Analysis
-
max time kernel
115s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 01:40
Static task
static1
Behavioral task
behavioral1
Sample
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
Resource
win10v2004-20240611-en
General
-
Target
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
-
Size
1.1MB
-
MD5
153458c4d28fe80dbc951898df7348a0
-
SHA1
11bd2534f5e073d7de5560193ad582ebf1fbf19a
-
SHA256
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791
-
SHA512
7ee79443e9fc623c98b30ab396169eaffb06aa046bc373889cf3de6279a1aea432489c98a764e340c72e27cf782668601807d8541343ae54b8d1bc0241f01318
-
SSDEEP
24576:zAHnh+eWsN3skA4RV1Hom2KXMmHas4Y4uqBp9fcOpbQ5:+h+ZkldoPK8Yas4nuqDDpK
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
^NpBYBQ0 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2192-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Drops startup file 1 IoCs
Processes:
name.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe -
Executes dropped EXE 1 IoCs
Processes:
name.exepid process 4764 name.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe" RegSvcs.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 3 api.ipify.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\directory\name.exe autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
name.exedescription pid process target process PID 4764 set thread context of 2192 4764 name.exe RegSvcs.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2312 4764 WerFault.exe name.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 2192 RegSvcs.exe 2192 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
name.exepid process 4764 name.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 2192 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exepid process 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe 4764 name.exe 4764 name.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exepid process 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe 4764 name.exe 4764 name.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exedescription pid process target process PID 3080 wrote to memory of 4764 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe name.exe PID 3080 wrote to memory of 4764 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe name.exe PID 3080 wrote to memory of 4764 3080 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe name.exe PID 4764 wrote to memory of 2192 4764 name.exe RegSvcs.exe PID 4764 wrote to memory of 2192 4764 name.exe RegSvcs.exe PID 4764 wrote to memory of 2192 4764 name.exe RegSvcs.exe PID 4764 wrote to memory of 2192 4764 name.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 7003⤵
- Program crash
PID:2312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4764 -ip 47641⤵PID:2760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3984,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:81⤵PID:2716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.1MB
MD5153458c4d28fe80dbc951898df7348a0
SHA111bd2534f5e073d7de5560193ad582ebf1fbf19a
SHA2567dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791
SHA5127ee79443e9fc623c98b30ab396169eaffb06aa046bc373889cf3de6279a1aea432489c98a764e340c72e27cf782668601807d8541343ae54b8d1bc0241f01318