Analysis
- max time kernel: 138s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2024 01:06
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
  Resource: win10v2004-20240426-en
General
- Target: 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
- Size: 553KB
- MD5: 1c4a8ce3141c818a47cc7884a1e628f5
- SHA1: 5ce55e99104e28d85b3673010efadc57f011db0b
- SHA256: 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536
- SHA512: 959929a696078657bed97f4aaf25de9e7e07a9da86bf1c1ad9f3fb207772e2ec052e3f44a365c097820b1b5aafd71f67e8f9d628e6a2f7ca6d42d4a2ab24183e
- SSDEEP: 12288:6qiSdb7nBOvasD05Inm8zMc//bbtI+TAmAIxMH6WKz:3fPB77Onm8zMc/jCTH6vz
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.sunlacn.com
- Port: 587
- Username: [email protected]
- Password: #_57J#lnfgQs
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (5 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2220-33-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/2220-30-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/2220-29-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/2220-26-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/2220-24-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  Processes (resource / yara_rule):
  - behavioral1/memory/2052-3-0x0000000001E10000-0x0000000001E1C000-memory.dmp: CustAttr
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid / Process):
  - 2972 powershell.exe
  - 1936 powershell.exe
  - 1996 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / Process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / Process / procid_target):
  - PID 2052 set thread context of 2220; pid 2052, 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe, procid_target 38
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / Process):
  - 2052 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
  - 2220 RegSvcs.exe
  - 2220 RegSvcs.exe
  - 1936 powershell.exe
  - 1996 powershell.exe
  - 2972 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / Process):
  - Token: SeDebugPrivilege; 2052 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
  - Token: SeDebugPrivilege; 2220 RegSvcs.exe
  - Token: SeDebugPrivilege; 1936 powershell.exe
  - Token: SeDebugPrivilege; 1996 powershell.exe
  - Token: SeDebugPrivilege; 2972 powershell.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description / pid / Process / procid_target); the source process is 5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe in every row:
  - PID 2052 wrote to memory of 2972; pid 2052, procid_target 30
  - PID 2052 wrote to memory of 2972; pid 2052, procid_target 30
  - PID 2052 wrote to memory of 2972; pid 2052, procid_target 30
  - PID 2052 wrote to memory of 2972; pid 2052, procid_target 30
  - PID 2052 wrote to memory of 1936; pid 2052, procid_target 32
  - PID 2052 wrote to memory of 1936; pid 2052, procid_target 32
  - PID 2052 wrote to memory of 1936; pid 2052, procid_target 32
  - PID 2052 wrote to memory of 1936; pid 2052, procid_target 32
  - PID 2052 wrote to memory of 1916; pid 2052, procid_target 34
  - PID 2052 wrote to memory of 1916; pid 2052, procid_target 34
  - PID 2052 wrote to memory of 1916; pid 2052, procid_target 34
  - PID 2052 wrote to memory of 1916; pid 2052, procid_target 34
  - PID 2052 wrote to memory of 1996; pid 2052, procid_target 36
  - PID 2052 wrote to memory of 1996; pid 2052, procid_target 36
  - PID 2052 wrote to memory of 1996; pid 2052, procid_target 36
  - PID 2052 wrote to memory of 1996; pid 2052, procid_target 36
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
  - PID 2052 wrote to memory of 2220; pid 2052, procid_target 38
Processes
- C:\Users\Admin\AppData\Local\Temp\5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2052
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5186efdfdceb4fa893f40ac77d48ea439cf222d52637b6e8387053906234d536.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2972
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OCFgeyqT.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1936
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OCFgeyqT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EDE.tmp"
    - Creates scheduled task(s)
    PID: 1916
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OCFgeyqT.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1996
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 1KB
  MD5: 52cc55a1abcfedf041e140a6f57b3cbe
  SHA1: fddbb00e09f0c4587c2ac2d83b162c142450a379
  SHA256: 42fe91d7d1dafdb925cdb0a11c65c8eee31612216e77ae2d49a818bc72a11a42
  SHA512: aefc91cf29bf6adc9a293e3b09605357d7d98761a4f21c30c137e8848e73cc28fb8910a1b5865dbbcc61b2c14f7daae1332174d4fe45578176b9f0c5872b0b14
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PSDZEB2AC6TTB0DXFURS.temp
  Filesize: 7KB
  MD5: 148c392a69c5a63db2da6bc571458541
  SHA1: 44847cff868cf2724b4f90d7fdebcac995aef5b4
  SHA256: 1ecf4ac043f9a343a3c3be8bf680f5e95874056982ceb8ed95d384dde178ad4a
  SHA512: 20a838aa828534766a3711cf5164d2922ed132db765811f4ec52c4e6d879585d0067cce7860751b85bdb55cae0aeb1d18eae9a3738d1a065b3c29fbeb1634827