Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: Material Attached.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Material Attached.exe
  Resource: win10v2004-20240611-en
General
- Target: Material Attached.exe
- Size: 983KB
- MD5: a7a11d7dc16fef60c09830725b1d70f5
- SHA1: c351ed457dd5855594b7def5804fbd785dfcb370
- SHA256: 247231562ac357a1ccf0770b35d4bd7b140a98e677b1a31f825ba9d020e51eb0
- SHA512: 054328aa10643e97b8b04e0190332d1a8b4dab3f7cd0116cb7cfff3145ef99e17fcccf2080586671483b5f942246f4d2d0e2c30633909231418f8008ed264cbe
- SSDEEP: 12288:map8vZ89HTpiwVuWcWzDSVYFCVmKVa9FcxSPBk4mO/mKU6S+P4g0H6qx/gup+5Ac:m6kLwA7WzsnQSSPBPm+7hw7sejpLAtEg
Malware Config
Extracted
- Protocol: smtp
- Host: webmail.standardengg-works.com
- Port: 587
- Username: [email protected]
- Password: welcomesew42ac
Extracted: agenttesla
- Protocol: smtp
- Host: webmail.standardengg-works.com
- Port: 587
- Username: [email protected]
- Password: welcomesew42ac
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid   Process
    2384  powershell.exe
    2412  powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                       Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\VmkjVd = "C:\\Users\\Admin\\AppData\\Roaming\\VmkjVd\\VmkjVd.exe"  RegSvcs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     api.ipify.org
    5     api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   Process                procid_target
    PID 3012 set thread context of 2808  3012  Material Attached.exe  34
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid   Process
    3012  Material Attached.exe  (7 entries)
    2808  RegSvcs.exe            (2 entries)
    2384  powershell.exe
    2412  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  3012  Material Attached.exe
    Token: SeDebugPrivilege  2808  RegSvcs.exe
    Token: SeDebugPrivilege  2384  powershell.exe
    Token: SeDebugPrivilege  2412  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   Process
    2808  RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description                     pid   Process                procid_target
    PID 3012 wrote to memory of 2384  3012  Material Attached.exe  28  (4 entries)
    PID 3012 wrote to memory of 2412  3012  Material Attached.exe  30  (4 entries)
    PID 3012 wrote to memory of 2624  3012  Material Attached.exe  31  (4 entries)
    PID 3012 wrote to memory of 2808  3012  Material Attached.exe  34  (12 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Material Attached.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"
   PID: 3012
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"
      PID: 2384
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe"
      PID: 2412
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDtrwbEktsDpCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp"
      PID: 2624
      - Scheduled Task/Job: Scheduled Task
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2808
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- (path not recorded)
  Filesize: 1KB
  MD5: e24b795e062083d1c6b97b37ce69a25c
  SHA1: e95821380d8d0f1c001f1d97d073c50dccc6ba28
  SHA256: 4f70af7b44382695555d1f26841112ea04c6fda05f3e5ecac9008309b9f5f2cc
  SHA512: 4a1afebc3acd9921d1e1d395453a8a7d7dc2f8d41c1bf65b4813193c8bfbe7d923dbe5b658f0e0eb8fb5f0d73f640021df557f1bb8f8282463357eee4d7c41bb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FO364L27K6TLJOGO8KC.temp
  Filesize: 7KB
  MD5: e184671217f5ab78d6c798c6351411ef
  SHA1: 81fdbd843635ba805fbc5c8109496f6da3d49b27
  SHA256: b6891991bb366dc140867a2ad4fb7e31c2c220cce1e0b4204aeb3a00dd129c1d
  SHA512: 196196dc68a4d53e5dab72f7815f48d4f58c6a67030946af7a648cc76902d87abfeb3ede55fc44dc54ab0ab9872223fcdf17b9bf5050a7f045dc3abf2ecc5d83