Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 10:32
Static task
static1
Behavioral task
behavioral1
Sample
3.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
3.exe
Resource
win10v2004-20240611-en
General
-
Target
3.exe
-
Size
1.9MB
-
MD5
7b4c1ed22b968699059bb4717e2665a7
-
SHA1
731e51b1a3d522ea391495271d977e0e4961f203
-
SHA256
d72087da88129a3b1bce3505c119cb418f84bd68659eb33385546b9e33dddb4c
-
SHA512
d0c89dd0b914991ab2eeb4de48f98c46f14888849bf9a116a902fb497ef2b65725e82f8ac8f465172d147d7a9ec6a0fb9ae829f138e0ec3579a79dee48ec03d7
-
SSDEEP
12288:xthPA7R1brgevLbkgpco8BuB+VotGHNq82Qd+Y9J7O+aL229GgPlZqUXJctT:xY7R1YeDogpvB/ktJ2Qd99Q9OsJcx
Malware Config
Extracted
Protocol: smtp- Host:
mail.oserfech.eu - Port:
587 - Username:
[email protected] - Password:
Epicoffice@2024
Extracted
agenttesla
Protocol: smtp- Host:
mail.oserfech.eu - Port:
587 - Username:
[email protected] - Password:
Epicoffice@2024 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Processes:
3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions 3.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools 3.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
CasPol.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\plQRnonsft = "C:\\Users\\Admin\\AppData\\Roaming\\plQRnonsft\\plQRnonsft.exe" CasPol.exe -
Processes:
3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 3 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 3.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 3.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3.exedescription pid process target process PID 2212 set thread context of 2732 2212 3.exe CasPol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeCasPol.exepid process 2616 powershell.exe 2732 CasPol.exe 2732 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
3.exepowershell.exeCasPol.exedescription pid process Token: SeDebugPrivilege 2212 3.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeDebugPrivilege 2732 CasPol.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
CasPol.exepid process 2732 CasPol.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
3.exedescription pid process target process PID 2212 wrote to memory of 2616 2212 3.exe powershell.exe PID 2212 wrote to memory of 2616 2212 3.exe powershell.exe PID 2212 wrote to memory of 2616 2212 3.exe powershell.exe PID 2212 wrote to memory of 2052 2212 3.exe jsc.exe PID 2212 wrote to memory of 2052 2212 3.exe jsc.exe PID 2212 wrote to memory of 2052 2212 3.exe jsc.exe PID 2212 wrote to memory of 2052 2212 3.exe jsc.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 2732 2212 3.exe CasPol.exe PID 2212 wrote to memory of 1156 2212 3.exe WerFault.exe PID 2212 wrote to memory of 1156 2212 3.exe WerFault.exe PID 2212 wrote to memory of 1156 2212 3.exe WerFault.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2212 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵PID:2052
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2212 -s 10322⤵PID:1156
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Virtualization/Sandbox Evasion
2