Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 15:54
Static task
static1
Behavioral task
behavioral1
Sample
PO-3500036071.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
PO-3500036071.exe
Resource
win10v2004-20240802-en
General
-
Target
PO-3500036071.exe
-
Size
614KB
-
MD5
9a6fb05aecb4f4ce83d11d948cfbbf55
-
SHA1
a1cb615284130925b1259d5a6881923b0eb2e58c
-
SHA256
f40124a3e533151b64738625eb9cfa05433e6f2c9487729bcb1d71267948564f
-
SHA512
677701d1d1f6bed146bfe146ab48097ffad8a6433c35833c7bab97b053cf283f6da1c48edf58083917dde052c9cbea1dbfcc7788e5c80661b07da93d1387c528
-
SSDEEP
12288:+eoXEF2apKhcvZ94ixSjty6NpN4T/zw2M+YIB/RbtyzDB1qgJ:HoAPEi/Ujs6g/zJB32B1
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
manlikeyou88 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2232 powershell.exe 2928 powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1820 set thread context of 2708 1820 PO-3500036071.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PO-3500036071.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PO-3500036071.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2936 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2708 PO-3500036071.exe 2708 PO-3500036071.exe 2928 powershell.exe 2232 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2708 PO-3500036071.exe Token: SeDebugPrivilege 2928 powershell.exe Token: SeDebugPrivilege 2232 powershell.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2232 1820 PO-3500036071.exe 28 PID 1820 wrote to memory of 2232 1820 PO-3500036071.exe 28 PID 1820 wrote to memory of 2232 1820 PO-3500036071.exe 28 PID 1820 wrote to memory of 2232 1820 PO-3500036071.exe 28 PID 1820 wrote to memory of 2928 1820 PO-3500036071.exe 30 PID 1820 wrote to memory of 2928 1820 PO-3500036071.exe 30 PID 1820 wrote to memory of 2928 1820 PO-3500036071.exe 30 PID 1820 wrote to memory of 2928 1820 PO-3500036071.exe 30 PID 1820 wrote to memory of 2936 1820 PO-3500036071.exe 31 PID 1820 wrote to memory of 2936 1820 PO-3500036071.exe 31 PID 1820 wrote to memory of 2936 1820 PO-3500036071.exe 31 PID 1820 wrote to memory of 2936 1820 PO-3500036071.exe 31 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34 PID 1820 wrote to memory of 2708 1820 PO-3500036071.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO-3500036071.exe"C:\Users\Admin\AppData\Local\Temp\PO-3500036071.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-3500036071.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OWwqxnskD.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OWwqxnskD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp165E.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2936
-
-
C:\Users\Admin\AppData\Local\Temp\PO-3500036071.exe"C:\Users\Admin\AppData\Local\Temp\PO-3500036071.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baed590cfe3f02db12d6885a7e043f60
SHA1acc6ed25095dd0afe41148c45bd44918a9089430
SHA256eb571e574894d49f9f0fb732e15c90e36eee696e2c19afe828a88abbf0f0845e
SHA512a122d3697cd85aae10387f529af7a098a9aa288221399c0ec010112fecf679a3b9a9dd53152119172477f9ac0228151bbd59e8cb6741528c28fb1ad1329f02e7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P0CE5WDN0P46T15YBIN1.temp
Filesize7KB
MD5f1160943974cfa6d79232a5fe49eeecb
SHA16d1dfd3bc22d94e4feea9ce624351a87d16e6b35
SHA2566790153a5660aebc54c095e162026b431c2e7e7398569a80612b8e8dbe80eec4
SHA51242fc99e8ced1fc4904eaf6c17275a2f05ef4849580bbbe60ff0ac6e3bbdda29953805e483924190f55cdacc29eb9857e98812686a83755b9db36b53411588749