Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 09:50
Static task: static1
Behavioral task: behavioral1
- Sample: Additional Agreement5432.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Additional Agreement5432.exe
- Resource: win10v2004-20240426-en
General
- Target: Additional Agreement5432.exe
- Size: 1.0MB
- MD5: c31af689c2a98a34e4372db20e0468e0
- SHA1: a00007373d00cd7519d5c3520743d2fc7d7c05d6
- SHA256: 589a2ca9b2c36da41ee6d7366e35c943f6c6165719e6e699c6b9dccedb4a6503
- SHA512: 2bd225c396f07c0395fefd1ba14c1e53fa6311b54a097934bb19ee6a17236b24c120ba6314fffefdd5660e82a2a377bb986ea5541acb5dc19072ee7383725363
- SSDEEP: 24576:jAHnh+eWsN3skA4RV1Hom2KXMmHawhJDLYbQeDtC6LZG5:uh+ZkldoPK8Yaw3s5DY6LS
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: s30.securelayernetwork.com
- Port: 587
- Username: [email protected]
- Password: %lmb-a,[(1ty
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"
    process: RegSvcs.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 4, ioc: api.ipify.org
  - flow 5, ioc: api.ipify.org
  - flow 6, ioc: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 2908 set thread context of 1736
    pid: 2908, process: Additional Agreement5432.exe, target process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid 1736, process: RegSvcs.exe
  - pid 1736, process: RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - pid 2908, process: Additional Agreement5432.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - description: Token: SeDebugPrivilege
    pid: 1736, process: RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - pid 2908, process: Additional Agreement5432.exe
  - pid 2908, process: Additional Agreement5432.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  - pid 2908, process: Additional Agreement5432.exe
  - pid 2908, process: Additional Agreement5432.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (8 identical entries):
  - description: PID 2908 wrote to memory of 1736
    pid: 2908, process: Additional Agreement5432.exe, target process: RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe"
   PID: 2908
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2908)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe"
      PID: 1736
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken