Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:59
Static task: static1
Behavioral task: behavioral1
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win10v2004-20240226-en
General
- Target: FW CMA SHZ Freight invoice CHN1080769.exe
- Size: 683KB
- MD5: 3288dbaae811a799ea563988c0d78315
- SHA1: 48802f823b253a45d829b15bd0802db54ce35993
- SHA256: e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
- SHA512: fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
- SSDEEP: 12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  - 1608 powershell.exe
  - 948 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 2228 set thread context of 464 | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid, process):
  - 2228 FW CMA SHZ Freight invoice CHN1080769.exe (7 entries)
  - 464 RegSvcs.exe (2 entries)
  - 1608 powershell.exe
  - 948 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe
  - Token: SeDebugPrivilege | 464 | RegSvcs.exe
  - Token: SeDebugPrivilege | 948 | powershell.exe
  - Token: SeDebugPrivilege | 1608 | powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process):
  - PID 2228 wrote to memory of 1608 | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe | powershell.exe (4 entries)
  - PID 2228 wrote to memory of 948 | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe | powershell.exe (4 entries)
  - PID 2228 wrote to memory of 1760 | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe | schtasks.exe (4 entries)
  - PID 2228 wrote to memory of 464 | 2228 | FW CMA SHZ Freight invoice CHN1080769.exe | RegSvcs.exe (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
  PID: 2228
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
    PID: 1608
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HDTjheWPb.exe"
    PID: 948
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HDTjheWPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC37.tmp"
    PID: 1760
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 464
    Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAC37.tmp
  Filesize: 1KB
  MD5: 2fe09381557a5024960661ba90558621
  SHA1: 15a7583268d10cd5fda892f3220739b593b027f3
  SHA256: 26bb5e687569fbfce59b9b798422e51337ed0f6243bea9e818e714710199fd90
  SHA512: 4bab0ecbeab11c17dc841a76f6eaae8a363140c355bf74175cc01150b91e5f0acc0bcb448f2104bdd80c7adfb828197474966aff9e8bc57368c55236f91c7829
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a5e2b99cb461512731715faa36bf1a0f
  SHA1: 7f6e39a3b3e618196ffde52afef63e76c59731a2
  SHA256: a5fb746e1c6d9fa2bd4d09e30dc2c22bc620f689d2704d4779306d4c18ccfee9
  SHA512: f8b5d46fda1e38a48c379b331eac5c3aab4a60dba5dd4b2fbe6d4fc5f79f0e05edaafe10068b5e0a84050950eafb65fd77e4b62ccf68a87265f820aeb805d757
Memory dumps (file, filesize):
- memory/464-30-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-20-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-22-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-24-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-26-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/464-29-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/464-31-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2228-4-0x0000000000560000-0x000000000057A000-memory.dmp: 104KB
- memory/2228-7-0x0000000074EDE000-0x0000000074EDF000-memory.dmp: 4KB
- memory/2228-32-0x0000000074ED0000-0x00000000755BE000-memory.dmp: 6.9MB
- memory/2228-6-0x00000000053F0000-0x0000000005474000-memory.dmp: 528KB
- memory/2228-5-0x00000000003D0000-0x00000000003E0000-memory.dmp: 64KB
- memory/2228-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp: 4KB
- memory/2228-3-0x0000000004890000-0x0000000004932000-memory.dmp: 648KB
- memory/2228-2-0x0000000074ED0000-0x00000000755BE000-memory.dmp: 6.9MB
- memory/2228-1-0x0000000000CC0000-0x0000000000D6E000-memory.dmp: 696KB