Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 17:12

Static task: static1
Behavioral task: behavioral1
Sample: 67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe
Resource: win7-20240508-en
General

Target: 67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe
Size: 718KB
MD5: d78328c74038f352a3fc925869c72a6f
SHA1: 40add36f173997516722233a7f77e6d5820059a0
SHA256: 67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58
SHA512: f0931df42e13e5ce3b77d5cde4532dc21cfe5cc1625b89eab5992687d33ece3baddda95d45ade93ca401605163be2990af8eb6ffccd926fd7154e5e593d7468e
SSDEEP: 12288:hxK2iNPyCK2xrOomU7kmHS3fbjX3GQDwcpgPGEgA3ltVHkPcoN7QHNqSTmG:O15yC5m4SvbjX398td3ltVVoN7QHNqSP
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.winnerawards.ae
Port: 587
Username: [email protected]
Password: azharwinner
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2772  powershell.exe
  2560  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                                target process
  PID 2164 set thread context of 1900  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   process
  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  (16 entries)
  2560  powershell.exe
  2772  powershell.exe
  1900  MSBuild.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe
  Token: SeDebugPrivilege  2560  powershell.exe
  Token: SeDebugPrivilege  2772  powershell.exe
  Token: SeDebugPrivilege  1900  MSBuild.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2164 wrote to memory of 2772  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  powershell.exe  (4 entries)
  PID 2164 wrote to memory of 2560  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  powershell.exe  (4 entries)
  PID 2164 wrote to memory of 2548  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  schtasks.exe    (4 entries)
  PID 2164 wrote to memory of 3008  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  MSBuild.exe     (4 entries)
  PID 2164 wrote to memory of 1900  2164  67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe  MSBuild.exe     (9 entries)
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe"
  PID: 2164
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\67478aaae5e89afc20d6e29500da5a1a3a9c266976a4aae255fe9ebbe4aeef58.exe"
    PID: 2772
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GhhCyrnhmxbj.exe"
    PID: 2560
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhhCyrnhmxbj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9BC3.tmp"
    PID: 2548
    - Scheduled Task/Job: Scheduled Task

  [level 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 3008

  [level 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1900
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: dd1e2850d2fd4e6afbb6a237c1266137
SHA1: 9727e34ed60de74a2a83f21f8b29e309257c76b5
SHA256: fa2a8e258d37a3f4cede96c2e901250585c84f75745e4ae6722f7faafdfa4ac3
SHA512: bd46fc45c8038e7ed1d579d5b0fe09970c78e5dd0a0e6c3f7e158dd94151d94dd7bb0d2cba02b834ab1088bd671a38ff2e93a7111f826ee7a9c47150907f38d4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 7c6b41c8eb3004d1cbe3206fd14a2a26
SHA1: da1d0637b8a0d1b497791fd0e0c18829cdc02899
SHA256: 461d128de9d10a78fc6ec686512e65c2b87a3a8e0cbbaaa0c5ee7e615a07022e
SHA512: 562c491bb7df4739a606da9bce72929b5de644bcbbd8c9f1afee8ec2180ed5818248cb9b979eaa4ca32c8b0983196485f785c3b4ab6aff67cf22142e4e0de1a3