Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 13:03
General
-
Target
FW CMA SHZ Freight invoice CHN1080769.exe
-
Size
683KB
-
MD5
3288dbaae811a799ea563988c0d78315
-
SHA1
48802f823b253a45d829b15bd0802db54ce35993
-
SHA256
e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
-
SHA512
fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
-
SSDEEP
12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.springandsummer.lk - Port:
587 - Username:
[email protected] - Password:
anu##323 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HDTjheWPb.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HDTjheWPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCE0.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52fe09381557a5024960661ba90558621
SHA115a7583268d10cd5fda892f3220739b593b027f3
SHA25626bb5e687569fbfce59b9b798422e51337ed0f6243bea9e818e714710199fd90
SHA5124bab0ecbeab11c17dc841a76f6eaae8a363140c355bf74175cc01150b91e5f0acc0bcb448f2104bdd80c7adfb828197474966aff9e8bc57368c55236f91c7829
-
Filesize
7KB
MD554dda0ac304cccbcb18391a6d953261d
SHA178e524f99e39c0c338cf769fa98a20ad16c3f0d3
SHA25652541dfbcdcb95fd5aae4c86f5f3d2695ae684ece01bb329c8b6bcf9ac289b1d
SHA51245f5627c29fe1b61520fb5dba54ae921941169592ce5d787cfbdad6bc6967120126f3b77af0718e54d1120fef88c2a3692e83f23b446b9d7c807e05f878979de
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
648KB
-
Filesize
6.9MB
-
Filesize
528KB
-
Filesize
64KB
-
Filesize
104KB