Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 15:44
Static task: static1
Behavioral task: behavioral1
Sample: ordinul de cotatie.exe
Resource: win7-20240221-en
General
Target: ordinul de cotatie.exe
Size: 670KB
MD5: ed3815b037a3f57bfc35bc4b6c97c3a4
SHA1: 034cded1a5c78337d11a3b4a0f9b62c270b51862
SHA256: bf2117027a187100dc80baf714dac0341c8f18fdd5e562248c43685ac0ceca29
SHA512: 35a733c79702faf74ffed972eb2e2aef139713a4306634c4f3adb9ca6f9667442af24113efb23e1289ab66d64f02ce56e2406d3df98a52806a63ae90321b11ca
SSDEEP: 12288:e8EMgXHfAhdhdSsLjQ05GzUPCLDMtUNGQeLq06ShFVr1KFABkeXOaId:e8jgvAhXfQ05Gz3LDUmnAqYjfXXOaI
Malware Config
Extracted family: agenttesla
C2 / exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot6708321519:AAH9WPgZQN8mlLl2zn6ccUEu4DYMqGCeTcQ/
The path segment after "bot" is the bot token, so the extracted URL is both the network IoC and the credential the stealer uses to post harvested data through Telegram's API. Hunt for api.telegram.org on egress from hosts that have no business reason to reach it; the TLS destination is a legitimate service, so the URL path only becomes visible with TLS inspection or from the sample itself.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT).

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid 2980  powershell.exe
  pid 2668  powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 4  api.ipify.org
  flow 5  api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 856 (ordinul de cotatie.exe) set thread context of PID 2592 (ordinul de cotatie.exe)
The parent sets the thread context of a freshly started copy of its own image, after writing into that child (see WriteProcessMemory below). Together these are consistent with process hollowing: the loader starts itself suspended, replaces the child's image with the unpacked payload and redirects the main thread to it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid 2592  ordinul de cotatie.exe (2 events)
  pid 2668  powershell.exe
  pid 2980  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 2592  ordinul de cotatie.exe
  Token: SeDebugPrivilege  pid 2668  powershell.exe
  Token: SeDebugPrivilege  pid 2980  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2592  ordinul de cotatie.exe
Only the hollowed child installs a Windows hook, which is how Agent Tesla's keylogger component captures input.

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (source PID 856, ordinul de cotatie.exe, wrote to memory of):
  target PID 2980  powershell.exe          (4 events)
  target PID 2668  powershell.exe          (4 events)
  target PID 2652  schtasks.exe            (4 events)
  target PID 2592  ordinul de cotatie.exe  (9 events)
Every child the loader spawns gets exactly four writes, which is the baseline a parent produces when setting up a new process; the nine writes into PID 2592, the only child that also receives SetThreadContext, are the ones that carry the injected image.
Processes

C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe  (PID 856, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lVKVSUhnFGi.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2652, depth 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVKVSUhnFGi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E0A.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe  (PID 2592, depth 2)
    "C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Notes on the tree:
- The two PowerShell children are PIDs 2980 and 2668 (see Signatures); the report does not say which command line belongs to which PID.
- Each child's command line names C:\Windows\System32\..., but the image that ran is under C:\Windows\SysWOW64\...: the loader is a 32-bit process on 64-bit Windows, so the file-system redirector substitutes the 32-bit binaries. Rules keyed on the image path must allow for the SysWOW64 form.
- The second Defender exclusion and the task name share the string lVKVSUhnFGi: the loader excludes C:\Users\Admin\AppData\Roaming\lVKVSUhnFGi.exe, the path a persistent copy would occupy, and registers the task Updates\lVKVSUhnFGi from an XML definition written to tmp3E0A.tmp (the 1KB file listed under Downloads). lVKVSUhnFGi.exe itself does not appear in the dropped-file list for this run.
- The last child is a second copy of the same executable. It is the one that receives SetThreadContext and the nine WriteProcessMemory calls from PID 856, and it is the only process showing stealer behaviour (SetWindowsHookEx, SeDebugPrivilege), consistent with the unpacked Agent Tesla payload running inside the hollowed child rather than in the loader.
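The three behaviours in this tree (a Defender exclusion added from PowerShell, a scheduled task created from an XML file in a temp directory, and a process starting a copy of its own image) are each cheap to hunt for in process-creation telemetry. The script below is an added example, not part of the sandbox report or of any vendor's detection content. It runs over constructed Sysmon-style records modelled on the tree above; the root's parent PID and the pairing of PIDs 2980/2668 with the two PowerShell command lines are assumptions, since the report does not pair them.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Constructed process-creation records modelled on the process tree above.
# Sample input for this example only: ppid 1 for the root and the PID/command
# line pairing of the two PowerShell children are assumptions.
EVENTS: List[Event] = [
    {"pid": 856, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"'},
    {"pid": 2980, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"'},
    {"pid": 2668, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lVKVSUhnFGi.exe"'},
    {"pid": 2652, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVKVSUhnFGi" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3E0A.tmp"'},
    {"pid": 2592, "ppid": 856,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\ordinul de cotatie.exe"'},
]

# Add- and Set-MpPreference both create exclusions; values may be quoted or bare.
_MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
_EXCL_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|'
                      r"'([^']*)'|([^\s,]+))", re.IGNORECASE)
_TN_RE = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_XML_RE = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def defender_exclusions(cmd: str) -> List[Tuple[str, str]]:
    """(kind, value) for every Defender exclusion the command line adds."""
    if not _MPPREF_RE.search(cmd):
        return []
    found = []
    for m in _EXCL_RE.finditer(cmd):
        kind, dq, sq, bare = m.groups()
        value = next(v for v in (dq, sq, bare) if v is not None)
        found.append((kind.capitalize(), value))
    return found


def task_created_from_temp_xml(cmd: str) -> Optional[Tuple[str, str]]:
    """(task name, xml path) when schtasks /Create loads its definition from a
    temp directory, as this sample does; None otherwise."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tn, xml = _TN_RE.search(cmd), _XML_RE.search(cmd)
    if not (tn and xml):
        return None
    xml_path = xml.group(1) or xml.group(2)
    if not any(d in xml_path.lower() for d in _TEMP_DIRS):
        return None
    return tn.group(1) or tn.group(2), xml_path


def wow64_redirected(ev: Event) -> bool:
    """True when the command line names System32 but the image resolved under
    SysWOW64: a 32-bit parent hits the file-system redirector, so rules keyed
    on the image path must expect the SysWOW64 form."""
    return "\\syswow64\\" in ev["image"].lower() and "\\system32\\" in ev["cmd"].lower()


def self_spawn_children(events: List[Event]) -> List[Tuple[int, int, str]]:
    """(parent pid, child pid, image) where a process starts a second copy of
    its own image. Alone this is benign (browsers, updaters); paired with
    SetThreadContext/WriteProcessMemory into that child it is the hollowing
    pattern shown under Signatures above."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and parent["image"].lower() == ev["image"].lower():
            hits.append((parent["pid"], ev["pid"], ev["image"]))
    return hits


def triage(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Run all checks; each finding is (rule, pid, detail)."""
    findings = []
    for ev in events:
        for kind, value in defender_exclusions(ev["cmd"]):
            findings.append(("defender_exclusion_added", ev["pid"], f"{kind}={value}"))
        task = task_created_from_temp_xml(ev["cmd"])
        if task:
            findings.append(("schtasks_xml_from_temp", ev["pid"], f"{task[0]} <- {task[1]}"))
    for ppid, pid, image in self_spawn_children(events):
        findings.append(("self_spawn_hollowing_candidate", pid, f"parent {ppid} -> {image}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

On the constructed input the script reports two exclusions, one task registered from Temp, and PID 2592 as a self-spawn candidate; `wow64_redirected` is true for every child of the 32-bit loader. In production, feed it Sysmon Event ID 1 or Security 4688 records and treat the self-spawn rule as a correlation input rather than an alert on its own.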
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp3E0A.tmp
  Filesize: 1KB
  MD5: 4b9e436ecc2d668c6d9e9f376a20125a
  SHA1: f7c83f5581ecb0bb316adb0806fd511c83872c61
  SHA256: 7c9e4fe1c003182877ca59b11329b1d1ce8fb30127b720f5af089103ba8c2c06
  SHA512: 1c9ae35b7bfbe78d5ad309ba52f81ce9fd73a9a97174a2a465e338a3dbc5e715863f64f47f1f10ca8bbb9cefeb8a8751b98cfb5fce6f025035553db25fd4cb0a
  This is the scheduled-task XML passed to schtasks /XML in the process tree above.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: df5d5eee8c7979688d2c696410641477
  SHA1: 533ae5c018f33daf8b0fa8a0b081719c1149fb6c
  SHA256: 83a6705a479851889c314be32b5dd902ce60116a7891601b9fe066a55985eb89
  SHA512: b393aabb4c40c754b30f1164069920c07ae0b95b7b22604013f55c94d569218474a19d05b26731e4e4860134815c233ff2755a2cea1a7a612e9649cfd2562dfb
  A Windows jump-list (CustomDestinations) file written by the shell when an application is run; treat it as an execution artifact of the sample, not as a malware-authored drop.
Memory dumps (pid-sequence, address range, size):
  856-0   0x000000007480E000-0x000000007480F000  4KB
  856-1   0x0000000000D10000-0x0000000000DBE000  696KB
  856-2   0x0000000074800000-0x0000000074EEE000  6.9MB
  856-3   0x00000000042D0000-0x0000000004372000  648KB
  856-4   0x0000000000690000-0x00000000006AA000  104KB
  856-5   0x0000000000490000-0x00000000004A0000  64KB
  856-6   0x00000000052E0000-0x0000000005362000  520KB
  856-31  0x0000000074800000-0x0000000074EEE000  6.9MB
  2592-20 0x0000000000400000-0x0000000000442000  264KB
  2592-21 0x0000000000400000-0x0000000000442000  264KB
  2592-23 0x0000000000400000-0x0000000000442000  264KB
  2592-25 0x0000000000400000-0x0000000000442000  264KB
  2592-27 0x000000007EFDE000-0x000000007EFDF000  4KB
  2592-28 0x0000000000400000-0x0000000000442000  264KB
  2592-29 0x0000000000400000-0x0000000000442000  264KB
  2592-30 0x0000000000400000-0x0000000000442000  264KB

Both processes were started from the same 670KB file, yet the loader (856) carries a 696KB executable region at 0xD10000 while the child (2592) carries a 264KB region at 0x400000 that the sandbox dumped seven times. A main-image region of a different size in the child is what a hollowed process looks like from outside, and the 264KB dumps of 2592 are the place to look for the unpacked Agent Tesla payload and its configuration.