Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
23-05-2024 02:18
Static task
static1
Behavioral task
behavioral1
Sample
USD BANK DETAILS.PNG.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
USD BANK DETAILS.PNG.exe
Resource
win10v2004-20240508-en
General
-
Target
USD BANK DETAILS.PNG.exe
-
Size
670KB
-
MD5
41373fb609440bc4177a1db81e594b69
-
SHA1
d67b37e144112e75cea9aa32f3c29775c8cfe045
-
SHA256
39fe44328453edb4688201f0d3c6c0d07baa65d92ee1c5e0ad496bc71d1b0c9b
-
SHA512
bc7305c0375cb972ad151c4320704fef47c6f266d692ba44ce278e12e07b06030a0aa42593d5e68f2ce9ecb112543417eab883c9e0787b7cb17a415b4899313b
-
SSDEEP
12288:CCguti8LkpEatDtW4uBiCv4CFXuOkq9b6O9P7Q0NRUONkR:Fj4jEiWliCwwu8oYP7Q0NRUn
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.shaktiinstrumentations.in
Port: 587
Username: [email protected]
Password: Shakti54231!@#$%#@!
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); in this run it is injected into RegSvcs.exe and configured to exfiltrate over SMTP (see Malware Config).
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes; here Add-MpPreference -ExclusionPath is used twice, for the dropper itself and for its copy under AppData\Roaming.
Processes:
- 2680 powershell.exe
- 2900 powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
Suspicious use of SetThreadContext 1 IoCs
Processes:
- USD BANK DETAILS.PNG.exe (PID 1796) set thread context of RegSvcs.exe (PID 3012)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution; here it registers the task Updates\waNwgSaPPjkOka from an XML definition dropped in the user's Temp directory.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
- 1796 USD BANK DETAILS.PNG.exe (7 hits)
- 2680 powershell.exe
- 2900 powershell.exe
- 3012 RegSvcs.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, 1796 USD BANK DETAILS.PNG.exe
- Token: SeDebugPrivilege, 3012 RegSvcs.exe
- Token: SeDebugPrivilege, 2680 powershell.exe
- Token: SeDebugPrivilege, 2900 powershell.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
- PID 1796 (USD BANK DETAILS.PNG.exe) wrote to memory of 2680 powershell.exe (4 hits)
- PID 1796 (USD BANK DETAILS.PNG.exe) wrote to memory of 2900 powershell.exe (4 hits)
- PID 1796 (USD BANK DETAILS.PNG.exe) wrote to memory of 1736 schtasks.exe (4 hits)
- PID 1796 (USD BANK DETAILS.PNG.exe) wrote to memory of 3012 RegSvcs.exe (12 hits)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe (PID 1796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2680)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2900)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\waNwgSaPPjkOka.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1736)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waNwgSaPPjkOka" /XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3012)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Note: the child images resolve under C:\Windows\SysWOW64 although the command lines name System32, because the dropper is a 32-bit process and WOW64 file-system redirection applies. RegSvcs.exe is started with no arguments and is the SetThreadContext/WriteProcessMemory target, i.e. the hollowed host in which the Agent Tesla payload runs.
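Detection logic for the behaviour in the Signatures and the process tree above, as an added example that is not part of the sandbox report. It replays constructed process-creation events (PIDs, image paths and command lines copied from the tree, plus one benign PowerShell control) through four rules: the double-extension lure name, PowerShell adding a Defender exclusion, schtasks importing a task XML staged in a user-writable directory, and a .NET utility (RegSvcs.exe here) launched with no arguments from a parent living in a user-writable directory, then rolls child hits up to the parent to score the chain. The rule names, the ProcEvent layout, the DOTNET_HOSTS list and the user-writable-directory heuristic are this example's own assumptions.

```python
"""Detection rules for the dropper chain shown in the process tree above.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's process tree (PIDs, images and command lines copied from
it) plus one benign control event. Rule names, the event layout and the
"user-writable directory" heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line as logged


SAMPLE_EVENTS: List[ProcEvent] = [  # constructed; PID 4100 is a benign control
    ProcEvent(1796, 1000, r"C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"'),
    ProcEvent(2680, 1796, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"'),
    ProcEvent(2900, 1796, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\waNwgSaPPjkOka.exe"'),
    ProcEvent(1736, 1796, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waNwgSaPPjkOka" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"'),
    ProcEvent(3012, 1796, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(4100, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
]

USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.I)
LURE_EXT = re.compile(r"\.(png|jpe?g|gif|pdf|docx?|xlsx?)\.exe$", re.I)
MP_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)
SCHTASKS_XML = re.compile(r"/create\b.*/xml\s+\"?([^\"]+)", re.I)
# .NET utilities commonly abused as hollowing targets (RegSvcs.exe in this report); assumed list.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def _args_after_exe(cmdline: str) -> str:
    """Everything after argv[0] of a Windows command line ('' if none)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rules_for(ev: ProcEvent, parent: Optional[ProcEvent]) -> Set[str]:
    """Rules matching one process-creation event (parent may be unknown)."""
    name = PureWindowsPath(ev.image).name.lower()
    hits: Set[str] = set()
    if LURE_EXT.search(name):
        hits.add("double_extension_lure")
    if name == "powershell.exe" and MP_EXCLUSION.search(ev.cmdline):
        hits.add("defender_exclusion_added")
    if name == "schtasks.exe":
        m = SCHTASKS_XML.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):  # task XML staged in %TEMP%/AppData
            hits.add("schtask_from_temp_xml")
    if (name in DOTNET_HOSTS and _args_after_exe(ev.cmdline) == ""
            and parent is not None and USER_WRITABLE.search(parent.image)):
        hits.add("dotnet_host_no_args_from_user_dir")  # hollowing target with no real work to do
    return hits


def correlate(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Map each PID to the rules it triggered (PIDs with no hits are omitted)."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := rules_for(e, by_pid.get(e.ppid)))}


def suspicious_chains(events: List[ProcEvent], min_rules: int = 2) -> Dict[int, List[str]]:
    """Roll child hits up one level to the parent (enough for this tree) and keep
    parents whose subtree triggered at least min_rules distinct rules."""
    by_pid = {e.pid: e for e in events}
    chain: Dict[int, Set[str]] = defaultdict(set)
    for pid, rules in correlate(events).items():
        root = by_pid[pid].ppid if by_pid[pid].ppid in by_pid else pid
        chain[root] |= rules
    return {root: sorted(r) for root, r in chain.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for root, rules in suspicious_chains(SAMPLE_EVENTS).items():
        print(f"PID {root}: {', '.join(rules)}")
```

Run against real telemetry this expects process-creation records with parent PID, image path and full command line (Sysmon event ID 1 or Security 4688 with command-line auditing enabled). The Run-key write by RegSvcs.exe is a registry event rather than a process creation, so it is deliberately outside these rules; matching on the logged image path rather than the command line is what keeps the SysWOW64/System32 mismatch from mattering.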
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: ed9f5a6aebcf1c94a6a6abacf27ab5be
SHA1: 8af93cb1201053182426d2cb03015840ef4cb1bd
SHA256: 6d2ebd1b432cd4163ef564acc80770becb245a324db6730d2140e96df575d19b
SHA512: 3d717fa582dbb6abdb1170538afed9c1d15bb388016ed7b6bfc11f64787204913312835aa5018a55dad90f042043862fbd0c79db5a4de6793c11f6560fb54454
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2XKTZ9ZDX1QBS9UH7EAQ.temp (Windows jump-list artifact)
Filesize: 7KB
MD5: 389313d43e98027ad0bd2712581ce688
SHA1: 7936ff76ef9aa8f38dc432880c02f06915f13f03
SHA256: f1f5562055be484018e135ad24ace0e1671dd648432fb221d73409931803f75d
SHA512: f5637cc1ea03ddd6ea75fd88a36ce56d50f45696111dbf02ab2c3e19d35d9ecd80ea0d904c0a64cfd98e68b21d8543284739f396b9f820833b25c72502a0d799