Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 19:57
Static task
static1
Behavioral task
behavioral1
Sample
MVALIADOSREQ1900064.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
MVALIADOSREQ1900064.exe
Resource
win10v2004-20240802-en
General
-
Target
MVALIADOSREQ1900064.exe
-
Size
1.1MB
-
MD5
d0cad8abc1084efccf82cbe747104c3f
-
SHA1
fb30f4cb31782c78d24b55071c618070b84c4b4e
-
SHA256
a17cae5463618c9758dd98802353f8172e343dcad936a44c5f1d1fe5ff7813f6
-
SHA512
1633f369d0a94f7000403ff7762087923b34fd3292fc27ed3f153aa590fdb29e92eb2429890c9b959625ee7c8e328d95886802225492b1c6e1849e04cceb9eeb
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCamxvrmQbae7IkAKZt62:7JZoQrbTFZY1iaCamFiQJ7wK
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
phoenixblowers.com - Port:
587 - Username:
[email protected] - Password:
Officeback@2022# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org 16 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2940 set thread context of 4572 2940 MVALIADOSREQ1900064.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MVALIADOSREQ1900064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4572 RegSvcs.exe 4572 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2940 MVALIADOSREQ1900064.exe 2940 MVALIADOSREQ1900064.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4572 RegSvcs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2940 wrote to memory of 4572 2940 MVALIADOSREQ1900064.exe 89 PID 2940 wrote to memory of 4572 2940 MVALIADOSREQ1900064.exe 89 PID 2940 wrote to memory of 4572 2940 MVALIADOSREQ1900064.exe 89 PID 2940 wrote to memory of 4572 2940 MVALIADOSREQ1900064.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\MVALIADOSREQ1900064.exe"C:\Users\Admin\AppData\Local\Temp\MVALIADOSREQ1900064.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\MVALIADOSREQ1900064.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:81⤵PID:1540