Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win10v2004-20240226-en
General
- Target: STATEMENT OF ACCOUNT.exe
- Size: 865KB
- MD5: f76b4b71b1686a349e4f3c5770b27449
- SHA1: 1c033d5efb45f05d04ec962edd1d626149a0630c
- SHA256: d46dd8b1ef453a087501831daa8ceddd875ad06a7f13ad06181f61f92e89d96a
- SHA512: c82148c639149675da30cb638ce401d4f8cfd84ede59e6ce2e4c93585632be401d19bd18a833b6b8a939aa9fddf97f83799a5de2ff986ecfa0bb8ef98ec5ae1d
- SSDEEP: 24576:AMYeI6ZN5iYnadY8GsO98B08izf1nl0aq:AMYeXN5i2ChGSB0dnlq
Malware Config
Extracted
Family: agenttesla
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
  - pid 1884: powershell.exe
  - pid 1960: powershell.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RegSvcs.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" (process: RegSvcs.exe)
-
Suspicious use of SetThreadContext (1 IoC)
Processes: STATEMENT OF ACCOUNT.exe
  - PID 1640 (STATEMENT OF ACCOUNT.exe) set thread context of 552 (RegSvcs.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes: STATEMENT OF ACCOUNT.exe, RegSvcs.exe, powershell.exe, powershell.exe
  - pid 1640: STATEMENT OF ACCOUNT.exe (7 occurrences)
  - pid 552: RegSvcs.exe (2 occurrences)
  - pid 1884: powershell.exe
  - pid 1960: powershell.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: STATEMENT OF ACCOUNT.exe, RegSvcs.exe, powershell.exe, powershell.exe
  - Token: SeDebugPrivilege, pid 1640, STATEMENT OF ACCOUNT.exe
  - Token: SeDebugPrivilege, pid 552, RegSvcs.exe
  - Token: SeDebugPrivilege, pid 1884, powershell.exe
  - Token: SeDebugPrivilege, pid 1960, powershell.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: STATEMENT OF ACCOUNT.exe
  - PID 1640 (STATEMENT OF ACCOUNT.exe) wrote to memory of 1884 (powershell.exe): 4 occurrences
  - PID 1640 (STATEMENT OF ACCOUNT.exe) wrote to memory of 1960 (powershell.exe): 4 occurrences
  - PID 1640 (STATEMENT OF ACCOUNT.exe) wrote to memory of 1888 (schtasks.exe): 4 occurrences
  - PID 1640 (STATEMENT OF ACCOUNT.exe) wrote to memory of 552 (RegSvcs.exe): 12 occurrences
Processes
-
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
  PID: 1640
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
    PID: 1884
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EuSXATwXykccgm.exe"
    PID: 1960
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EuSXATwXykccgm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FF0.tmp"
    PID: 1888
    - Creates scheduled task(s)
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 552
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 1KB
MD5: 983a09ed33371fcadda2ee609ec957fd
SHA1: d28e0d3ba4516899edc3b199c79e99cde20133c4
SHA256: 49de5773bd5f64a8bdf31cbddd581c90b045b4581160fcb078c4c1a4aacc4671
SHA512: 8f748137af4c34db397cd3e2e51aa7b4d23f5e8431a18cb6a82fa5863d431d269ec4147ff6e6d875634d02819ac80593a50c4ab9faac4a68634933502869a2f2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6HYXZPAA5JCYT1SX7NM5.temp
Filesize: 7KB
MD5: ef7fa4c54abfa0cf5a37364b4518aae4
SHA1: 6df15da029ef5f56bd3643c36ff7379fd74a58d0
SHA256: 65f061f89d2b62066d7a6f8198103be4460df8683e7dd605c2025c237bd72900
SHA512: c4703a1dde5aef31355baf9d3116cba8463b81b7c539aef044c96ad10bdcd4a6a43e924f3102bdc54fb83e037537cb3a777c5d28a59504e09df1bf5a990682d4