Analysis
- max time kernel: 36s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-09-2024 01:10
Static task: static1

Behavioral task: behavioral1
- Sample: SPW AW25 - PO.010 SMS.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: SPW AW25 - PO.010 SMS.exe
- Resource: win10v2004-20240802-en
General
- Target: SPW AW25 - PO.010 SMS.exe
- Size: 1.4MB
- MD5: 7c89b48a2752a771eb6457fe2fea1d8e
- SHA1: afb602ef798b23f400fd3d474cb570aa781797c4
- SHA256: 3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce
- SHA512: 9338a3817216563677573599d5dd3cacb4be084a2e46c77516d56a207ce7d8d06a376ea4be1a7863ffeb823ae803b891ef947cfb81d4813a52ce152038e97d48
- SSDEEP: 24576:OnpUwegOzvr+8J97vsJRx1osJYWDaK9rB6hjscMmQV5IPiMtWb05UaaYy6nnjqKh:OCri8H7vsjx1V15B6xscMmY6ivQUNEjF
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: webmaster
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, a web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 3064 powershell.exe
- PID 2648 powershell.exe
- PID 3016 powershell.exe
- PID 2120 powershell.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs such as FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: api.ipify.org
- flow 5: api.ipify.org
Suspicious use of SetThreadContext (2 IoCs)
- PID 1568 (SPW AW25 - PO.010 SMS.exe) set thread context of PID 2900 (procid_target 35)
- PID 2900 (SPW AW25 - PO.010 SMS.exe) set thread context of PID 2852 (procid_target 43)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- SPW AW25 - PO.010 SMS.exe (3 entries)
- powershell.exe (4 entries)
- schtasks.exe (2 entries)
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2748 schtasks.exe
- PID 2324 schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 2648 powershell.exe
- PID 3064 powershell.exe
- PID 3016 powershell.exe
- PID 2120 powershell.exe
- PID 2900 SPW AW25 - PO.010 SMS.exe (2 entries)
- PID 2852 SPW AW25 - PO.010 SMS.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeDebugPrivilege
- PID 2648 powershell.exe
- PID 3064 powershell.exe
- PID 3016 powershell.exe
- PID 2120 powershell.exe
- PID 2900 SPW AW25 - PO.010 SMS.exe
- PID 2852 SPW AW25 - PO.010 SMS.exe
Suspicious use of WriteProcessMemory (55 IoCs)
Writer PID (process) -> target PID (procid_target): number of entries
- 1568 (SPW AW25 - PO.010 SMS.exe) -> 3064 (29): 4
- 1568 (SPW AW25 - PO.010 SMS.exe) -> 2648 (31): 4
- 1568 (SPW AW25 - PO.010 SMS.exe) -> 2748 (33): 4
- 1568 (SPW AW25 - PO.010 SMS.exe) -> 2900 (35): 12
- 2900 (SPW AW25 - PO.010 SMS.exe) -> 3016 (36): 4
- 2900 (SPW AW25 - PO.010 SMS.exe) -> 2120 (38): 4
- 2900 (SPW AW25 - PO.010 SMS.exe) -> 2324 (40): 4
- 2900 (SPW AW25 - PO.010 SMS.exe) -> 2528 (42): 7
- 2900 (SPW AW25 - PO.010 SMS.exe) -> 2852 (43): 12
Processes

- C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe (PID 1568, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3064, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2648, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IbwIIBmUDWimTZ.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 2748, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IbwIIBmUDWimTZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5679.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe (PID 2900, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3016, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2120, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wlBldyvi.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\schtasks.exe (PID 2324, level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D23.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    - C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe (PID 2528, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"

    - C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe (PID 2852, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SPW AW25 - PO.010 SMS.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB