Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-09-2024 01:03

Static task: static1

Behavioral task: behavioral1
- Sample: 0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe
- Resource: win10v2004-20240802-en
General
- Target: 0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe
- Size: 884KB
- MD5: e3de21f408c475de4044a48366e6f9df
- SHA1: 141c5fe1cb84ec263cd3ba5942a5371d43a83be0
- SHA256: 0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac
- SHA512: dcb54797dd32455a2d270420258ba8ae5c1fad8592aa851f981278cc94fa51abbe77be9d598bc750acdd73e14d18924c4952452c09a826f977c9197bf637b10d
- SSDEEP: 24576:5nhbxoW/evadyCjA5h0icc/g+vXEe2s0O8BD48rWHFDW+1RUrg:5dxdey9+Ac/yeL0O8BD48rWHFDW+1Rug
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.azmaplast.com
- Port: 587
- Username: [email protected]
- Password: QAZqaz123@@
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.

- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  2784  powershell.exe
  2636  powershell.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 2816 set thread context of 1516  2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  36

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2708  schtasks.exe

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  (7 occurrences)
  1516  RegSvcs.exe  (2 occurrences)
  2636  powershell.exe
  2784  powershell.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe
  Token: SeDebugPrivilege  1516  RegSvcs.exe
  Token: SeDebugPrivilege  2636  powershell.exe
  Token: SeDebugPrivilege  2784  powershell.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2816 wrote to memory of 2784   2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  30  (4 occurrences)
  PID 2816 wrote to memory of 2636   2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  32  (4 occurrences)
  PID 2816 wrote to memory of 2708   2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  34  (4 occurrences)
  PID 2816 wrote to memory of 1516   2816  0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe  36  (12 occurrences)
Processes (process tree; indented entries are children of the preceding top-level process)

- C:\Users\Admin\AppData\Local\Temp\0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe"
  PID: 2816
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac.exe"
    PID: 2784
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DKwBct.exe"
    PID: 2636
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DKwBct" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2B3.tmp"
    PID: 2708
    Signatures:
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1516
    Signatures:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
(no network indicators recorded in this report)

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads

- (path not recorded)
  Filesize: 1KB
  MD5: bacc7a3aeced34a05a5042d47c922463
  SHA1: 0b7b0246604546ee33bd71c389b5c0e93aaff926
  SHA256: b3a33a5b1a44a7a260302351f4b4bc20256d215b2f61ba78b899f727859192e6
  SHA512: 83e19c655a2d95795e8bbffa46e82c99d0dda061510a907355d68c5c6b34adc0c64a62ddaabe27fb585678dda76fde68e88acb123b7005173ba300b8cada3ea0

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 289d329276f5473af5415b3f860e2d53
  SHA1: 5ac932d8cc8b238de6dd4ab71ace4fdb67101476
  SHA256: 3474df8348ed6f49f910f1bb814c8192f16a896405a061983ef3fd2e9f6ba237
  SHA512: f64ef691331dca662cca469a3f3d78ce4f8978d8ba6684137c2413333f7a84246bcf9a953e01237c5cefea2f866de9423f94d29ccfa0dc5d1db2dd37bbf16fd7