Analysis
max time kernel: 109s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11-11-2024 14:04
Static task: static1
Behavioral task: behavioral1
Sample: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
Resource: win7-20240903-en
General
Target: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
Size: 1.5MB
MD5: 71d5fa862ccb25961f293701bf906f2a
SHA1: ec1df45020154d9b8c98d2fc62f469b09d4b8af2
SHA256: 8f878566e3390e97ac715ed0ae3707f18514254fc75fe0c92aafa411de5af202
SHA512: 528e17f8acb21d9d4e3b2e13b4a66493b21718a6dc37f22f83a669e1bea81607a368ac736c22ad3148fb8155319d1c65f58c2d0d66dedfbc712bbf781ddcea7b
SSDEEP: 24576:N5EmXFtKaL4/oFe5T9yyXYfP1ijXdaekMzjc0FFBTsYcxQl/nVcAoBhpDmowj:NPVt/LZeJbInQRaekkj8Ql/nVcF/
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Drops startup file (1 IoC)
Processes: pluff.exe
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pluff.vbs | Process: pluff.exe
Executes dropped EXE (1 IoC)
Processes: pluff.exe
  pid: 1680 | Process: pluff.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 14 | ioc: api.ipify.org
  flow: 15 | ioc: api.ipify.org
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource: behavioral2/files/0x000e000000023b19-5.dat | yara_rule: autoit_exe
Suspicious use of SetThreadContext (1 IoC)
Processes: pluff.exe
  description: PID 1680 set thread context of 2548 | pid: 1680 | Process: pluff.exe | procid_target: 89
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, pluff.exe, RegSvcs.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: pluff.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: RegSvcs.exe
  pid: 2548 | Process: RegSvcs.exe
  pid: 2548 | Process: RegSvcs.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: pluff.exe
  pid: 1680 | Process: pluff.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RegSvcs.exe
  description: Token: SeDebugPrivilege | pid: 2548 | Process: RegSvcs.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, pluff.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 1680 | Process: pluff.exe
  pid: 1680 | Process: pluff.exe
Suspicious use of SendNotifyMessage (5 IoCs)
Processes: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, pluff.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
  pid: 1680 | Process: pluff.exe
  pid: 1680 | Process: pluff.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, pluff.exe
  description: PID 5028 wrote to memory of 1680 | pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe | procid_target: 86
  description: PID 5028 wrote to memory of 1680 | pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe | procid_target: 86
  description: PID 5028 wrote to memory of 1680 | pid: 5028 | Process: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe | procid_target: 86
  description: PID 1680 wrote to memory of 2548 | pid: 1680 | Process: pluff.exe | procid_target: 89
  description: PID 1680 wrote to memory of 2548 | pid: 1680 | Process: pluff.exe | procid_target: 89
  description: PID 1680 wrote to memory of 2548 | pid: 1680 | Process: pluff.exe | procid_target: 89
  description: PID 1680 wrote to memory of 2548 | pid: 1680 | Process: pluff.exe | procid_target: 89
Processes
C:\Users\Admin\AppData\Local\Temp\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5028
  C:\Users\Admin\AppData\Local\prespecialist\pluff.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1680
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 261KB
MD5: 7f03f49f34d4bfa99ace0bc253bf0d26
SHA1: 8a858b2346d079d832c08e70063558f1463c4926
SHA256: d4a651a6b0cac20570654b857cbb9e4f3790bfc5e15fda135cb1e70f636cd4dd
SHA512: cd892a7112b496de7e3c595e77838a00ac182370cd3492ecf1c5dbef62afdbe1e3a031266703a73bf28e34b8950049aee412a6616875500c654f9f58e4efcb1d

Filesize: 1.5MB
MD5: 71d5fa862ccb25961f293701bf906f2a
SHA1: ec1df45020154d9b8c98d2fc62f469b09d4b8af2
SHA256: 8f878566e3390e97ac715ed0ae3707f18514254fc75fe0c92aafa411de5af202
SHA512: 528e17f8acb21d9d4e3b2e13b4a66493b21718a6dc37f22f83a669e1bea81607a368ac736c22ad3148fb8155319d1c65f58c2d0d66dedfbc712bbf781ddcea7b