Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
18-09-2024 03:21
General
-
Target
Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe
-
Size
1.3MB
-
MD5
a8371130da53aa606d8c72201192ee47
-
SHA1
3190b84eae50e45b78de3fa23b0de2541d73ea0b
-
SHA256
da049cf547f66a701590bd333a9d61d0f7c448e3b798018f3d50497cc94445c7
-
SHA512
0d849384b92eb807cfdcb1834d72b1506a5b73bd2c3fae09e291a71b0b0572737e1a2ceae0704b7ed89b3fdec386a516c5a1e907682e24caf0dc0c356ab44acb
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCzpQOAjXcup8W6xRnhI7Eoc7ehSc/cP:7JZoQrbTFZY1iaCzeOGsW89P/oNSz
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref[A2bpo3ZZeVwj] Priority payment.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD5d0b27150625d7551910e1b51d7587da7
SHA11a9213aae33b6d1dd0960fe1daed081c903e8774
SHA2569d14583b1f839e2b8b3fb391459abfd301b434b0636cc5ca981c779959cffbef
SHA51245df7b66b229ba1d54fd661e6d829bf40bd041b3ec370f2d8eaff98d5a04fab412adb992a0d52d1864b69a520b0c972341697effb475efa776201240bca2fcfd
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
4KB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
328KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
280KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB