Overview

overview

10

Static

static

3

Samsung PO...20.exe

windows7-x64

10

Samsung PO...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2024 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Samsung PO 20240920.exe

  • Size

    792KB

  • MD5

    5f573a3c4016eec9eef2c2637c984476

  • SHA1

    eb135221b70205be179f67acab53ab641e158c0a

  • SHA256

    458e5bd8e3508c15449bfd4c9931a59cd2a6a95ed9e6bb5b0090aa6641a29c77

  • SHA512

    32181511455b5a0dd630273a414adf78e8ee9574a2a4449f2f011023ab4e6ea653c96950bd88afe13d1a91809fd97cd14aee77ded16b7742232204592dd2c46f

  • SSDEEP

    12288:nmurGHGAMp6Oul4zXuDVRss2DLaSnkCYR6zJN711xWz/g1HF6CUM:mBGAMkrKz+V2D/nxFpM/gzkM

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe
    "C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YexeAWuPXGyhPE.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YexeAWuPXGyhPE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1156
    • C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe
      "C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe"
      2⤵
        PID:2888
      • C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe
        "C:\Users\Admin\AppData\Local\Temp\Samsung PO 20240920.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmp
      Filesize

      1KB

      MD5

      9ecb83008ed0d9529f3a53492d7f9ca9

      SHA1

      795f0109c774cf8727f126a602629140a525bcfe

      SHA256

      9fc025482bf32817d08eee218d9a8b947bb42b11c66afb84481664cb3ae3a199

      SHA512

      b6257c6b4f69cd161532eafbb3b07a55c7f9e3c3f64f4a8d36c2ec5081a3728b9a566d5cf4fe35ad96e504a68604dc6a9fb3ff138665930bbb7537edc83f7f50

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d732fa34913f66005dc40fa49b97d19a

      SHA1

      9f4595a4db68d4b77d4e4c580815a6b394dc7c13

      SHA256

      68284c47bc889ca30ef96a44769ba03229367ccefc7bd480991b17020d150a02

      SHA512

      9efc81ffbac84de30d5d99b2069ae7b6447f6b398cadf58950df658fe23d43999863068dac798c1c9d86c06142bfc238c78cdcf0fae38dd3d63500ef7a56dc4a

      Download Submit

    • memory/1600-4-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-31-0x0000000074EA0000-0x000000007558E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1600-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-5-0x0000000074EA0000-0x000000007558E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1600-6-0x0000000004D20000-0x0000000004DA2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1600-2-0x0000000074EA0000-0x000000007558E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1600-1-0x0000000000230000-0x00000000002FC000-memory.dmp

      Filesize

      816KB

      Download

    • memory/1600-3-0x0000000000220000-0x0000000000232000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2856-23-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-32-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-29-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-21-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-28-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2856-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2856-25-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download