Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 15:11
Static task
- static1
Behavioral task
- behavioral1
  - Sample: IMG_160750_311608.exe
  - Resource: win7-20240611-en
Behavioral task
- behavioral2
  - Sample: IMG_160750_311608.exe
  - Resource: win10v2004-20240508-en
General
- Target: IMG_160750_311608.exe
- Size: 1.9MB
- MD5: 08271ffa8f7e596d7fa17aa47226ef9d
- SHA1: f5dcda432d515083a8536e07777c5748ca1f945d
- SHA256: a705803d36a853fea252b00451b392245ee4d66f9c830778d021cdefaf252136
- SHA512: f95aa625f2f8fde20f089fd1380de22af42a3696309744e958897b3c67b19877bef6c34a1d5f046b9dc0359ac1ac06bc6c60d969392b77de0f4ae68b976c2dc9
- SSDEEP: 24576:p9TE0vEWbFPN50sUgzpiDRx+XKq3ilh5TGqneE/9qkZRFnb0HjE9EPil:pNE08WbY5pzb0HjEOu
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Executes dropped EXE (2 IoCs)
Processes:
- PID 1960: IMG10.exe
- PID 3576: IMG10.exe

Loads dropped DLL (2 IoCs)
Processes:
- PID 1556: IMG_160750_311608.exe
- PID 1960: IMG10.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\lojziw = "C:\\Users\\Admin\\AppData\\Roaming\\lojziw.exe" | IMG_160750_311608.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG10.exe\" .." | IMG10.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | procid_target):
- PID 1556 set thread context of 1728 | 1556 | IMG_160750_311608.exe | 32
- PID 1960 set thread context of 3576 | 1960 | IMG10.exe | 42
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 4 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 2892: ipconfig.exe
- PID 2964: ipconfig.exe
- PID 3356: ipconfig.exe
- PID 3688: ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1728: IMG_160750_311608.exe
- PID 1728: IMG_160750_311608.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1556 | IMG_160750_311608.exe
- Token: SeDebugPrivilege | 1556 | IMG_160750_311608.exe
- Token: SeDebugPrivilege | 1960 | IMG10.exe
- Token: SeDebugPrivilege | 1728 | IMG_160750_311608.exe
- Token: SeDebugPrivilege | 1960 | IMG10.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 1728: IMG_160750_311608.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Processes (description | pid | process | procid_target); identical repeated rows are collapsed and their count is given in parentheses:
- PID 1556 wrote to memory of 2288 | 1556 | IMG_160750_311608.exe | 28 (4 entries)
- PID 2288 wrote to memory of 2892 | 2288 | cmd.exe | 30 (4 entries)
- PID 1556 wrote to memory of 1960 | 1556 | IMG_160750_311608.exe | 31 (4 entries)
- PID 1556 wrote to memory of 1728 | 1556 | IMG_160750_311608.exe | 32 (9 entries)
- PID 1556 wrote to memory of 924 | 1556 | IMG_160750_311608.exe | 33 (4 entries)
- PID 924 wrote to memory of 2964 | 924 | cmd.exe | 35 (4 entries)
- PID 1960 wrote to memory of 3324 | 1960 | IMG10.exe | 37 (4 entries)
- PID 3324 wrote to memory of 3356 | 3324 | cmd.exe | 39 (4 entries)
- PID 1960 wrote to memory of 3576 | 1960 | IMG10.exe | 42 (9 entries)
- PID 1960 wrote to memory of 3648 | 1960 | IMG10.exe | 43 (4 entries)
- PID 3648 wrote to memory of 3688 | 3648 | cmd.exe | 45 (4 entries)
Processes (process tree; indentation shows parent/child relationship)
- [PID 1556] C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 2288] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    signatures: Suspicious use of WriteProcessMemory
    - [PID 2892] C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /release
      signatures: Gathers network information
  - [PID 1960] C:\Users\Admin\AppData\Local\Temp\IMG10.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\IMG10.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [PID 3324] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      signatures: Suspicious use of WriteProcessMemory
      - [PID 3356] C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /release
        signatures: Gathers network information
    - [PID 3576] C:\Users\Admin\AppData\Local\Temp\IMG10.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\IMG10.exe"
      signatures: Executes dropped EXE; Adds Run key to start application
    - [PID 3648] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      signatures: Suspicious use of WriteProcessMemory
      - [PID 3688] C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /renew
        signatures: Gathers network information
  - [PID 1728] C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - [PID 924] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    signatures: Suspicious use of WriteProcessMemory
    - [PID 2964] C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /renew
      signatures: Gathers network information
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: 83dea7a1bff3c0606fa9700b811feb81
  SHA1: 3bef939c9d351ef4cb01b9fb115e8a75b32c643c
  SHA256: 5d6246c1a67038c308228bb3b07c59073af9ec393b8961f0df397622fe3d364d
  SHA512: 8883aac7cc117961a44c203c8e615a71b90da4e239b3bd03bbee925969ea43347b7a2f4f041c912bd71c350c44e8dcbb80688f732254f2f09ea1df957a62880a