Analysis
- max time kernel: 15s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 08:39

Static task: static1
Behavioral task: behavioral1
- Sample: New Text Document.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: New Text Document.exe
- Resource: win10v2004-20240426-en
General
- Target: New Text Document.exe
- Size: 4KB
- MD5: a239a27c2169af388d4f5be6b52f272c
- SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
- SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
- SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
- SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config
Extracted
- Protocol: smtp
- Host: mail.officeemailbackup.com
- Port: 587
- Username: [email protected]
- Password: *L_n.e3}D?ky
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.officeemailbackup.com
- Port: 587
- Username: [email protected]
- Password: *L_n.e3}D?ky
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: New Text Document.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | New Text Document.exe
- Executes dropped EXE (2 IoCs)
  Processes: csrss.exe, Default.exe
  pid | process
  2624 | csrss.exe
  3704 | Default.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  25 | api.ipify.org
  26 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: csrss.exe
  description | pid | process | target process
  PID 2624 set thread context of 3092 | 2624 | csrss.exe | jsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: jsc.exe
  pid | process
  3092 | jsc.exe
  3092 | jsc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: New Text Document.exe, csrss.exe, jsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3552 | New Text Document.exe
  Token: SeDebugPrivilege | 2624 | csrss.exe
  Token: SeDebugPrivilege | 3092 | jsc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: jsc.exe
  pid | process
  3092 | jsc.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: New Text Document.exe, csrss.exe
  description | pid | process | target process
  PID 3552 wrote to memory of 2624 | 3552 | New Text Document.exe | csrss.exe
  PID 3552 wrote to memory of 2624 | 3552 | New Text Document.exe | csrss.exe
  PID 3552 wrote to memory of 3704 | 3552 | New Text Document.exe | Default.exe
  PID 3552 wrote to memory of 3704 | 3552 | New Text Document.exe | Default.exe
  PID 2624 wrote to memory of 2000 | 2624 | csrss.exe | msbuild.exe
  PID 2624 wrote to memory of 2000 | 2624 | csrss.exe | msbuild.exe
  PID 2624 wrote to memory of 2000 | 2624 | csrss.exe | msbuild.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
  PID 2624 wrote to memory of 3092 | 2624 | csrss.exe | jsc.exe
Processes (tree; nesting shows parent/child, the number is the depth shown by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Local\Temp\a\Default.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a\Default.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\a\Default.exe
  Filesize: 874KB
  MD5: 5342dce42b8256f33b5387ae829c0231
  SHA1: 6e199a9e7d35ecd6ca085f43c441cfb2028bddf3
  SHA256: e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8
  SHA512: 91d270a482e3a7494de79ffe6afc9d58af9c266a1187e63ae3ce4ff5967550fffebd685fcdfdc045ed99bfe88a9c527fd8f46e45a04e2ffbab0270cdc6b5f968
- C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
  Filesize: 794KB
  MD5: 54799fee84c11edd9e0b221612bf2631
  SHA1: bfbdc60eb14ca180b2143f3a16d38d73cf9126f5
  SHA256: 5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095
  SHA512: a903c9b729eabe05e258cc026e01539f22cd9dc98d625b8ccbfbf5900fafc5acaf063d01f9a7bd0d0be84890bd30fb85f23cce9006f65f86d4b8460ab2dafd08
Memory dumps (file, Filesize)
- memory/2624-29-0x000002BA7F590000-0x000002BA7F596000-memory.dmp: 24KB
- memory/2624-30-0x000002BA7F800000-0x000002BA7F894000-memory.dmp: 592KB
- memory/2624-14-0x000002BA64FF0000-0x000002BA6502C000-memory.dmp: 240KB
- memory/2624-15-0x00007FF992430000-0x00007FF992EF1000-memory.dmp: 10.8MB
- memory/2624-34-0x00007FF992430000-0x00007FF992EF1000-memory.dmp: 10.8MB
- memory/3092-36-0x0000000006DE0000-0x0000000006E7C000-memory.dmp: 624KB
- memory/3092-31-0x0000000000400000-0x0000000000440000-memory.dmp: 256KB
- memory/3092-32-0x0000000005CB0000-0x0000000006254000-memory.dmp: 5.6MB
- memory/3092-33-0x0000000005770000-0x00000000057D6000-memory.dmp: 408KB
- memory/3092-35-0x0000000006CF0000-0x0000000006D40000-memory.dmp: 320KB
- memory/3092-37-0x0000000006F20000-0x0000000006FB2000-memory.dmp: 584KB
- memory/3092-38-0x0000000006EA0000-0x0000000006EAA000-memory.dmp: 40KB
- memory/3552-0-0x00007FF992433000-0x00007FF992435000-memory.dmp: 8KB
- memory/3552-1-0x0000000000B90000-0x0000000000B98000-memory.dmp: 32KB
- memory/3552-2-0x00007FF992430000-0x00007FF992EF1000-memory.dmp: 10.8MB
- memory/3552-40-0x00007FF992430000-0x00007FF992EF1000-memory.dmp: 10.8MB
- memory/3704-27-0x00000000007D0000-0x00000000008AC000-memory.dmp: 880KB