Resubmissions
- 23-05-2024 14:32  240523-rwr6naed5w  10
- 23-05-2024 14:31  240523-rvpzxaee27  10
- 23-05-2024 08:41  240523-klg5daba72  10
Analysis
- max time kernel: 121s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 14:31
Static task: static1
Behavioral tasks:
- behavioral1: 0-13.eml on win7-20240221-en
- behavioral2: 0-13.eml on win10v2004-20240508-en
- behavioral3: Ach_Payment_Advice01.gz on win7-20240221-en
- behavioral4: Ach_Payment_Advice01.gz on win10v2004-20240426-en
- behavioral5: Ach_Payment_Advice01.exe on win7-20231129-en
- behavioral6: Ach_Payment_Advice01.exe on win10v2004-20240508-en
- behavioral7: email-html-1.html on win7-20240215-en
- behavioral8: email-html-1.html on win10v2004-20240508-en
General
- Target: Ach_Payment_Advice01.exe
- Size: 689KB
- MD5: eeb0a5f2f2e765bbe937e595ddd0650a
- SHA1: 2a5127e5fdf921547b4ec39e964682469573e1f6
- SHA256: 2869686380724afd713bbefc58c9aceabd90692e27d9de7af96e748b3066d8e9
- SHA512: 46f36ddb5d6dc37ac4d1d0388c87971933e8f8fae7de89d54483b5a900365c786b859b9b7fbd7f721a03ac03025ce800f5ee3ebcb67aa22442d8df1853456ee8
- SSDEEP: 12288:c5h2Xp96Wtlc5ingN/JuXdH7O18x3UObHgf5jFuq4XQM5taSw40fgYYMiwp68kxU:c5UXfvtlc5yC/adbChYjl9c40oRwI81
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
UAC bypass
Processes:
- Ach_Payment_Advice01.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- Ach_Payment_Advice01.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
- Ach_Payment_Advice01.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Ach_Payment_Advice01.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Ach_Payment_Advice01.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks whether UAC is enabled
Processes:
- Ach_Payment_Advice01.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Ach_Payment_Advice01.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 4: api.ipify.org
- flow 5: api.ipify.org
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Ach_Payment_Advice01.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Ach_Payment_Advice01.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2912 (Ach_Payment_Advice01.exe) set thread context of PID 2940 (regasm.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- 2668 powershell.exe
- 2940 regasm.exe
- 2940 regasm.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- 2668 powershell.exe: Token: SeDebugPrivilege
- 2940 regasm.exe: Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- 2940 regasm.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
- PID 2912 (Ach_Payment_Advice01.exe) wrote to memory of PID 2668 (powershell.exe), 3 times
- PID 2912 (Ach_Payment_Advice01.exe) wrote to memory of PID 2940 (regasm.exe), 12 times
- PID 2912 (Ach_Payment_Advice01.exe) wrote to memory of PID 2492 (WerFault.exe), 3 times
System policy modification (1 TTP, 1 IoC)
Processes:
- Ach_Payment_Advice01.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\Ach_Payment_Advice01.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ach_Payment_Advice01.exe"
  - UAC bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2668)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ach_Payment_Advice01.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (PID 2940)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\WerFault.exe (PID 2492)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2912 -s 684
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads
- memory/2668-23-0x000000001B5C0000-0x000000001B8A2000-memory.dmp (2.9MB)
- memory/2668-24-0x0000000002860000-0x0000000002868000-memory.dmp (32KB)
- memory/2912-1-0x0000000000C50000-0x0000000000C6E000-memory.dmp (120KB)
- memory/2912-2-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp (9.9MB)
- memory/2912-3-0x0000000000140000-0x0000000000146000-memory.dmp (24KB)
- memory/2912-4-0x0000000000320000-0x00000000003B6000-memory.dmp (600KB)
- memory/2912-40-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp (9.9MB)
- memory/2912-39-0x000007FEF5CE3000-0x000007FEF5CE4000-memory.dmp (4KB)
- memory/2912-0-0x000007FEF5CE3000-0x000007FEF5CE4000-memory.dmp (4KB)
- memory/2940-22-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
- memory/2940-15-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-11-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-20-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-18-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-13-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
- memory/2940-9-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)