Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe
Resource
win10v2004-20240226-en
General
-
Target
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe
-
Size
660KB
-
MD5
57ade9cbd347364926d40e16c74c39b1
-
SHA1
ed4af64bfc4de307c62c1cba65949f759d6f5111
-
SHA256
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a
-
SHA512
fd03e4793cd7e6ce20773b0a83530d1438beab5178b4023993d381017baf22f0e19a82d81eadd8c167624fd5955e97d6cc6dbce64c49d1bc96fbf6d488a59b73
-
SSDEEP
12288:ju+4zi8LkpEaZZoy1XusX4X0G1LiI0ePZYGuTMqo1n/u6req39ee5y7Yh77Zj:yX2jEEGyWNmI0ePjuTMqoFB/9eeIYh77
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101* - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 2492 powershell.exe 2560 powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\avdfUcC = "C:\\Users\\Admin\\AppData\\Roaming\\avdfUcC\\avdfUcC.exe" fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exepowershell.exepowershell.exepid process 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2492 powershell.exe 2560 powershell.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 2560 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exedescription pid process target process PID 2812 wrote to memory of 2560 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2560 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2560 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2560 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2492 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2492 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2492 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2492 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe powershell.exe PID 2812 wrote to memory of 2360 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe schtasks.exe PID 2812 wrote to memory of 2360 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe schtasks.exe PID 2812 wrote to memory of 2360 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe schtasks.exe PID 2812 wrote to memory of 2360 2812 fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe"C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ftXzIeBqaqam.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ftXzIeBqaqam" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE56F.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE56F.tmpFilesize
1KB
MD560d738c17055243d739d31c5b96428c5
SHA18fbb9ea31b479e7712bc38b46a0a9d7159c998ca
SHA2568b3d4bebe3a2764045fe75afa4e0a5a64ec5fcd262fa18de77cf2ec5c0f07436
SHA5126781d1501c40ec9f53cc888569ed1d901131f491b033543812793040564246774c96520e72b9ab95938b51c99e7b24a446bc7351db0d7a7ec49c4ccaa9b3276f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XW7NTHEAI3LEKWK1MM06.tempFilesize
7KB
MD5b42643d82f5ad3b2116d518ca61883e5
SHA19736135c4125501a48fa8716d9b9b2e1898168f0
SHA256e9f1b3c29f362211cb275480c99412a4fb50740f0f424bf1d6aa7a40d94ed982
SHA512abe64c662d51a544b288b4b28c5d2bdd6f819902c7f5658182f24ea7bf59177b2db2529b57a7e8d3acacf1382f26baeab2537658058264850513ced55183d38a
-
memory/2812-0-0x0000000077080000-0x0000000077229000-memory.dmpFilesize
1.7MB
-
memory/2812-1-0x0000000001320000-0x00000000013CA000-memory.dmpFilesize
680KB
-
memory/2812-2-0x0000000000610000-0x000000000062A000-memory.dmpFilesize
104KB
-
memory/2812-3-0x0000000000480000-0x0000000000490000-memory.dmpFilesize
64KB
-
memory/2812-4-0x0000000005260000-0x00000000052E4000-memory.dmpFilesize
528KB
-
memory/2812-17-0x0000000005C40000-0x0000000005C82000-memory.dmpFilesize
264KB