Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-06-2024 12:11
Static task
static1
Behavioral task
behavioral1
Sample
COMPANY PROFILE AND ORDER SPECIFICATIONS.exe
Resource
win7-20240221-en
General
-
Target
COMPANY PROFILE AND ORDER SPECIFICATIONS.exe
-
Size
1.6MB
-
MD5
7cdb0b445f832108ebd3f328e8e1e552
-
SHA1
b38dad9f7796db9ceb5214e9bc1412a6e744ddcb
-
SHA256
545841c0614979992bd1e4da511c9c4564056bdaac05e7ba146a117051555297
-
SHA512
2f89081d1c029aa53120e86809b17025edf7f35e6dbf88186a678f429fc90175e354bc0ca5bd0ec8d777b02ef7e4b9bee781c79641c492d381bc8072b0dd0523
-
SSDEEP
12288:6iTjnBxQhBD39BneCVyy7Ahf5ksed3Kt55Zbx5e5Y8lD8/5KwzxD:6YjnYBDneBKofTeds5zbfe53K5LxD
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.pmceg.com - Port:
587 - Username:
[email protected] - Password:
momenmohamed1234@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion COMPANY PROFILE AND ORDER SPECIFICATIONS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA COMPANY PROFILE AND ORDER SPECIFICATIONS.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum COMPANY PROFILE AND ORDER SPECIFICATIONS.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription pid Process procid_target PID 2856 set thread context of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeregsvcs.exepid Process 2520 powershell.exe 2380 regsvcs.exe 2380 regsvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeregsvcs.exedescription pid Process Token: SeDebugPrivilege 2520 powershell.exe Token: SeDebugPrivilege 2380 regsvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
regsvcs.exepid Process 2380 regsvcs.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription pid Process procid_target PID 2856 wrote to memory of 2520 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 29 PID 2856 wrote to memory of 2520 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 29 PID 2856 wrote to memory of 2520 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 29 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2380 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 31 PID 2856 wrote to memory of 2460 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 32 PID 2856 wrote to memory of 2460 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 32 PID 2856 wrote to memory of 2460 2856 COMPANY PROFILE AND ORDER SPECIFICATIONS.exe 32 -
System policy modification 1 TTPs 1 IoCs
Processes:
COMPANY PROFILE AND ORDER SPECIFICATIONS.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" COMPANY PROFILE AND ORDER SPECIFICATIONS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE AND ORDER SPECIFICATIONS.exe"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE AND ORDER SPECIFICATIONS.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE AND ORDER SPECIFICATIONS.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2380
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2856 -s 8402⤵PID:2460
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2