Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-09-2024 05:41
Behavioral task
behavioral1
Sample
Updated Pricelist.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Updated Pricelist.exe
Resource
win10v2004-20240802-en
General
-
Target
Updated Pricelist.exe
-
Size
583KB
-
MD5
bd50b8389578702100c55e976e636d2c
-
SHA1
04a8de3509219f30312a372dd365a84a2f853efe
-
SHA256
317d4b1683e217b6af80de147bbeb8581255f320dd11ca5c13b0796f837d42aa
-
SHA512
2ba298f9f2ddfac90aefd6587749f65002495bb3a8e7f7e5947ca7b7f654133329ca0ac9b69aae7c631155f6f865e4503350df6612c965fd22b3017d4d6e9543
-
SSDEEP
12288:LXe9PPlowWX0t6mOQwg1Qd15CcYk0We1FfCvz+1YhOyIIHMsulkf:ShloDX0XOf4oZhfIIHMgf
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mahesh-ent.com - Port:
587 - Username:
[email protected] - Password:
M@hesh3981 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
resource yara_rule behavioral2/memory/920-0-0x0000000000B50000-0x0000000000CA4000-memory.dmp upx behavioral2/memory/920-10-0x0000000000B50000-0x0000000000CA4000-memory.dmp upx -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org 14 api.ipify.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/920-10-0x0000000000B50000-0x0000000000CA4000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 920 set thread context of 2948 920 Updated Pricelist.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updated Pricelist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2948 RegSvcs.exe 2948 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 920 Updated Pricelist.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2948 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 920 Updated Pricelist.exe 920 Updated Pricelist.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 920 Updated Pricelist.exe 920 Updated Pricelist.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2948 RegSvcs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 920 wrote to memory of 2948 920 Updated Pricelist.exe 93 PID 920 wrote to memory of 2948 920 Updated Pricelist.exe 93 PID 920 wrote to memory of 2948 920 Updated Pricelist.exe 93 PID 920 wrote to memory of 2948 920 Updated Pricelist.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3964,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:81⤵PID:3752