Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 01:43

Static task: static1

Behavioral task: behavioral1
  Sample: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
  Resource: win10v2004-20240226-en
General

Target: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
Size: 832KB
MD5: 624287a4c65dc15c11448ab9a18b197d
SHA1: 985e68377849c429f8408863ae67850827cf7fa0
SHA256: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040
SHA512: ae16afa727451cb17795d83b74eec5c1f84681852eedd5970306837ec41cba4f6c881c130215e478d53aa87e3b310bb9854d000008e5dd69c7d60f3b5a5c7a66
SSDEEP: 24576:1Mm5SH6MIl3LkGDhsmD/U0UN/qiCggCTYRL:1Mm5Lnl7kSU1yijXMRL
Malware Config

Extracted family: agenttesla
  Protocol: smtp
  Host: mail.nsoftonline.com
  Port: 587
  Username: [email protected]
  Password: 7vG97f@j7
  Email To: [email protected]
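The extracted configuration shows the classic Agent Tesla exfiltration setup: the stealer first asks a public IP-lookup service for the victim's external address (the report records a flow to ip-api.com) and then submits its harvest by SMTP on port 587 to the configured mailbox. The following Python is an added example, not part of the sandbox report, showing how a detection engineer can correlate those two network events per process. The flow records are constructed for illustration; attributing the ip-api.com lookup to InstallUtil.exe (PID 2960) is an assumption, since the report only lists the flow, and the relay allowlist is hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    pid: int
    image: str       # process image name
    dst_host: str    # destination as resolved via DNS / HTTP Host (or raw IP)
    dst_port: int
    proto: str       # "http" or "tcp"


# External-IP services. ip-api.com is the one seen in this report; a production
# rule would carry a longer list (extending it is left as an assumption).
IP_LOOKUP_HOSTS = {"ip-api.com"}
SMTP_PORTS = {25, 465, 587}
# Mail relays the organisation legitimately uses (hypothetical allowlist).
ALLOWED_RELAYS = {"smtp.office365.com"}
# Exfiltration host taken from the extracted AgentTesla config on this page.
KNOWN_C2_MAIL_HOSTS = {"mail.nsoftonline.com"}

# Constructed flow records (not sandbox output).
FLOWS = [
    Flow(50.0, 3300, "outlook.exe", "smtp.office365.com", 587, "tcp"),   # benign mail client
    Flow(80.0, 4100, "chrome.exe", "ip-api.com", 80, "http"),            # user browsed the site
    Flow(100.0, 2960, "InstallUtil.exe", "ip-api.com", 80, "http"),      # assumed attribution
    Flow(104.0, 2960, "InstallUtil.exe", "mail.nsoftonline.com", 587, "tcp"),
    Flow(900.0, 5200, "svchost.exe", "ip-api.com", 80, "http"),
    Flow(1500.0, 5200, "svchost.exe", "mail.example.net", 587, "tcp"),  # too far apart to correlate
]


def smtp_exfil_findings(flows, window_s: float = 300.0) -> List[dict]:
    """Flag a process that queries an external-IP service and, within window_s
    seconds, opens an SMTP submission to a relay that is not allowlisted.
    A connection to a known C2 mail host is flagged even without the lookup."""
    findings: List[dict] = []
    by_pid: Dict[int, List[Flow]] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        by_pid.setdefault(f.pid, []).append(f)

    for pid, fl in by_pid.items():
        lookups = [f for f in fl if f.proto == "http" and f.dst_host in IP_LOOKUP_HOSTS]
        for f in fl:
            if f.proto != "tcp" or f.dst_port not in SMTP_PORTS or f.dst_host in ALLOWED_RELAYS:
                continue
            prior = [l for l in lookups if 0 <= f.ts - l.ts <= window_s]
            known_c2 = f.dst_host in KNOWN_C2_MAIL_HOSTS
            if not prior and not known_c2:
                continue
            findings.append({
                "pid": pid,
                "image": f.image,
                "mail_host": f.dst_host,
                "port": f.dst_port,
                "delta_s": f.ts - prior[-1].ts if prior else None,
                "known_c2": known_c2,
            })
    return findings


if __name__ == "__main__":
    for finding in smtp_exfil_findings(FLOWS):
        print(finding)
```

On a real sensor the same correlation runs over Zeek conn/http logs or EDR network telemetry; the process attribution is what separates a user who visited ip-api.com in a browser from an injected InstallUtil.exe that has no business speaking SMTP at all.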
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer that exfiltrates harvested data over SMTP, FTP or HTTP. The SMTP configuration extracted above is this sample's exfiltration channel, and the injection into the .NET Framework host InstallUtil.exe seen below is consistent with the family.

Executes dropped EXE (1 IoC)
  PID 4884  bets.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bets = "C:\\Users\\Admin\\AppData\\Roaming\\bets.exe"

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 51  ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  PID 4884 (bets.exe) set thread context of PID 2960 (InstallUtil.exe)

Runs ping.exe (1 TTP, 3 IoCs)
  PID 832   PING.EXE
  PID 2436  PING.EXE
  PID 2988  PING.EXE

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  PID 1424  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe  (27 events)
  PID 4884  bets.exe  (4 events)
  PID 2960  InstallUtil.exe  (4 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 1424  35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
  Token: SeDebugPrivilege  PID 4884  bets.exe
  Token: SeDebugPrivilege  PID 2960  InstallUtil.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1424 (35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe) wrote to memory of PID 2800 (cmd.exe)  (3 events)
  PID 2800 (cmd.exe) wrote to memory of PID 832 (PING.EXE)  (3 events)
  PID 1424 (35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe) wrote to memory of PID 4236 (cmd.exe)  (3 events)
  PID 4236 (cmd.exe) wrote to memory of PID 2436 (PING.EXE)  (3 events)
  PID 2800 (cmd.exe) wrote to memory of PID 2656 (reg.exe)  (3 events)
  PID 4236 (cmd.exe) wrote to memory of PID 2988 (PING.EXE)  (3 events)
  PID 4236 (cmd.exe) wrote to memory of PID 4884 (bets.exe)  (3 events)
  PID 4884 (bets.exe) wrote to memory of PID 2960 (InstallUtil.exe)  (8 events)

The three writes per cmd.exe, PING.EXE and reg.exe child are consistent with ordinary process creation by the parent. The eight writes from bets.exe into InstallUtil.exe, paired with the SetThreadContext call on the same target, are the sequence expected of process hollowing: the payload is written into a freshly created, legitimate .NET host and its main thread is redirected to it, so the final stealer runs under a Microsoft-signed image name.
Processes

1. C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe"
   PID: 1424
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bets" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bets.exe"
      PID: 2800
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 8
         PID: 832
         - Runs ping.exe

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bets" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bets.exe"
         PID: 2656
         - Adds Run key to start application

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe" "C:\Users\Admin\AppData\Roaming\bets.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\bets.exe"
      PID: 4236
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 10
         PID: 2436
         - Runs ping.exe

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 10
         PID: 2988
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Roaming\bets.exe
         Command line: "C:\Users\Admin\AppData\Roaming\bets.exe"
         PID: 4884
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            PID: 2960
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (a second root-level process in the sandbox, not a child of the sample)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
   PID: 3056

The two cmd.exe chains use `ping 127.0.0.1 -n N > nul` as a sleep (roughly N-1 seconds each) before writing the Run key, copying the sample to %AppData%\Roaming\bets.exe and relaunching it. InstallUtil.exe is started with no arguments at all, which a real installer never does; that, plus its parent living in a user-writable profile directory, is the hollowing target's tell.
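Both cmd.exe chains in the tree above, and the argument-less InstallUtil.exe under bets.exe, are detectable from process-creation telemetry alone. The Python below is an added example (not sandbox output and not Agent Tesla code) that runs two checks over constructed Sysmon-style process events modelled on this tree: it parses the `ping`-as-sleep chains for the Run key write, the copy into AppData\Roaming and the relaunch, and it lists InstallUtil.exe instances started without arguments by a parent outside C:\Windows. The parent PID of the sample (900) and the benign control event (PID 5100) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in this report. PID 5100 is
# an assumed benign InstallUtil.exe run (with an argument) used as a control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\bets.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
EVENTS = [
    ProcEvent(1424, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2800, 1424, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bets" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bets.exe"'),
    ProcEvent(4236, 1424, r"C:\Windows\SysWOW64\cmd.exe",
              f'"cmd" /c ping 127.0.0.1 -n 10 > nul && copy "{SAMPLE}" "{DROPPED}" && ping 127.0.0.1 -n 10 > nul && "{DROPPED}"'),
    ProcEvent(4884, 4236, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2960, 4884, INSTALLUTIL, f'"{INSTALLUTIL}"'),
    ProcEvent(5100, 5000, INSTALLUTIL, f'"{INSTALLUTIL}" "C:\\Program Files\\Vendor\\svc.exe"'),
]

PING_SLEEP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
RUN_KEY = re.compile(r'reg\s+add\s+"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I)
ROAMING_DROP = re.compile(r'copy\s+"[^"]*"\s+"([^"]*\\AppData\\Roaming\\[^"]+\.exe)"', re.I)


def analyse_cmd_chain(cmd: str) -> Optional[dict]:
    """Recognise the delayed-persistence pattern: ping-as-sleep chained with a
    Run key write and/or a copy into AppData\\Roaming (optionally relaunched)."""
    sleeps = [int(n) for n in PING_SLEEP.findall(cmd)]
    run_key = RUN_KEY.search(cmd) is not None
    drop = ROAMING_DROP.search(cmd)
    if not (sleeps and (run_key or drop)):
        return None
    dropped = drop.group(1) if drop else None
    # ping -n N sends N echoes about a second apart, so the sleep is ~N-1 s.
    delay_s = sum(n - 1 for n in sleeps)
    relaunch = bool(drop) and cmd.lower().find(dropped.lower(), drop.end()) != -1
    return {"delay_s": delay_s, "run_key": run_key, "dropped": dropped, "relaunch": relaunch}


def hollow_candidates(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """InstallUtil.exe started with no arguments by a parent outside C:\\Windows:
    the shape of a process-hollowing host rather than a genuine installer run."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        if not e.image.lower().endswith("\\installutil.exe"):
            continue
        if e.cmdline.strip().strip('"').lower() != e.image.lower():
            continue  # carries arguments: normal installer use
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if not parent_image.lower().startswith("c:\\windows\\"):
            hits.append((e.pid, parent_image))
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        verdict = analyse_cmd_chain(ev.cmdline)
        if verdict:
            print(f"PID {ev.pid}: delayed persistence chain {verdict}")
    for pid, parent in hollow_candidates(EVENTS):
        print(f"PID {pid}: argument-less InstallUtil.exe spawned by {parent}")
```

The two functions map onto the signatures the sandbox raised: `analyse_cmd_chain` covers "Adds Run key", "Runs ping.exe" and "Executes dropped EXE" from the command lines alone, and `hollow_candidates` turns the SetThreadContext/WriteProcessMemory pair into a check that works on process-creation logs even where API-level telemetry is unavailable.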
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 832KB
MD5: 624287a4c65dc15c11448ab9a18b197d
SHA1: 985e68377849c429f8408863ae67850827cf7fa0
SHA256: 35d380ecc9dd9ec0c1ceb4185baaa283caf1bfcb012ffc79a98569126fc5a040
SHA512: ae16afa727451cb17795d83b74eec5c1f84681852eedd5970306837ec41cba4f6c881c130215e478d53aa87e3b310bb9854d000008e5dd69c7d60f3b5a5c7a66