Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 13:58

General

  • Target

    wvP.exe

  • Size

    722KB

  • MD5

    b33d730136cae062a912aebbdf3364d4

  • SHA1

    2aa45f4bff155e5f2b717c3108ed60eb4e82f7d8

  • SHA256

    83bd0492ad4599669d45f30993c0f6758940875008ee00a2b460f85566e1afee

  • SHA512

    8a5a0654b6afae7d791b4c4c1236b28925a7e0d25d04e9b82f26c73e95a6abd7173067a7f81167ec6107ed9b3dcbb2004b2feab4c77d2c4f9c9ba17893554924

  • SSDEEP

    12288:MWYIPXjxannnHg2tJVf4E/c3xVnBv66wHVKk8zbHPdeXfiD/KzKkjbD5T:MWYIPFannnHg2dQ8cx6LKkkbvdeQK+K

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5419172676:AAGNCqb7KIw9SSEGRFeD_N3VWL9qYPGdqaw/

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the extracted C2 is a Telegram Bot API endpoint, which it uses for exfiltration.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings and add exclusions for file extensions, paths, and processes. In this run the exclusions cover the sample itself and the dropped copy in %APPDATA% (see Processes).

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wvP.exe
    "C:\Users\Admin\AppData\Local\Temp\wvP.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\wvP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vfkShVG.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vfkShVG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Users\Admin\AppData\Local\Temp\wvP.exe
      "C:\Users\Admin\AppData\Local\Temp\wvP.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2736
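The process tree above shows the pattern a detection engineer would want to alert on: the sample (PID 2348, running from %TEMP%) spawns PowerShell twice to add Defender exclusions for itself and for the dropped copy in %APPDATA%, registers a scheduled task from an XML file in %TEMP%, and then relaunches its own image (PID 2736) after SetThreadContext, which is the usual shape of process hollowing into a child. Note also that the dropped cashout.exe in Downloads has exactly the same MD5/SHA1/SHA256 as wvP.exe, i.e. it is a byte-identical self-copy. The following is an added example, not part of the sandbox report: four rules run over process-creation events constructed from the PIDs and command lines in this report, plus two constructed benign controls (a PowerShell Get-Date and an administrator adding an exclusion for a Program Files path from cmd.exe) to show what must not fire. The parent image of PID 2348 and the benign events are assumptions, and the helper that pulls the bot ID out of the Telegram C2 URL is for pivoting on the token, not for contacting the API.

```python
"""Detection rules for the AgentTesla behaviours in this report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Regexes for the three host behaviours and the Telegram C2 URL.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
SCHTASKS_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"]+)"?', re.I)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\|\\ProgramData\\", re.I)
# Bot API tokens are "<numeric bot id>:<35-char secret>".
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{35})", re.I)

# C2 as extracted in the report.
C2_URL = "https://api.telegram.org/bot5419172676:AAGNCqb7KIw9SSEGRFeD_N3VWL9qYPGdqaw/"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # on-disk image path (SysWOW64 for 32-bit hosts, as in the report)
    cmdline: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


WVP = r"C:\Users\Admin\AppData\Local\Temp\wvP.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'

# Constructed events: PIDs, images and command lines from the report; the parent of 2348 and
# the two benign controls (PIDs 3000, 3100) are assumptions made for this example.
EVENTS: List[ProcEvent] = [
    ProcEvent(2348, 1000, WVP, f'"{WVP}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2192, 2348, PS, PS_CMD % WVP, WVP),
    ProcEvent(2744, 2348, PS, PS_CMD % r"C:\Users\Admin\AppData\Roaming\vfkShVG.exe", WVP),
    ProcEvent(2820, 2348, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vfkShVG" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"', WVP),
    ProcEvent(2736, 2348, WVP, f'"{WVP}"', WVP),
    # Benign controls: ordinary PowerShell use, and an admin excluding a Program Files path.
    ProcEvent(3000, 900, PS, r'"powershell.exe" Get-Date', r"C:\Windows\explorer.exe"),
    ProcEvent(3100, 950, PS, PS_CMD % r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\cmd.exe"),
]


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three host rules to a list of process-creation events."""
    findings: List[Finding] = []
    for e in events:
        # Rule 1: Defender exclusion added by, or for, something in a user-writable path.
        m = EXCLUSION_RE.search(e.cmdline)
        if m and (USER_WRITABLE_RE.search(e.parent_image) or USER_WRITABLE_RE.search(m.group(1))):
            findings.append(Finding("defender_exclusion_from_user_path", e.pid, m.group(1)))
        # Rule 2: scheduled task created from an XML definition dropped in a temp/user path.
        if e.image.lower().endswith("schtasks.exe"):
            m = SCHTASKS_XML_RE.search(e.cmdline)
            if m and USER_WRITABLE_RE.search(m.group(1)):
                findings.append(Finding("schtasks_xml_from_temp", e.pid, m.group(1)))
        # Rule 3: a user-path binary relaunching its own image (hollowing candidate).
        if e.image.lower() == e.parent_image.lower() and USER_WRITABLE_RE.search(e.image):
            findings.append(Finding("self_relaunch_user_path", e.pid, e.image))
    return findings


def telegram_bot_id(url: str) -> Optional[str]:
    """Return the numeric bot ID from a Telegram Bot API C2 URL, or None if it is not one."""
    m = TELEGRAM_RE.search(url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {f.detail}")
    print("telegram bot id:", telegram_bot_id(C2_URL))
```

The exclusion rule deliberately keys on the user-writable path of either the requesting parent or the excluded target, so a legitimate administrator excluding a Program Files path from an elevated cmd.exe does not fire while both exclusions in this report do. The bot ID is the stable half of the token and is the value to pivot on across samples; the secret half should be treated as sensitive and not replayed against the API.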

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cashout\cashout.exe

    Filesize

    722KB

    MD5

    b33d730136cae062a912aebbdf3364d4

    SHA1

    2aa45f4bff155e5f2b717c3108ed60eb4e82f7d8

    SHA256

    83bd0492ad4599669d45f30993c0f6758940875008ee00a2b460f85566e1afee

    SHA512

    8a5a0654b6afae7d791b4c4c1236b28925a7e0d25d04e9b82f26c73e95a6abd7173067a7f81167ec6107ed9b3dcbb2004b2feab4c77d2c4f9c9ba17893554924

  • C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp

    Filesize

    1KB

    MD5

    16201b9b6a687487d03c5da2cc5db3a5

    SHA1

    3a5f4e93a54c6bf21742f219d104f239123d4656

    SHA256

    ada0cf7a8ca11316723b804e585f8ac002c57a69cf9b57bfc729cb3f1a6c1b2e

    SHA512

    372c6e01f07b744f8f5a0547354800d86c15a2152f18241db751c499ff17dc399c75d81c4bf69461cc4a4fc2beebb00ac7862990e149378f4604c78b14fc1e57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    44d328de3fcbd8536dae04df5ed280dd

    SHA1

    4138af75377d36f4697d75fea97da5ae8c6612bf

    SHA256

    d57830d8ce4112b5f3b3db62c88fde69518c9d698c4fceceab22ea34855238f8

    SHA512

    180bdbbcb148630443a34ef964b86fd24756516f315c31e74e959854c84d9509e0007e098ffd3eae56791f78c2c14e8664e300271940e8057d9bdbe02238dec9

  • memory/2348-33-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2348-1-0x0000000000FA0000-0x0000000001058000-memory.dmp

    Filesize

    736KB

  • memory/2348-2-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2348-3-0x00000000003C0000-0x00000000003E0000-memory.dmp

    Filesize

    128KB

  • memory/2348-4-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/2348-5-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/2348-6-0x00000000003F0000-0x0000000000404000-memory.dmp

    Filesize

    80KB

  • memory/2348-7-0x00000000059D0000-0x0000000005A56000-memory.dmp

    Filesize

    536KB

  • memory/2348-0-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

  • memory/2736-30-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2736-24-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-22-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-20-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-26-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-29-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2736-32-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB