Analysis
max time kernel: 147s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 15:01
Static task: static1
Behavioral task: behavioral1
  Sample: Product Requirement Specification.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: Product Requirement Specification.exe
  Resource: win11-20240426-en
General
Target: Product Requirement Specification.exe
Size: 717KB
MD5: 429730ecefe80ea9b11f3265c138d07a
SHA1: bda184f72851ae98c67847a94e58abb80ae18d38
SHA256: e0a879d49cabbd517cd611b81cd5935e4f024532aa43aeba310650ce2411850c
SHA512: 5120a18e2ada665695870f12a79540958103cbf7ee5f3f137c7a2242a9b7843294c5a390caf5a1ce8ec98899d8fccb09b1372d85281682ecfcca0256371f9df0
SSDEEP: 12288:7qMVGPNlfw5660NXE6vEylfnrZ8G+yoLd67a28KSo4wei44yql8DOJUM:7WP48X/vEylfn18aoLd6fSozLWHOWM
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: business29.web-hosting.com
Port: 587
Username: [email protected]
Password: 7.s8.{OnUP(S
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Four signature titles below were lost in extraction; they are restored in square brackets from the per-process signature list in the Processes section.

[UAC bypass]
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Product Requirement Specification.exe

[Windows security bypass]
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Product Requirement Specification.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe = "0" | Product Requirement Specification.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | Product Requirement Specification.exe

[Windows security modification]
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Product Requirement Specification.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | Product Requirement Specification.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe = "0" | Product Requirement Specification.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWcZJz = "C:\\Users\\Admin\\AppData\\Roaming\\AWcZJz\\AWcZJz.exe" | installutil.exe

[Checks whether UAC is enabled]
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Product Requirement Specification.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Product Requirement Specification.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  28 | api.ipify.org
  29 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 4396 set thread context of 1516 | 4396 | Product Requirement Specification.exe | installutil.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid | process):
  2816 | powershell.exe
  2816 | powershell.exe
  1516 | installutil.exe
  1516 | installutil.exe
  1516 | installutil.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2816 | powershell.exe
  Token: SeDebugPrivilege | 1516 | installutil.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description | pid | process | target process). All 25 entries have PID 4396 (Product Requirement Specification.exe) as the writing process; they are grouped here by target process with the number of repeated entries:
  PID 4396 wrote to memory of 2816 | 4396 | Product Requirement Specification.exe | powershell.exe (2 entries)
  PID 4396 wrote to memory of 2424 | 4396 | Product Requirement Specification.exe | CasPol.exe (3 entries)
  PID 4396 wrote to memory of 3916 | 4396 | Product Requirement Specification.exe | AddInProcess32.exe (3 entries)
  PID 4396 wrote to memory of 1364 | 4396 | Product Requirement Specification.exe | regsvcs.exe (3 entries)
  PID 4396 wrote to memory of 2232 | 4396 | Product Requirement Specification.exe | regasm.exe (3 entries)
  PID 4396 wrote to memory of 1516 | 4396 | Product Requirement Specification.exe | installutil.exe (8 entries)
  PID 4396 wrote to memory of 4856 | 4396 | Product Requirement Specification.exe | installutil.exe (3 entries)

System policy modification (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Product Requirement Specification.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe"
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes (level 2):

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe" -Force
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      Signatures:
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5keexoej.4sf.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1516-28-0x0000000008610000-0x000000000861A000-memory.dmp
  Filesize: 40KB

memory/1516-27-0x0000000008E50000-0x0000000008EA0000-memory.dmp
  Filesize: 320KB

memory/1516-25-0x0000000006DF0000-0x0000000006E82000-memory.dmp
  Filesize: 584KB

memory/1516-23-0x0000000005B10000-0x0000000005B76000-memory.dmp
  Filesize: 408KB

memory/1516-22-0x00000000060C0000-0x0000000006664000-memory.dmp
  Filesize: 5.6MB

memory/1516-21-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2816-16-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/2816-17-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/2816-20-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/2816-15-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/2816-14-0x0000021A5FCC0000-0x0000021A5FCE2000-memory.dmp
  Filesize: 136KB

memory/4396-0-0x0000024C938B0000-0x0000024C938D8000-memory.dmp
  Filesize: 160KB

memory/4396-4-0x0000024CADF90000-0x0000024CAE024000-memory.dmp
  Filesize: 592KB

memory/4396-24-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/4396-3-0x0000024C954A0000-0x0000024C954A6000-memory.dmp
  Filesize: 24KB

memory/4396-2-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp
  Filesize: 10.8MB

memory/4396-1-0x00007FFA8AA43000-0x00007FFA8AA45000-memory.dmp
  Filesize: 8KB