Analysis

max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-05-2024 15:01

Static task: static1
Behavioral task: behavioral1
  Sample: Product Requirement Specification.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: Product Requirement Specification.exe
  Resource: win11-20240426-en
General

Target: Product Requirement Specification.exe
Size: 717KB
MD5: 429730ecefe80ea9b11f3265c138d07a
SHA1: bda184f72851ae98c67847a94e58abb80ae18d38
SHA256: e0a879d49cabbd517cd611b81cd5935e4f024532aa43aeba310650ce2411850c
SHA512: 5120a18e2ada665695870f12a79540958103cbf7ee5f3f137c7a2242a9b7843294c5a390caf5a1ce8ec98899d8fccb09b1372d85281682ecfcca0256371f9df0
SSDEEP: 12288:7qMVGPNlfw5660NXE6vEylfnrZ8G+yoLd67a28KSo4wei44yql8DOJUM:7WP48X/vEylfn18aoLd6fSozLWHOWM
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: business29.web-hosting.com
Port: 587
Username: [email protected]
Password: 7.s8.{OnUP(S
Email To: [email protected]

These are the stealer's own exfiltration settings (the mailbox it authenticates to and the address it sends stolen data to), not victim credentials; outbound SMTP on TCP 587 from a non-mail process to this host is the network indicator to hunt for.
Signatures

AgentTesla
Agent Tesla is a .NET-based (Visual Basic .NET) remote access tool (RAT) and credential stealer.

UAC bypass
Processes:
  Product Requirement Specification.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Processes:
  Product Requirement Specification.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe = "0"

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Windows security modification
Processes:
  Product Requirement Specification.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe = "0"

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  CasPol.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWcZJz = "C:\\Users\\Admin\\AppData\\Roaming\\AWcZJz\\AWcZJz.exe"

Checks whether UAC is enabled
Processes:
  Product Requirement Specification.exe
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 2: api.ipify.org
  flow 1: api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
Processes:
  Product Requirement Specification.exe (PID 3324) set thread context of PID 2064 (CasPol.exe)
Replacing the primary thread's context of a child the parent has just written into is the process-hollowing pattern: the WriteProcessMemory rows below are the payload being placed before the context switch.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  PID 648 powershell.exe (2)
  PID 2064 CasPol.exe (2)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  PID 648 powershell.exe
  Token: SeDebugPrivilege  PID 2064 CasPol.exe

Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  Product Requirement Specification.exe (PID 3324) wrote to memory of:
    PID 648 powershell.exe (2 times)
    PID 2064 CasPol.exe (8 times)
    PID 4068 CasPol.exe (3 times)

System policy modification 1 TTPs 1 IoCs
Processes:
  Product Requirement Specification.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
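The three registry writes in the tables above (EnableLUA forced to 0, the Defender path exclusion, and the HKU Run value written by the hollowed CasPol.exe) are exactly what a responder has to find and undo on a real host. The following is an added example, not part of this report and not Agent Tesla code: it parses rows in the report's "Set value" format, maps each to the ATT&CK technique it evidences, and emits the command that reverts it. The row regex, the rule table, the reg.exe and Remove-MpPreference strings, and the sample rows (constructed to mirror the tables above, plus one control row that must not fire) are this example's own assumptions.

```python
"""Added example, not part of the sandbox report or of Agent Tesla: parse the
report's registry "Set value" rows, map each to the ATT&CK technique it
evidences, and produce the command that reverts it on an infected host.
The row format, the rule table and the remediation strings are this example's
own assumptions; the sample rows are constructed to mirror the report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rows in the report's  Set value (type) <path> = "<data>"  shape.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe = "0"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWcZJz = "C:\\Users\\Admin\\AppData\\Roaming\\AWcZJz\\AWcZJz.exe"',
    # Constructed control row: a write under the same key that must not fire.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"',
]

IOC_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)"$')
EXCL_RE = re.compile(r"\\Exclusions\\(Paths|Extensions|Processes)\\(.+)$", re.I)
# Remove-MpPreference parameter for each Defender exclusion subkey.
EXCLUSION_PARAM = {"Paths": "ExclusionPath", "Extensions": "ExclusionExtension",
                   "Processes": "ExclusionProcess"}


@dataclass(frozen=True)
class RegIoc:
    kind: str   # "int" or "str"
    name: str   # native path: hive, key and value name
    data: str


@dataclass(frozen=True)
class Finding:
    technique: str
    label: str
    ioc: RegIoc


# (label, pattern over the full value path, predicate over data, ATT&CK id).
# The Defender pattern also matches the policy hive variant under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender used by GPO-set exclusions.
RULES = [
    ("uac_disabled", re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     lambda data: data == "0", "T1548.002"),
    ("defender_exclusion", EXCL_RE, None, "T1562.001"),
    ("run_key_persistence",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I), None, "T1547.001"),
]


def parse_ioc(line: str) -> Optional[RegIoc]:
    m = IOC_RE.match(line.strip())
    return RegIoc(*m.groups()) if m else None


def classify(ioc: RegIoc) -> Optional[Finding]:
    for label, pattern, predicate, technique in RULES:
        if pattern.search(ioc.name) and (predicate is None or predicate(ioc.data)):
            return Finding(technique, label, ioc)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Keep, in input order, every row that a rule recognises."""
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        finding = classify(ioc) if ioc else None
        if finding:
            findings.append(finding)
    return findings


def to_hive(native_path: str) -> str:
    """Rewrite the native \\REGISTRY\\... prefix into reg.exe notation."""
    for native, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if native_path.upper().startswith(native):
            return short + native_path[len(native):]
    return native_path


def exclusion_target(f: Finding) -> Tuple[str, str]:
    """For a Defender exclusion row the excluded item is the value name itself."""
    m = EXCL_RE.search(f.ioc.name)
    return m.group(1).capitalize(), m.group(2)


def remediation(f: Finding) -> str:
    """Command that reverts the change. Review before running: EnableLUA only takes
    effect after a reboot, and the Run entry's dropped file must be removed too."""
    key, _, value = f.ioc.name.rpartition("\\")
    if f.label == "uac_disabled":
        return f'reg add "{to_hive(key)}" /v {value} /t REG_DWORD /d 1 /f'
    if f.label == "defender_exclusion":
        subkey, item = exclusion_target(f)
        return f'Remove-MpPreference -{EXCLUSION_PARAM[subkey]} "{item}"'
    return f'reg delete "{to_hive(key)}" /v {value} /f'


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"{f.technique} {f.label:22} {f.ioc.name}\n    -> {remediation(f)}")
```

The EnableLUA rule only fires on data "0" so that a legitimate re-enable (data "1") written by an administrator is not reported; the Defender rule deliberately ignores data, because an exclusion entry's data is always 0 and the evidence is the value name itself. Remove-MpPreference will fail on a host where Tamper Protection is on and the caller is not a Defender-trusted process, which is also why the sample had to route its own exclusion through powershell.exe rather than writing the key directly.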
Processes

1  C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe  (PID 3324)
   "C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe"
   - UAC bypass
   - Windows security bypass
   - Windows security modification
   - Checks whether UAC is enabled
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 648)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Requirement Specification.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  (PID 2064)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  (PID 4068)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      (no signatures listed)
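The tree above shows the hollowing relationship in one place: the dropper (3324) starts CasPol.exe with no arguments, writes into it eight times, then calls SetThreadContext, and the signatures that fire afterwards (Run key, SeDebugPrivilege) fire in CasPol's name. The following is an added example, not from the report or from Agent Tesla, that turns that sequence into a detection: it replays an event stream through a stateful per-(parent, child) tracker and raises when remote writes exceed what a plain CreateProcess costs and are followed by a thread-context change. The event shape, the write baseline of 2 (taken from the powershell child in this report), and the list of .NET host binaries are this example's assumptions; the sample stream is constructed from the PIDs and counts the report lists.

```python
"""Added example, not from the sandbox report or from Agent Tesla: a small
stateful detector for the process-hollowing pattern visible in the report's
WriteProcessMemory and SetThreadContext tables. Event shape, the write
baseline and the .NET host list are this example's own assumptions; the
sample stream is constructed from the PIDs and counts the report lists."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ApiEvent:
    seq: int
    api: str            # "CreateProcess", "WriteProcessMemory" or "SetThreadContext"
    pid: int
    image: str
    target_pid: int
    target_image: str
    target_cmdline: str = ""   # only filled on CreateProcess


@dataclass
class PairState:
    target_image: str = ""
    target_cmdline: str = ""
    created_by_source: bool = False
    writes: int = 0
    context_set: bool = False


@dataclass(frozen=True)
class Alert:
    severity: str       # "high" or "low"
    reason: str
    pid: int
    target_pid: int
    target_image: str


# Signed .NET Framework utilities that get picked as hollowing hosts because they
# ship with Windows and are rarely launched by users (this example's list).
NET_HOST_BINARIES = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# In this report a plain CreateProcess shows up as two WriteProcessMemory rows
# (the powershell child); writes beyond that are treated as injected content.
# Calibrate per sensor before relying on it.
CREATE_BASELINE_WRITES = 2

DROPPER = "Product Requirement Specification.exe"
CASPOL = "CasPol.exe"
CASPOL_CMD = '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe"'
PS_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
          '-ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp\\Product Requirement Specification.exe" -Force')


def _ev(seq, api, tpid, timage, cmd=""):
    return ApiEvent(seq, api, 3324, DROPPER, tpid, timage, cmd)


# Constructed from the report: 3324 writes 2x into powershell (648), 8x into
# CasPol 2064 followed by SetThreadContext, and 3x into CasPol 4068 with no
# SetThreadContext logged.
SAMPLE_EVENTS = (
    [_ev(0, "CreateProcess", 648, "powershell.exe", PS_CMD)]
    + [_ev(i, "WriteProcessMemory", 648, "powershell.exe") for i in (1, 2)]
    + [_ev(3, "CreateProcess", 2064, CASPOL, CASPOL_CMD)]
    + [_ev(i, "WriteProcessMemory", 2064, CASPOL) for i in range(4, 12)]
    + [_ev(12, "SetThreadContext", 2064, CASPOL)]
    + [_ev(13, "CreateProcess", 4068, CASPOL, CASPOL_CMD)]
    + [_ev(i, "WriteProcessMemory", 4068, CASPOL) for i in (14, 15, 16)]
)


def has_args(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        rest = c[end + 1:] if end != -1 else ""
    else:
        rest = c.partition(" ")[2]
    return rest.strip() != ""


def detect_hollowing(events: List[ApiEvent]) -> List[Alert]:
    pairs = defaultdict(PairState)
    for e in sorted(events, key=lambda x: x.seq):
        st = pairs[(e.pid, e.target_pid)]
        st.target_image = e.target_image
        if e.api == "CreateProcess":
            st.created_by_source = True
            st.target_cmdline = e.target_cmdline
        elif e.api == "WriteProcessMemory":
            st.writes += 1
        elif e.api == "SetThreadContext":
            st.context_set = True

    alerts = []
    for (pid, tpid), st in pairs.items():
        extra = st.writes - (CREATE_BASELINE_WRITES if st.created_by_source else 0)
        if extra <= 0:
            continue
        hosted = st.target_image.lower() in NET_HOST_BINARIES and not has_args(st.target_cmdline)
        if st.context_set:
            reason = "remote writes followed by SetThreadContext"
            if hosted:
                reason += " into an argument-less .NET host binary"
            alerts.append(Alert("high", reason, pid, tpid, st.target_image))
        else:
            alerts.append(Alert("low", f"{extra} write(s) beyond CreateProcess baseline, no context change",
                                pid, tpid, st.target_image))
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.pid} -> {a.target_pid} ({a.target_image}): {a.reason}")
```

On the constructed stream this yields one high alert for 3324 -> 2064 and one low alert for 3324 -> 4068 (one write over baseline, no context change, which matches the report: the second CasPol instance never gets a SetThreadContext row and triggers no signatures). A production sensor would add the two steps this report does not log, the child being created with CREATE_SUSPENDED and the ResumeThread that follows SetThreadContext, and would key on the Framework (32-bit) CasPol path being spawned by a 64-bit parent, since the memory-dump address widths in the Downloads section show exactly that mix.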
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctm2d40m.fsm.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  PowerShell writes a __PSScriptPolicyTest_*.ps1 probe at startup to test whether script execution is restricted by AppLocker/WDAC; this file is a by-product of the powershell.exe child, not attacker content.

Memory dumps (pid-index, address range, size):
  memory/648-14   0x00007FFDEFC30000-0x00007FFDF06F2000  10.8MB
  memory/648-23   0x00007FFDEFC30000-0x00007FFDF06F2000  10.8MB
  memory/648-19   0x00000214285B0000-0x00000214285C0000  64KB
  memory/648-16   0x0000021440CF0000-0x0000021440D12000  136KB
  memory/648-17   0x00007FFDEFC30000-0x00007FFDF06F2000  10.8MB
  memory/2064-5   0x0000000000400000-0x0000000000442000  264KB
  memory/2064-25  0x0000000006D30000-0x0000000006DC2000  584KB
  memory/2064-29  0x0000000074B2E000-0x0000000074B2F000  4KB
  memory/2064-28  0x0000000008CC0000-0x0000000008CCA000  40KB
  memory/2064-27  0x0000000008D50000-0x0000000008DA0000  320KB
  memory/2064-18  0x0000000074B2E000-0x0000000074B2F000  4KB
  memory/2064-15  0x0000000005F30000-0x00000000064D6000  5.6MB
  memory/2064-20  0x0000000005AB0000-0x0000000005B16000  408KB
  memory/3324-1   0x00007FFDEFC33000-0x00007FFDEFC35000  8KB
  memory/3324-24  0x00007FFDEFC30000-0x00007FFDF06F2000  10.8MB
  memory/3324-0   0x000001D9DC4E0000-0x000001D9DC508000  160KB
  memory/3324-2   0x00007FFDEFC30000-0x00007FFDF06F2000  10.8MB
  memory/3324-3   0x000001D9DE130000-0x000001D9DE136000  24KB
  memory/3324-4   0x000001D9F6B60000-0x000001D9F6BF4000  592KB

The 3324 and 648 regions are 64-bit addresses while every 2064 region is 32-bit, consistent with a 64-bit dropper hollowing the CasPol.exe from the 32-bit \Framework\ directory. When carving the injected payload, memory/2064-5 (the 264KB region at the 0x400000 image base) is the usual first candidate.