Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 01:01
Behavioral task: behavioral1
Sample: c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
Resource: win7-20240708-en
General
Target: c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
Size: 695KB
MD5: 2ad8181dcb3d4983f5f03e8ac5f8d2a2
SHA1: e2f3e332bda9aa7b794b68e134bffef93f8eaf44
SHA256: c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b
SHA512: 2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219
SSDEEP: 12288:uYV6MorX7qzuC3QHO9FQVHPF51jgcEM9js/k/oRVJZVsirlvxom4Zs+:NBXu9HGaVHd9js/dV1nEs+
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe

Executes dropped EXE (1 IoC)
pid | Process
380 | name.exe

Loads dropped DLL (1 IoC)
pid | Process
2180 | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe

Resources matching yara rule upx (6 IoCs)
resource | yara_rule
behavioral1/memory/2180-0-0x0000000000BC0000-0x0000000000D49000-memory.dmp | upx
behavioral1/files/0x0007000000016d07-14.dat | upx
behavioral1/memory/2180-16-0x0000000002CF0000-0x0000000002E79000-memory.dmp | upx
behavioral1/memory/2180-20-0x0000000000BC0000-0x0000000000D49000-memory.dmp | upx
behavioral1/memory/380-22-0x00000000008A0000-0x0000000000A29000-memory.dmp | upx
behavioral1/memory/380-41-0x00000000008A0000-0x0000000000A29000-memory.dmp | upx

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
5 | api.ipify.org

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2180-20-0x0000000000BC0000-0x0000000000D49000-memory.dmp | autoit_exe
behavioral1/memory/380-22-0x00000000008A0000-0x0000000000A29000-memory.dmp | autoit_exe
behavioral1/memory/380-41-0x00000000008A0000-0x0000000000A29000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 380 set thread context of 2828 | 380 | name.exe | 32

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2828 | RegSvcs.exe
2828 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
380 | name.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2828 | RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2828 | RegSvcs.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2180 wrote to memory of 380 | 2180 | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe | 31
PID 2180 wrote to memory of 380 | 2180 | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe | 31
PID 2180 wrote to memory of 380 | 2180 | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe | 31
PID 2180 wrote to memory of 380 | 2180 | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe | 31
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
PID 380 wrote to memory of 2828 | 380 | name.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe (PID 2180)
  command line: "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\directory\name.exe (PID 380)
    command line: "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2828)
      command line: "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 262KB
MD5: 20e5c3cbfa296a9f5a51e653758b438a
SHA1: f662578e3ea0d36323c24663e908ea29858101a3
SHA256: 75c8279b4b62516792570ade72af67bca3fe5333ed99ec508a9454723958ec0c
SHA512: e47e05df42c55048d05b821a0442bb4652597ebe6b7d26811585707f29b91f595bc397528683fc6684e781e336a2716f884fe5eef0752d122efddb90dc808e08

Filesize: 28KB
MD5: 56762e6d923e8858546f407aa0c6472e
SHA1: d91150c920d714fd8591f5a35967a5aa14fe15e0
SHA256: f566ed58f8e7438b7d2e8e08e4e62a989f8646efa37497fa46054cd125163a2a
SHA512: 4d3d0a94f1c22ee34ce808b4051fc69c5ac25a20985ef78fe749c4ba7d5b872e1ee6ce4cf691bb93e198873a88310278dd7b5919b8aef098283b03db74767d55

Filesize: 695KB (matches the submitted sample)
MD5: 2ad8181dcb3d4983f5f03e8ac5f8d2a2
SHA1: e2f3e332bda9aa7b794b68e134bffef93f8eaf44
SHA256: c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b
SHA512: 2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219