to a mailbox on mail.asplparts.com over SMTP submission (587) and mails its stolen data to another address.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and infostealer, commonly described as written in Visual Basic .NET. The configuration extracted above shows this build exfiltrating over SMTP.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Both invocations here use Add-MpPreference -ExclusionPath: one for the running sample in Temp, one for C:\Users\Admin\AppData\Roaming\kPkDDGqTDLPFA.exe, the same name the scheduled task "Updates\kPkDDGqTDLPFA" uses (no file by that name appears in the Downloads list below). Add-MpPreference requires administrative rights, so the exclusions only take effect if the sample runs elevated.
  Processes:
  - PID 2976 powershell.exe
  - PID 2632 powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Bank advice.exe (PID 1028): Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"
  This is the per-user (HKCU) Run key of the sandbox user, so it needs no elevation. The value points at a copy under AppData\Roaming; no file at that path appears in the Downloads list below, so the copy was either not written during the run or not captured.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network IoCs:
  - flow 4: api.ipify.org
  - flow 5: api.ipify.org
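The lookup is only meaningful together with the extracted SMTP settings: an AgentTesla build with an SMTP config learns the victim's public address and then mails its report through an authenticated SMTP-submission session. The following correlation rule is an added example, not part of the sandbox report or of the sample. The flow records are constructed: the two api.ipify.org lookups follow the report, the flow to mail.asplparts.com:587 is assumed from the extracted configuration (the report's Network section does not record it), the benign control flows are invented, and the field names, the extra IP-lookup hosts and the mail-client allow-list are our own.

```python
"""Added example: flag a process that checks its public IP and then opens an
outbound SMTP connection, the sequence AgentTesla follows with an SMTP config.
All flow records below are constructed; see the lead-in for what is assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    pid: int
    image: str     # full path of the originating process
    dst: str       # resolved hostname, or the raw IP when no name is known
    dport: int
    proto: str     # "tcp" or "udp"


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"

# Constructed flows. The two ipify lookups mirror flows 4 and 5 of the report;
# the SMTP flow is assumed from the extracted config; the last two are benign
# controls: a real mail client, and an SMTP session with no preceding lookup.
FLOWS = [
    Flow(31.0, 1028, SAMPLE, "api.ipify.org", 443, "tcp"),
    Flow(31.4, 1028, SAMPLE, "api.ipify.org", 443, "tcp"),
    Flow(58.2, 1028, SAMPLE, "mail.asplparts.com", 587, "tcp"),
    Flow(60.0, 3300, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "smtp.office365.com", 587, "tcp"),
    Flow(70.0, 4500, r"C:\Users\Admin\AppData\Local\Temp\notify.exe",
         "mail.asplparts.com", 587, "tcp"),
]

# api.ipify.org is the service seen in this report; the other hosts are common
# equivalents added as an assumption so the rule is reusable.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org", "icanhazip.com",
                   "ifconfig.me", "checkip.amazonaws.com"}
SMTP_PORTS = {25, 465, 587}
# Assumption: a site-specific allow-list of processes expected to speak SMTP.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exfil_candidates(flows, window=300.0):
    """Return (pid, dst, dport) for every outbound SMTP connection made by a
    non-allow-listed process within `window` seconds after that same process
    contacted a public-IP lookup service."""
    lookups = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in (80, 443) and f.dst.lower() in IP_LOOKUP_HOSTS:
            lookups[f.pid].append(f.ts)
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in SMTP_PORTS:
            continue
        if basename(f.image) in KNOWN_MAIL_CLIENTS:
            continue
        if any(0.0 <= f.ts - t <= window for t in lookups.get(f.pid, [])):
            hits.append((f.pid, f.dst, f.dport))
    return hits


if __name__ == "__main__":
    for pid, dst, dport in exfil_candidates(FLOWS):
        print(f"pid {pid}: public-IP lookup followed by SMTP to {dst}:{dport}")
```

The rule deliberately requires the lookup as a precursor so that a lone SMTP session from an unknown process (PID 4500 in the constructed data) is not promoted to the same severity; that case is still worth a lower-priority alert of its own, and the host from the extracted configuration should be blocked outright regardless of which process reaches for it.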
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1808 (Bank advice.exe) set thread context of PID 1028 (Bank advice.exe)
  PID 1028 is a second copy of the sample started by the first, and 1808 also writes into its memory (see WriteProcessMemory below). Taken together this is the process-hollowing pattern: the loader starts a copy of itself, overwrites its memory with the unpacked payload and points the main thread at it. Consistent with that, the memory dumps below show a 264KB region at 0x400000-0x442000 in PID 1028 that has no counterpart of that size in PID 1808; it is the region to pull as the candidate unpacked payload.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 2380 runs schtasks.exe /Create /TN "Updates\kPkDDGqTDLPFA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp"; the 1KB XML file is listed under Downloads below and holds the task's trigger and action.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
  - PID 1808 Bank advice.exe (15 events)
  - PID 1028 Bank advice.exe (2 events)
  - PID 2976 powershell.exe (1 event)
  - PID 2632 powershell.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1808 Bank advice.exe
  - Token: SeDebugPrivilege, PID 1028 Bank advice.exe
  - Token: SeDebugPrivilege, PID 2976 powershell.exe
  - Token: SeDebugPrivilege, PID 2632 powershell.exe
  SeDebugPrivilege is what lets a process open and write to other processes; the two PowerShell entries are commonly seen whenever PowerShell starts, so the entries for the two sample processes are the ones that matter here.
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (all writes originate from PID 1808, Bank advice.exe):
  - wrote to PID 2976 powershell.exe (4 events)
  - wrote to PID 2632 powershell.exe (4 events)
  - wrote to PID 2380 schtasks.exe (4 events)
  - wrote to PID 1028 Bank advice.exe (9 events)
  A handful of writes into each freshly created child is the normal footprint of process creation; the larger number of writes into PID 1028, combined with the SetThreadContext event targeting it, is the hollowing pattern noted above.
Processes
- C:\Users\Admin\AppData\Local\Temp\Bank advice.exe (PID 1808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children of PID 1808:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2632)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kPkDDGqTDLPFA.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2380)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kPkDDGqTDLPFA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Bank advice.exe (PID 1028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the command lines name System32 but the images actually executed are under SysWOW64, so the sample is a 32-bit process and its child launches go through WOW64 file-system redirection. The children follow a loader's usual order: weaken Defender (two exclusions), register persistence (the scheduled task), then start a second copy of itself (PID 1028) to receive the payload; that second copy is the one that writes the Run key and the process to dump for the unpacked AgentTesla code.
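Detection logic for the behaviours in this tree (a Defender exclusion added by a process running out of a user profile directory, schtasks /Create with its task XML in Temp, a process launching a second copy of its own image from a user-writable path, and the Run-key write from the Signatures section), written as an added example; it is not taken from the sandbox report or from the sample. The event fields are our own, loosely modelled on Sysmon Event ID 1. PIDs, image paths and command lines are copied from the tree; the parent PIDs 1000 and 400, the explorer.exe event and the hand-run admin exclusion are constructed controls.

```python
"""Added example: process-creation rules for the tree above, run over
constructed events. Field names are our own (Sysmon Event ID 1 style)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the executed image, after WOW64 redirection
    cmdline: str   # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"
PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the report's tree. PID 1000 as the parent of
# 1808 is an assumption (the report does not show what launched the sample);
# the explorer.exe / PID 4100 pair is a benign control: an admin adding an
# exclusion by hand from an interactive shell.
EVENTS = [
    ProcEvent(1808, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2976, 1808, PS_WOW,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank advice.exe"'),
    ProcEvent(2632, 1808, PS_WOW,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kPkDDGqTDLPFA.exe"'),
    ProcEvent(2380, 1808, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kPkDDGqTDLPFA" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp"'),
    ProcEvent(1028, 1808, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(600, 400, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) findings, in event order:
    defender_exclusion_from_user_writable_parent  Add-MpPreference -Exclusion*
        spawned by a process running out of a profile directory (T1562.001)
    schtasks_create_from_temp_xml  schtasks /Create reading its task
        definition from a Temp directory (T1053.005)
    self_spawn_from_user_writable_path  a process launching a second copy of
        its own image, the launch that precedes hollowing here (T1055.012)"""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if MP_EXCLUSION.search(e.cmdline) and parent and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, "defender_exclusion_from_user_writable_parent"))
        if basename(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower():
            m = XML_ARG.search(e.cmdline)
            xml = (m.group(1) or m.group(2)) if m else ""
            if re.search(r"\\Temp\\", xml, re.IGNORECASE):
                findings.append((e.pid, "schtasks_create_from_temp_xml"))
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "self_spawn_from_user_writable_path"))
    return findings


def suspicious_run_value(setter_image, value_data):
    """True when a Run-key value is written by a process living in a profile
    directory and points back into one, as the 'My App' entry above does.
    Accepts the doubled backslashes the report prints."""
    target = value_data.strip('"').replace("\\\\", "\\")
    return bool(USER_WRITABLE.search(setter_image) and USER_WRITABLE.search(target))


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
    print(suspicious_run_value(SAMPLE, r'"C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"'))
```

The parent-image test is what separates the two malicious Add-MpPreference calls from the constructed admin one: all three carry the same command-line shape, and only the lineage tells them apart. The rules key on the executed image path rather than on the System32 path in the command line, so they are unaffected by the WOW64 redirection visible in the tree.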
Network
No flow table survives in this copy of the report; the only network indicators shown are the two api.ipify.org lookups listed under Signatures.

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp
  Filesize: 1KB
  MD5: 64f442b4ae70e2d1ffab7b0a3a638b6e
  SHA1: 993df12aebc4b28044a58ff0cb33966577374675
  SHA256: df7bfd72a1ab29424896ab35cfec3cfd4512c877f57db55716a5f3d505ea3cc7
  SHA512: 6cc495dec23f92e1edfef6ff56ba56f06388806c50e5b89861610964f4b4934f803989378c955ea034b4e21a4d319b44b2f39f10964b24f144bc4ae8e2cf9ae9
  (The task definition passed to schtasks /XML by PID 2380.)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: e20e791cc5aa71ef9316db91443f2c4b
  SHA1: ad239dddef3eae0b53d7d898304b968e350d64f9
  SHA256: 4955f0b4f4dfeec29a85e10ce877bc1a62633ba7c6dc102685eef77f2b09f18d
  SHA512: 5ded875a11bd9d530f4cdfb3d718c031506f056962e18673eee03f6df91e402be9cd55f787e8d6d515dfb6bd43da506be9890a4140789e4240874334523586ad
  (A Windows jump-list record written by the shell during the run, not malware output.)

Memory dumps, PID 1028 (the hollowed child):
- memory/1028-22-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-23-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-25-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-27-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/1028-30-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-31-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1028-32-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB

Memory dumps, PID 1808 (the loader):
- memory/1808-0-0x000000007461E000-0x000000007461F000-memory.dmp: 4KB
- memory/1808-1-0x0000000000EF0000-0x0000000000FC2000-memory.dmp: 840KB
- memory/1808-2-0x0000000074610000-0x0000000074CFE000-memory.dmp: 6.9MB
- memory/1808-3-0x0000000000400000-0x0000000000422000-memory.dmp: 136KB
- memory/1808-4-0x00000000002B0000-0x00000000002BC000-memory.dmp: 48KB
- memory/1808-5-0x0000000000440000-0x0000000000450000-memory.dmp: 64KB
- memory/1808-6-0x0000000004DE0000-0x0000000004E64000-memory.dmp: 528KB
- memory/1808-7-0x000000007461E000-0x000000007461F000-memory.dmp: 4KB
- memory/1808-8-0x0000000074610000-0x0000000074CFE000-memory.dmp: 6.9MB
- memory/1808-33-0x0000000074610000-0x0000000074CFE000-memory.dmp: 6.9MB

The repeated 264KB dumps of 0x400000-0x442000 in PID 1028 are snapshots of the same region at successive points in the run; any one of them is the candidate unpacked payload to carve (the later ones are the safest bet, as they were taken after the image had been written). The 840KB region at 0xEF0000 in PID 1808 is the closest size match to the 817KB file on disk.