Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 16:41
Static task
static1
Behavioral task
behavioral1
Sample
POA1702108.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
POA1702108.exe
Resource
win10v2004-20240802-en
General
-
Target
POA1702108.exe
-
Size
1.3MB
-
MD5
8a0bb862ed0acef45107d21e4735e8e1
-
SHA1
af9661b6eb2ca83be84d013ffcaaf750a38d6afe
-
SHA256
987b95ebff5f1b9e47105ea5c3d5fafc841b1fba94ae40630d956de2654ebdc6
-
SHA512
79a6eb5f61697a36c09d38f4c5ac2da1d4458dcfd13617d28a2d222f3726d38278914421bfb59c2e140ca012ab32727c1d5fc6f3c77ba5341a1b10528de1e3be
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCkt8T6K1lWIWnb2aY48LVbOolTXYO:7JZoQrbTFZY1iaCkeblWIWb2aY48xT1
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonsubmerged.vbs nonsubmerged.exe -
Executes dropped EXE 1 IoCs
pid Process 2388 nonsubmerged.exe -
Loads dropped DLL 1 IoCs
pid Process 2104 POA1702108.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000600000001946e-4.dat autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2388 set thread context of 2448 2388 nonsubmerged.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nonsubmerged.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POA1702108.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2448 RegSvcs.exe 2448 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2388 nonsubmerged.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2448 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2388 2104 POA1702108.exe 30 PID 2104 wrote to memory of 2388 2104 POA1702108.exe 30 PID 2104 wrote to memory of 2388 2104 POA1702108.exe 30 PID 2104 wrote to memory of 2388 2104 POA1702108.exe 30 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31 PID 2388 wrote to memory of 2448 2388 nonsubmerged.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\POA1702108.exe"C:\Users\Admin\AppData\Local\Temp\POA1702108.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Hymenophyllaceae\nonsubmerged.exe"C:\Users\Admin\AppData\Local\Temp\POA1702108.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\POA1702108.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD58a0bb862ed0acef45107d21e4735e8e1
SHA1af9661b6eb2ca83be84d013ffcaaf750a38d6afe
SHA256987b95ebff5f1b9e47105ea5c3d5fafc841b1fba94ae40630d956de2654ebdc6
SHA51279a6eb5f61697a36c09d38f4c5ac2da1d4458dcfd13617d28a2d222f3726d38278914421bfb59c2e140ca012ab32727c1d5fc6f3c77ba5341a1b10528de1e3be