Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 15:09
Static task: static1
Behavioral task: behavioral1
Sample: 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
Resource: win7-20240508-en
General
Target: 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
Size: 828KB
MD5: 83fbcb1487d75d58cafaf8735667ba95
SHA1: e4148b6a31ba7501bb2a753276e241f2af5f2c85
SHA256: eb79cca838f57ff5f3bf13f3bbce26859ec27d6dbcdc96ada3c2ead3ef27abf7
SHA512: 51416405bc238f20c365aebd02b4568cecec077b0bef3a6623990c43520d077a52a9af6d21e89e7e3f7e7670db5ac4d671b831115954e85682ad619c19940dbe
SSDEEP: 12288:Qloc81Htkyyy0K2LACFShFNM1SOrebQrxL7eZBn4cpTaGRq3heykR:Ql0tzyy0KGANW1SOrrxLan4YT+3ho
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.elektronikkutu.com
Port: 587
Username: [email protected]
Password: 9U:e3@wpS3:U7h_V
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | Process | procid_target
PID 2084 set thread context of 2528 | 2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe | 32

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | Process
2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
2528 | RegSvcs.exe
2528 | RegSvcs.exe
2892 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
Token: SeDebugPrivilege | 2528 | RegSvcs.exe
Token: SeDebugPrivilege | 2892 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | Process
2528 | RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (identical rows collapsed, with the number of occurrences in the last column):
description | pid | Process | procid_target | occurrences
PID 2084 wrote to memory of 2892 | 2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe | 28 | 4
PID 2084 wrote to memory of 2624 | 2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe | 30 | 4
PID 2084 wrote to memory of 2528 | 2084 | 14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe | 32 | 12
Processes

1. C:\Users\Admin\AppData\Local\Temp\14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14f6dd1f7dd2cd56cff70627a813c9eb85a272fad1c5ae1c73ee2101e531a591.exe"
   PID: 2084
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JYmyaODRDDlILD.exe"
      PID: 2892
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYmyaODRDDlILD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp"
      PID: 2624
      - Scheduled Task/Job: Scheduled Task

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2528
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b8aab9b72914628d673985190eb87e76
SHA1: ad52869739033378e06ff8e5dc60227ee9023987
SHA256: 1c2b5dbde6aec53c26b75742c4879fff05b76117fda3fe47ef0d6feba9b431d8
SHA512: 816e084d2bcdfc15e24e21b5d071f882807e6a0acab74ac9a59c0ac00c4b439cc5f385748fae847a0928e3ec3328007bde5278e65d15ef9cf669346af88fb2d7