Overview

overview

10

Static

static

3

HD4 DEMURR...PY.exe

windows7-x64

10

HD4 DEMURR...PY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HD4 DEMURRAGE INVOICE COPY.exe

  • Size

    765KB

  • MD5

    a120a32f95b04048e4c35b5c2fa36fde

  • SHA1

    4d6e2d8d982a40d812891f8923f590babd30bf45

  • SHA256

    eeb42a7de4e8a6099fd91f5f6fbea62b8c5990b3fa0efe054e61904d023e8965

  • SHA512

    85aed661acfbad525132812f12b3eaa2138fc8741c44b184dde6af4239f80ef63f927254c5cc5e8fdaa514b9fa5f585ada2567bb61b902af77e5e0f1ecde133a

  • SSDEEP

    12288:aTI03sW/XDRTKVrxt4PqMT3w9ccWKCmCPqGH7PA61m7tPoz2J4BwGATV5Rx9yn9B:OI8sWNmrtqbw9gKCsGHzA61m7NkwGAZp

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5862304010:AAGELNW7Uh-qnFDDQucOIsNATlN1Btw8R-8/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HD4 DEMURRAGE INVOICE COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\HD4 DEMURRAGE INVOICE COPY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HD4 DEMURRAGE INVOICE COPY.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bCwnQBWcIqj.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bCwnQBWcIqj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2D.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\HD4 DEMURRAGE INVOICE COPY.exe
      "C:\Users\Admin\AppData\Local\Temp\HD4 DEMURRAGE INVOICE COPY.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF2D.tmp
    Filesize

    1KB

    MD5

    6aaca310cb948a68f0a070c7ae5cfa02

    SHA1

    7c9acb7a98cf528e42486b12405b394e9da09c20

    SHA256

    cb3f927e1701838e36e579e4144940c327fd44729db6fb534eb1993d17322e55

    SHA512

    d06bfae3d9a2d11d32999dcaceeadf1b4c602bcb1df107bfec2c5fd4077dc41523d0d9cc279476f7c9dd43cd6ef65b8dc927fe3b4b1073f427b5f58d6eddbe98

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2SSSZQY8F3U6GH3IFLHR.temp
    Filesize

    7KB

    MD5

    8640649c97990b285b011070b603c5ca

    SHA1

    3192daf6058f6b7050159078aa367ca369d46ff2

    SHA256

    77281a7c89adcfd5ab54c8c630542c0705d348afe52c94c8c120b43a9887d170

    SHA512

    45aab5aaa83ffa01c188a66155903ba9caae9730bb6d10c1c3b70754cb0a5c57bbce945c94861f2df0e478c35db5752f37ab40bede6ce7e10da93820279c41a9

    Download Submit

  • memory/1904-4-0x0000000000A10000-0x0000000000A28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1904-3-0x0000000000D00000-0x0000000000D9E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1904-0-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1904-5-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1904-6-0x0000000074680000-0x0000000074D6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1904-7-0x00000000056C0000-0x0000000005742000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1904-2-0x0000000074680000-0x0000000074D6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1904-1-0x0000000000F20000-0x0000000000FE6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/1904-32-0x0000000074680000-0x0000000074D6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-26-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-29-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-31-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-30-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-22-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-24-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-20-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download