Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 17:37
Static task: static1
Behavioral task: behavioral1
- Sample: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe
- Resource: win10v2004-20240611-en
General
- Target: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe
- Size: 1.1MB
- MD5: 87eb4ab4033081b7f43d983be380eaaf
- SHA1: 7417d9006b798ebdf722a5372b885de86fcc73ff
- SHA256: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce
- SHA512: 89e83526479df625c9e5e73108ec7c37c2573409de8c85c3a09e3b9984d8cb8a515b88d6fff89a2ccbf45a19da8f246a926d744e9797e5bf6e77e7dbb312a291
- SSDEEP: 24576:vCMd92C77NeTxXQo72s3cz1QGsbdnRHj:vld92eeTxAj9QtZn
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.naveentour.com
- Port: 587
- Username: [email protected]
- Password: nav!T6u2@001
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. This sample is configured to exfiltrate over SMTP using the mailbox credentials in the extracted configuration above.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Both invocations here use Add-MpPreference -ExclusionPath to exclude a dropped executable from scanning before it is used.
  Processes: powershell.exe (PID 1260), powershell.exe (PID 2708)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe (PID 2716)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  The value is written by RegSvcs.exe, i.e. by the payload injected into that process (see SetThreadContext below), not by the dropper itself.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2256 (845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe) set the thread context of PID 2716 (RegSvcs.exe). Together with the WriteProcessMemory calls into the same target listed below, this is consistent with process hollowing: the dropper starts a legitimate .NET utility, writes the payload into it and redirects its main thread.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\TcfmupXpmmXUQ" is registered from an XML definition dropped in the user's Temp directory (see the process tree).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe (PID 2256, 2 IoCs), powershell.exe (PID 2708), powershell.exe (PID 1260), RegSvcs.exe (PID 2716, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege enabled by: 845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe (PID 2256), powershell.exe (PID 2708), powershell.exe (PID 1260), RegSvcs.exe (PID 2716)
- Suspicious use of WriteProcessMemory (24 IoCs)
  All 24 calls originate from PID 2256 (845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe). The original lists one row per call; collapsed by target:
  Source PID  Target PID  Target process   Calls
  2256        1260        powershell.exe   4
  2256        2708        powershell.exe   4
  2256        2916        schtasks.exe     4
  2256        2716        RegSvcs.exe      12
  The dropper writes into every child it starts, but three times as often into RegSvcs.exe as into any other child; combined with the SetThreadContext call above, that count singles RegSvcs.exe out as the injection target.
Processes
- C:\Users\Admin\AppData\Local\Temp\845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe (PID 2256, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1260, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2708, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TcfmupXpmmXUQ.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2916, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TcfmupXpmmXUQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp471E.tmp"
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2716, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Notes on the tree: the helper processes are requested as C:\Windows\System32\... on the command line but actually run from C:\Windows\SysWOW64\, because the 32-bit dropper is subject to WoW64 file-system redirection; detection rules should match on the image path, not only the command-line string. The second Defender exclusion and the scheduled task share the name TcfmupXpmmXUQ, so the task is the likely persistence for the loader at C:\Users\Admin\AppData\Roaming\TcfmupXpmmXUQ.exe, while the Run value written from inside RegSvcs.exe (boqXv.exe) persists the injected payload. RegSvcs.exe is started with no arguments, which has no legitimate purpose (it needs an assembly path to do anything) and is a reliable tell for its use as a hollowing host.
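The behaviours above (a Defender exclusion added with Add-MpPreference, a task registered from an XML file in Temp, RegSvcs.exe launched with no arguments and then written to and re-pointed with SetThreadContext, and a Run value aimed at AppData) all surface in ordinary process-creation, API-call and registry telemetry. The following Python is an added example, not part of the sandbox report and not code from the sample: it runs five detection rules over constructed Sysmon-style events modelled on this report's process tree and IoCs. The event shape, the rule names, the severity scheme and the list of .NET host binaries are assumptions made for the example.

```python
"""Detection rules for the loader chain in this report, run over constructed
Sysmon-style events. Example code added to this page; not tria.ge or sample code."""
import re
from collections import defaultdict

# Per-user writable locations: a Defender exclusion, Run value or task XML that
# points here is the pattern in this report.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# .NET framework utilities commonly used as hollowing hosts (list chosen for this
# example; RegSvcs.exe is the one observed in the report).
DOTNET_HOSTS = re.compile(r"\\(?:RegSvcs|RegAsm|InstallUtil|MSBuild|AppLaunch)\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline):
    """Return everything after the (possibly quoted) program token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def finding(rule, severity, pid, detail):
    return {"rule": rule, "severity": severity, "pid": pid, "detail": detail}


def rule_defender_exclusion(ev):
    if ev["type"] != "process_create" or basename(ev["image"]) != "powershell.exe":
        return None
    cl = ev["cmdline"]
    if re.search(r"Add-MpPreference", cl, re.I) and re.search(r"-Exclusion(?:Path|Process|Extension)", cl, re.I):
        sev = "high" if USER_WRITABLE.search(cl) else "medium"
        return finding("defender_exclusion_added", sev, ev["pid"], cmdline_args(cl))
    return None


def rule_schtasks_xml(ev):
    if ev["type"] != "process_create" or basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"]
    if re.search(r"/Create\b", cl, re.I) and re.search(r'/XML\s+"?[^"]*\\Temp\\', cl, re.I):
        return finding("schtasks_create_from_temp_xml", "high", ev["pid"], cmdline_args(cl))
    return None


def rule_dotnet_host_no_args(ev, parent_images):
    """RegSvcs.exe and friends need an assembly path to do anything; an empty
    command line only makes sense when the process is an injection target."""
    if ev["type"] != "process_create" or not DOTNET_HOSTS.search(ev["image"]):
        return None
    if cmdline_args(ev["cmdline"]):
        return None
    parent = parent_images.get(ev["ppid"], "")
    sev = "high" if USER_WRITABLE.search(parent) else "medium"
    return finding("dotnet_utility_launched_without_args", sev, ev["pid"], f"parent={parent}")


def rule_run_key(ev):
    if ev["type"] != "registry_set" or not re.search(r"\\CurrentVersion\\Run\\", ev["key"], re.I):
        return None
    if USER_WRITABLE.search(ev["value"]):
        return finding("run_key_to_user_writable_path", "high", ev["pid"], ev["value"])
    return None


def rule_injection_chain(events):
    """WriteProcessMemory alone is noisy (in this report the dropper writes into
    every child it spawns); the same source also calling SetThreadContext on the
    same target is the hollowing tell."""
    calls = defaultdict(set)
    for ev in events:
        if ev["type"] in ("write_process_memory", "set_thread_context"):
            calls[(ev["pid"], ev["target_pid"])].add(ev["type"])
    return [finding("process_hollowing_pattern", "high", src, f"target={tgt}")
            for (src, tgt), kinds in sorted(calls.items())
            if {"write_process_memory", "set_thread_context"} <= kinds]


def run_rules(events):
    parent_images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    findings = []
    for ev in events:
        for rule in (rule_defender_exclusion, rule_schtasks_xml, rule_run_key):
            f = rule(ev)
            if f:
                findings.append(f)
        f = rule_dotnet_host_no_args(ev, parent_images)
        if f:
            findings.append(f)
    findings.extend(rule_injection_chain(events))
    return findings


# Constructed events modelled on this report's process tree and IoCs (not captured telemetry).
SAMPLE = "845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SID = "S-1-5-21-481678230-3773327859-3495911762-1000"
EVENTS = [
    {"type": "process_create", "pid": 2256, "ppid": 1, "image": TMP + "\\" + SAMPLE, "cmdline": f'"{TMP}\\{SAMPLE}"'},
    {"type": "process_create", "pid": 1260, "ppid": 2256,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{TMP}\\{SAMPLE}"'},
    {"type": "process_create", "pid": 2916, "ppid": 2256, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\TcfmupXpmmXUQ" /XML "{TMP}\\tmp471E.tmp"'},
    {"type": "process_create", "pid": 2716, "ppid": 2256, "image": NET, "cmdline": f'"{NET}"'},
    {"type": "write_process_memory", "pid": 2256, "target_pid": 1260},  # child start-up only, no SetThreadContext
    {"type": "write_process_memory", "pid": 2256, "target_pid": 2716},
    {"type": "set_thread_context", "pid": 2256, "target_pid": 2716},
    {"type": "registry_set", "pid": 2716,
     "key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\boqXv",
     "value": r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"},
    # Benign control: a build host registering a component with an explicit assembly path.
    {"type": "process_create", "pid": 4100, "ppid": 4000, "image": NET, "cmdline": f'"{NET}" C:\\build\\Svc.dll'},
]

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f'{f["severity"]:6} {f["rule"]:40} pid={f["pid"]} {f["detail"]}')
```

On the constructed events the rules fire once each (PowerShell exclusion, schtasks from Temp, argument-less RegSvcs.exe, Run value into AppData, and the WriteProcessMemory + SetThreadContext pair from 2256 into 2716), while the benign RegSvcs.exe invocation with an assembly path and the lone write into the PowerShell child produce nothing. Real telemetry would need the same rules keyed on Sysmon event IDs 1, 10 and 13, or the equivalent EDR API-call records.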
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: eed12542d7bab04d9f3e1ba72fad6562
  SHA1: 7955343c57cb219a86e323c49e4092a9891417d0
  SHA256: d845349357b0bb3cc59ef31dc8ab7500959d61b9eaab17115cfe1ca4f8e3d8ff
  SHA512: 93a753682125d888c3ee14bd167e55d48275c938ff851b4072b28decd593498d0e41f7b327de9f78a1e5cf89750971b92f76d389dc869db17ba7f50a456bedfb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MNFG0VKZ2CTG7Z14OGDQ.temp
  Filesize: 7KB
  MD5: 3902083084e4d6b4be90de74a0a42f42
  SHA1: 2df69c560f5715694057d5afbdd2b49b92c8adb8
  SHA256: 22f993918a3ebd8eaafd5ae992b5ec82b53c7daeaeed17f158e698d9279018c0
  SHA512: 4c464a085d12340fdffbb7a953e4d16ca7c8aa2ec699a3a6ad79c251f92b1606a6baf93e796a6bfc97273d49b9cc206c94b9999186908479c324147e98288870