Overview

overview

10

Static

static

3

Payment co...�..exe

windows7-x64

10

Payment co...�..exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment copy‮f؜d؜p؜..exe

  • Size

    3.5MB

  • MD5

    d7a59e46c40861756826a869bc866676

  • SHA1

    c2a06b32807da54b28caaa2f3a12462ec85c5432

  • SHA256

    389885e224f05b3197bce92c8ce3f05a7e99561e3d1304d803e8404e46e71e4e

  • SHA512

    e02489e449d36508250c6665c6ef884d290323171b56c5bcf6a5fa0eb8e3748c6471f0ba1f64952da04e7552b4549418d1fc94a3059f120c4f0b3905ffdc14f8

  • SSDEEP

    12288:HmMEAmDDn5d0kLIH/5m9yOfx7BAEyrgJRBxMNeQQ04HHdGB1deWDEFq6jOx:HmM+G/0Aux7qEigTMNG00HkXZD6Ox

Score
10/10
agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment copy‮f؜d؜p؜..exe
    "C:\Users\Admin\AppData\Local\Temp\Payment copy‮f؜d؜p؜..exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment copyf؜d؜p؜..exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:732
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guiwlpqe.hut.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/696-20-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/696-1-0x00007FFD80083000-0x00007FFD80085000-memory.dmp

    Filesize

    8KB

    Download

  • memory/696-2-0x0000025CD1940000-0x0000025CD19D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/696-3-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/696-0-0x0000025CCFC20000-0x0000025CCFC38000-memory.dmp

    Filesize

    96KB

    Download

  • memory/732-5-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/732-6-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/732-23-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/732-12-0x000002C757340000-0x000002C757362000-memory.dmp

    Filesize

    136KB

    Download

  • memory/732-18-0x00007FFD80080000-0x00007FFD80B41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-4-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1864-19-0x0000000005810000-0x0000000005876000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1864-17-0x0000000005B90000-0x0000000006134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1864-24-0x00000000069C0000-0x0000000006A52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1864-25-0x0000000006A60000-0x0000000006AB0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1864-26-0x00000000069B0000-0x00000000069BA000-memory.dmp

    Filesize

    40KB

    Download