Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 13:58
Static task
static1
Behavioral task
behavioral1
Sample
wvP.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
wvP.exe
Resource
win10v2004-20240802-en
General
-
Target
wvP.exe
-
Size
722KB
-
MD5
b33d730136cae062a912aebbdf3364d4
-
SHA1
2aa45f4bff155e5f2b717c3108ed60eb4e82f7d8
-
SHA256
83bd0492ad4599669d45f30993c0f6758940875008ee00a2b460f85566e1afee
-
SHA512
8a5a0654b6afae7d791b4c4c1236b28925a7e0d25d04e9b82f26c73e95a6abd7173067a7f81167ec6107ed9b3dcbb2004b2feab4c77d2c4f9c9ba17893554924
-
SSDEEP
12288:MWYIPXjxannnHg2tJVf4E/c3xVnBv66wHVKk8zbHPdeXfiD/KzKkjbD5T:MWYIPFannnHg2dQ8cx6LKkkbvdeQK+K
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5419172676:AAGNCqb7KIw9SSEGRFeD_N3VWL9qYPGdqaw/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2192 powershell.exe 2744 powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\cashout = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cashout\\cashout.exe" wvP.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org 6 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2348 set thread context of 2736 2348 wvP.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2820 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2348 wvP.exe 2348 wvP.exe 2348 wvP.exe 2736 wvP.exe 2736 wvP.exe 2192 powershell.exe 2744 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2348 wvP.exe Token: SeDebugPrivilege 2736 wvP.exe Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2736 wvP.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2192 2348 wvP.exe 31 PID 2348 wrote to memory of 2192 2348 wvP.exe 31 PID 2348 wrote to memory of 2192 2348 wvP.exe 31 PID 2348 wrote to memory of 2192 2348 wvP.exe 31 PID 2348 wrote to memory of 2744 2348 wvP.exe 33 PID 2348 wrote to memory of 2744 2348 wvP.exe 33 PID 2348 wrote to memory of 2744 2348 wvP.exe 33 PID 2348 wrote to memory of 2744 2348 wvP.exe 33 PID 2348 wrote to memory of 2820 2348 wvP.exe 34 PID 2348 wrote to memory of 2820 2348 wvP.exe 34 PID 2348 wrote to memory of 2820 2348 wvP.exe 34 PID 2348 wrote to memory of 2820 2348 wvP.exe 34 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37 PID 2348 wrote to memory of 2736 2348 wvP.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\wvP.exe"C:\Users\Admin\AppData\Local\Temp\wvP.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\wvP.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vfkShVG.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vfkShVG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\wvP.exe"C:\Users\Admin\AppData\Local\Temp\wvP.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
722KB
MD5b33d730136cae062a912aebbdf3364d4
SHA12aa45f4bff155e5f2b717c3108ed60eb4e82f7d8
SHA25683bd0492ad4599669d45f30993c0f6758940875008ee00a2b460f85566e1afee
SHA5128a5a0654b6afae7d791b4c4c1236b28925a7e0d25d04e9b82f26c73e95a6abd7173067a7f81167ec6107ed9b3dcbb2004b2feab4c77d2c4f9c9ba17893554924
-
Filesize
1KB
MD516201b9b6a687487d03c5da2cc5db3a5
SHA13a5f4e93a54c6bf21742f219d104f239123d4656
SHA256ada0cf7a8ca11316723b804e585f8ac002c57a69cf9b57bfc729cb3f1a6c1b2e
SHA512372c6e01f07b744f8f5a0547354800d86c15a2152f18241db751c499ff17dc399c75d81c4bf69461cc4a4fc2beebb00ac7862990e149378f4604c78b14fc1e57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD544d328de3fcbd8536dae04df5ed280dd
SHA14138af75377d36f4697d75fea97da5ae8c6612bf
SHA256d57830d8ce4112b5f3b3db62c88fde69518c9d698c4fceceab22ea34855238f8
SHA512180bdbbcb148630443a34ef964b86fd24756516f315c31e74e959854c84d9509e0007e098ffd3eae56791f78c2c14e8664e300271940e8057d9bdbe02238dec9