Analysis
-
max time kernel
138s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
18-06-2024 10:32
Static task
static1
Behavioral task
behavioral1
Sample
3.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
3.exe
Resource
win10v2004-20240611-en
General
-
Target
3.exe
-
Size
1.9MB
-
MD5
7b4c1ed22b968699059bb4717e2665a7
-
SHA1
731e51b1a3d522ea391495271d977e0e4961f203
-
SHA256
d72087da88129a3b1bce3505c119cb418f84bd68659eb33385546b9e33dddb4c
-
SHA512
d0c89dd0b914991ab2eeb4de48f98c46f14888849bf9a116a902fb497ef2b65725e82f8ac8f465172d147d7a9ec6a0fb9ae829f138e0ec3579a79dee48ec03d7
-
SSDEEP
12288:xthPA7R1brgevLbkgpco8BuB+VotGHNq82Qd+Y9J7O+aL229GgPlZqUXJctT:xY7R1YeDogpvB/ktJ2Qd99Q9OsJcx
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.oserfech.eu - Port:
587 - Username:
[email protected] - Password:
Epicoffice@2024 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Processes:
3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe -
Processes:
3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3.exe = "0" 3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 3.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions 3.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools 3.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation 3.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
3.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths 3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3.exe = "0" 3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
regasm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plQRnonsft = "C:\\Users\\Admin\\AppData\\Roaming\\plQRnonsft\\plQRnonsft.exe" regasm.exe -
Processes:
3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 api.ipify.org 19 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 3.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 3.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3.exedescription pid process target process PID 724 set thread context of 2224 724 3.exe regasm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exeregasm.exepid process 1052 powershell.exe 1052 powershell.exe 1052 powershell.exe 2224 regasm.exe 2224 regasm.exe 2224 regasm.exe 2224 regasm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
3.exepowershell.exeregasm.exedescription pid process Token: SeDebugPrivilege 724 3.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeDebugPrivilege 2224 regasm.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
3.exedescription pid process target process PID 724 wrote to memory of 1052 724 3.exe powershell.exe PID 724 wrote to memory of 1052 724 3.exe powershell.exe PID 724 wrote to memory of 4604 724 3.exe CasPol.exe PID 724 wrote to memory of 4604 724 3.exe CasPol.exe PID 724 wrote to memory of 4604 724 3.exe CasPol.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 2224 724 3.exe regasm.exe PID 724 wrote to memory of 4536 724 3.exe regasm.exe PID 724 wrote to memory of 4536 724 3.exe regasm.exe PID 724 wrote to memory of 4536 724 3.exe regasm.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:724 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:4604
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵PID:4536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:81⤵PID:2396
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82