Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 16:28

Static task: static1

Behavioral task: behavioral1
Sample: LEVERSTYLESEPBUYORDERC248SH12.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: LEVERSTYLESEPBUYORDERC248SH12.exe
Resource: win10v2004-20240802-en
General
Target: LEVERSTYLESEPBUYORDERC248SH12.exe
Size: 712KB
MD5: ac479057116a68ee8f38b431195ef055
SHA1: c5606141d06d0521b77a4abc36eb7cf1d227b1c5
SHA256: ea3924235164ac07fad6964220f412a07829d4e972eb6278365cc8dd4cf50b6f
SHA512: 93057f2171071362126a9c666eb65e8e67ab820f361848d921a780be515e395835043fcb8377f853399a5c91f3ec72e30b65a31cf8dcc591eb18bb6f5621f344
SSDEEP: 12288:RgRuHvlnozhZv7PcX5Tpbg2N+LJjv+BrT6GSiJAuL+swKeViwt5XHpf:ZdoH7e5TpEi+LJjv+BH5S4aCmiw55
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: manlikeyou88
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2840  powershell.exe
  1804  powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                            procid_target
  PID 1788 set thread context of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LEVERSTYLESEPBUYORDERC248SH12.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LEVERSTYLESEPBUYORDERC248SH12.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2884  schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1788  LEVERSTYLESEPBUYORDERC248SH12.exe
  1788  LEVERSTYLESEPBUYORDERC248SH12.exe
  2272  LEVERSTYLESEPBUYORDERC248SH12.exe
  2272  LEVERSTYLESEPBUYORDERC248SH12.exe
  1804  powershell.exe
  2840  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1788  LEVERSTYLESEPBUYORDERC248SH12.exe
  Token: SeDebugPrivilege  2272  LEVERSTYLESEPBUYORDERC248SH12.exe
  Token: SeDebugPrivilege  1804  powershell.exe
  Token: SeDebugPrivilege  2840  powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                      pid   Process                            procid_target
  PID 1788 wrote to memory of 1804  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  31
  PID 1788 wrote to memory of 1804  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  31
  PID 1788 wrote to memory of 1804  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  31
  PID 1788 wrote to memory of 1804  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  31
  PID 1788 wrote to memory of 2840  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  33
  PID 1788 wrote to memory of 2840  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  33
  PID 1788 wrote to memory of 2840  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  33
  PID 1788 wrote to memory of 2840  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  33
  PID 1788 wrote to memory of 2884  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  34
  PID 1788 wrote to memory of 2884  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  34
  PID 1788 wrote to memory of 2884  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  34
  PID 1788 wrote to memory of 2884  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  34
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
  PID 1788 wrote to memory of 2272  1788  LEVERSTYLESEPBUYORDERC248SH12.exe  37
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\LEVERSTYLESEPBUYORDERC248SH12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LEVERSTYLESEPBUYORDERC248SH12.exe"
  PID: 1788
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LEVERSTYLESEPBUYORDERC248SH12.exe"
    PID: 1804
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\orayjpgjlSJ.exe"
    PID: 2840
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\orayjpgjlSJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB13.tmp"
    PID: 2884
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  Level 2: C:\Users\Admin\AppData\Local\Temp\LEVERSTYLESEPBUYORDERC248SH12.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEVERSTYLESEPBUYORDERC248SH12.exe"
    PID: 2272
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)
Downloads

Filesize: 1KB
MD5: dc6a6390cc76da52c2a4603ad71fe36e
SHA1: 96c832de6defc398972c30ad05f14b975b5c826d
SHA256: 15f694d39e941fc1dd91cb8223c7835e37cff68e9ddc91ead1e851afde9bbdc9
SHA512: 4583564a7438ed0189341abc2a8e2f23e4035222cfc9ddd586c9043901cb5dbda942edc67f0e2cf52230cc7586df634a8538bda11b3e7580a448a2d97f09973e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\070E5H8SVMXUVNIKZXS9.temp
Filesize: 7KB
MD5: 7d31b7db2150b227a5cf5340501dc778
SHA1: 37b26ea8c423c3a798af298c45c93c53388bf62e
SHA256: 135bb88fb57fd1c1f9edf0e136c2090cbefbe383f4bbc2bca3f896b996d90dbe
SHA512: 6d57d1df6a82a0c06b500d61009991900c1039844e6feeb1172603048f98a0edae564b1f68adb78de2b4f4ccc706eb0d80981ad32b56af8c89d240a57358a663