Analysis
- max time kernel: 18s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
- submitted: 01-08-2024 21:25
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 04673533c7fbdda693710153531ffc40N.exe
  - Resource: win7-20240729-en
Behavioral task
- behavioral2
  - Sample: 04673533c7fbdda693710153531ffc40N.exe
  - Resource: win10v2004-20240730-en
General
- Target: 04673533c7fbdda693710153531ffc40N.exe
- Size: 881KB
- MD5: 04673533c7fbdda693710153531ffc40
- SHA1: 88a460822400b0ae932ec99c7c334f83b6f391d9
- SHA256: 9c88bb71aa34b21af48ac9cba57f99476b2c31032b09c90b868e357dcdb471fd
- SHA512: 924bdc15281808abe3697205193c719d306541acc085705c20dd28b6168d97087a946b4ecaea258385bdebba43971edb01182a91c197c3b6fc13d128e1f27825
- SSDEEP: 24576:ryLOsEpHaAiLjPxj4um3Gkr4WvHYuX0J:ryLOsEp6AMJnsXv4dJ
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: webmaster
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process:
    3060 powershell.exe
    2316 powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
    4 api.ipify.org
    5 api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
    PID 2088 set thread context of 2640 | 2088 04673533c7fbdda693710153531ffc40N.exe | 36
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04673533c7fbdda693710153531ffc40N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04673533c7fbdda693710153531ffc40N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
    1652 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process:
    2640 04673533c7fbdda693710153531ffc40N.exe
    2640 04673533c7fbdda693710153531ffc40N.exe
    2316 powershell.exe
    3060 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege | 2640 04673533c7fbdda693710153531ffc40N.exe
    Token: SeDebugPrivilege | 3060 powershell.exe
    Token: SeDebugPrivilege | 2316 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target (identical rows collapsed, count shown first):
    4 x | PID 2088 wrote to memory of 3060 | 2088 04673533c7fbdda693710153531ffc40N.exe | 30
    4 x | PID 2088 wrote to memory of 2316 | 2088 04673533c7fbdda693710153531ffc40N.exe | 32
    4 x | PID 2088 wrote to memory of 1652 | 2088 04673533c7fbdda693710153531ffc40N.exe | 34
    9 x | PID 2088 wrote to memory of 2640 | 2088 04673533c7fbdda693710153531ffc40N.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\04673533c7fbdda693710153531ffc40N.exe (PID 2088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04673533c7fbdda693710153531ffc40N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3060)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04673533c7fbdda693710153531ffc40N.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2316)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jLaJdSNYRXiLXi.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1652)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jLaJdSNYRXiLXi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0B0.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\04673533c7fbdda693710153531ffc40N.exe (PID 2640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\04673533c7fbdda693710153531ffc40N.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (4)
    - Credentials In Files (3)
    - Credentials in Registry (1)
Downloads
- Filesize: 1KB
  MD5: 28879910f1523e7dd38cbd6498bc762e
  SHA1: e922398bbc98f985b226c5bf3501f252208e75cb
  SHA256: 088eeb27955dba2e3af56d564d4ab6dcefa85e09d93a47258edd8f84b72d0406
  SHA512: e2649bbd4b5fc5b4e858540bb6fed0d0c28216cfae3ad30f00baa49b7157140b3ecfa63d0b3f50ba765a3e96565fe1171628018f89a735093208979cc665524a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J2QIGKM5GECCLFWGNQF3.temp
  Filesize: 7KB
  MD5: 8b4bf8822c1ad0bc8cf51038c7a77116
  SHA1: aeafe223f1d405bd1066ce7e79e961b716f2e3f4
  SHA256: 6cd6375db65a9614f52e792395c6ea3932a6c85cd52d4a137aba9c215b6f16b3
  SHA512: 6544f46f51647e99c25f70c887d9b3911b0bec7cd3a06a80475018c474748dc73e966a1e3dd94e7a45b867255cad06b699241acde65449c887109d6c04dbc5bc