Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-12-2024 01:05

Static task: static1
Behavioral task: behavioral1
  Sample: 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  Resource: win7-20240903-en

General
  Target: 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  Size: 553KB
  MD5: 9696450d184ac26fbebff14339311e0e
  SHA1: 7f39f6b5ba8f9874242b4d821bd13c1b8d45544c
  SHA256: 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534
  SHA512: 9d3801148e2c938e0cf90de06aca6493d34b377b143e6941daac77955b4e48cc88be254058a93029aef31771f2be30942750fb93f397d84c7f23c790ae64adce
  SSDEEP: 6144:CpY5xwJSajAqUCkOCqxxx4NJn/omgtqBtLX6WkSM:JcSa4Bqt4NJ/omgcHX6VP

Malware Config
  Extracted: agenttesla
    Protocol: smtp
    Host: 162.254.34.31
    Port: 587
    Username: [email protected]
    Password: 1qpxxBP5AbHZ
    Email To: [email protected]
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Agenttesla family
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  PID 2624 created 3440 | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe | 56
  PID 5084 created 3440 | 5084 | Ref.exe | 56

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Item.vbs | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Item.vbs | Ref.exe

Executes dropped EXE (1 IoC)
  pid | Process
  5084 | Ref.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  19 | api.ipify.org
  20 | api.ipify.org

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2624 set thread context of 904 | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe | 87
  PID 5084 set thread context of 464 | 5084 | Ref.exe | 94

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ref.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  464 | InstallUtil.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  904 | InstallUtil.exe
  904 | InstallUtil.exe
  5084 | Ref.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  Token: SeDebugPrivilege | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
  Token: SeDebugPrivilege | 904 | InstallUtil.exe
  Token: SeDebugPrivilege | 5084 | Ref.exe
  Token: SeDebugPrivilege | 5084 | Ref.exe
  Token: SeDebugPrivilege | 464 | InstallUtil.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2624 wrote to memory of 5084 | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe | 86 (3 identical entries)
  PID 2624 wrote to memory of 904 | 2624 | 3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe | 87 (8 identical entries)
  PID 5084 wrote to memory of 464 | 5084 | Ref.exe | 94 (8 identical entries)
Processes
  C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3440

    C:\Users\Admin\AppData\Local\Temp\3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3f53aed02e3a0f3f353d1f644c769c768e9ea9ce3dbeeb708e8af3ee98b4b534.exe"
      PID: 2624
      Signatures:
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Checks computer location settings
        - Drops startup file
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Ref.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Ref.exe"
        PID: 5084
        Signatures:
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      PID: 904
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      PID: 464
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1.8MB
  MD5: 09d6a4bbf1c2b63b79ee2e15ff6ba692
  SHA1: 3b4f242f1b41d602dfa7a38c772fa9c56f658eb3
  SHA256: 9e887e21b114cfd3cf2f6a5e6f9e384412ef9d5744f0db71778105cd4bf9ddb0
  SHA512: 1f7a0056b6bf3e6e06dafdcf224dcfdf8902a43a73d72c56e0ee5c3fdf7a7cdc07a818a3aa4848cd86a7e3518cf13a8eaf34ded77d0239c02a32d81adc8c1abd

  Filesize: 79B
  MD5: 5cc6340ecfdd2252048d5726e4e4a3d3
  SHA1: b625b1c7737b69e244a53fffc04e5952b1151727
  SHA256: 063d636ae20ea2b438e2c13e130d0f1848361eb30019208e2da7c0aaaeb3c17e
  SHA512: a1c53dfbb21a87762d3d4753dede1dea63df88f520273de74ccfb4a522e97608b13e33e88c7ff78b5ac1a4887fdfac07641a3d66d50ebf8390cfd7149f5a4536

  Filesize: 1.8MB
  MD5: ab3146b84c2c6a25fe5616cfdda6f38e
  SHA1: d23f152b52f8470dbd11fe9d457f18514fff2cae
  SHA256: 007c3b33e51ead18001534f9aaafe2977ac05ee5da7322b5512d4668c349322d
  SHA512: 100a3281cfeb10b0f5fbcfcc6d06b35adc34e7228f6f945e8b8ba0cd1c3cdd9fd8d3b8282ebb3f8cfb395b77bb94ae6e86b3abf4693068a01da0259b8896f6d4