Overview

overview

10

Static

static

3

Purchase order.exe

windows7-x64

10

Purchase order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17/10/2024, 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order.exe

  • Size

    1.4MB

  • MD5

    4c363afc82b0757d2723ff1287ab85de

  • SHA1

    eae78234d3125edb5e161641b1c61dfab9456a46

  • SHA256

    0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719

  • SHA512

    c202cb6c3b8bef7cb556c335595c03e7da412e00466491e3bbbec15391bec8250d944ada1eb4b4e5d6215d39c2f28996a025a6de78243570382cf188744d8ac3

  • SSDEEP

    24576:szSWNKs08nmbdXiQsGgJF2B+xaJ/ncPUoN0eaxn7wymHinDVw2iTYYuX0J:gSPGyXi0gbKCikPPN0fxn7NmHinDVw2e

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IxumRsOtTdrVAu.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88EE.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wlBldyvi.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:676
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9DD.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp88EE.tmp
    Filesize

    1KB

    MD5

    c1600ff54ec469399fdac4c69fd2750c

    SHA1

    7d59f36beeaa8bf2ed1f141d5b1fa24b5edb7495

    SHA256

    9e92924f3ec9d8685338ce94281e5dcc573fdb7792e47ff20994cb1411e1fe32

    SHA512

    31258d5e802eab16062df0980d9c6935890b1e4bc178f2a422ce764d1212a129832fe34a7f62b9671633bf1fe6e711b8c67cc12be8bc791e05aaddffaac1cf46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB9DD.tmp
    Filesize

    1KB

    MD5

    f2318ecbef5c4dff0abd8b7a31f5fc99

    SHA1

    6dd09a37a9ba3a3e4250c385a0958b33b60f7c6f

    SHA256

    01d01f1ddcc0091eb1a23c577f6ee6ebcafa8f0a59f5f784d582a1b153b39cfa

    SHA512

    74d84df05f6e5329171e822d5a1fd2e4fdd8fcb0e59d5e69b26f6e1cf94d007c86d2d9458f220f0c216d6df0b8ffc7add8f63d55e7e1f3b14ae71a2de69e9244

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e1a1ece94b7d1db06477f24a305df861

    SHA1

    fd84f43fef76beb40ccd94751c954080444696de

    SHA256

    906cccb58af1b445f0496469d674f771c314bffbe2b27d76d577630c9cc951c1

    SHA512

    949531cd728cc6fdb3be867cd7394f9eb714ead09277497e3881f5a478c4cf4b7962a530a3a99a9c475139f7e14a2488526dc5ef2eb6b9208459189ad5cca511

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wlBldyvi.exe
    Filesize

    1.4MB

    MD5

    4c363afc82b0757d2723ff1287ab85de

    SHA1

    eae78234d3125edb5e161641b1c61dfab9456a46

    SHA256

    0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719

    SHA512

    c202cb6c3b8bef7cb556c335595c03e7da412e00466491e3bbbec15391bec8250d944ada1eb4b4e5d6215d39c2f28996a025a6de78243570382cf188744d8ac3

    Download Submit

  • memory/1048-52-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-61-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-64-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-62-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-54-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-56-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-58-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1048-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2580-21-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-33-0x0000000004EB0000-0x0000000004F50000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2580-28-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2580-23-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-31-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-20-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-35-0x00000000053E0000-0x0000000005462000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2580-25-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-29-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2580-34-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2920-6-0x0000000005650000-0x0000000005764000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2920-32-0x0000000074E80000-0x000000007556E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2920-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-1-0x0000000000900000-0x0000000000A6A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2920-2-0x0000000074E80000-0x000000007556E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2920-3-0x00000000003F0000-0x0000000000402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2920-4-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-5-0x0000000074E80000-0x000000007556E000-memory.dmp

    Filesize

    6.9MB

    Download