Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-01-2025 18:00
General
-
Target
gj7umd.ps1
-
Size
1.2MB
-
MD5
ffb44667070a4a921897a26bbfc17b77
-
SHA1
8cde3094e0794a6f7a50b927a390f559df5888f5
-
SHA256
8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994
-
SHA512
e3f8ccd2f39db18d949f14a7255431e4006b9e2c0903f843cbe6740d65b5438a8c6a4caabc0d7bea563f25e4bf9e7599d67c3a2d57fc5a982715bc7725cb825b
-
SSDEEP
24576:L3Ady3x3chk7TKYi+gHrG4ceFOjenP09dUkJmInb2:oy0k7TbmrKWYUkP2
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\gj7umd.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x.exe"C:\Users\Admin\AppData\Local\Temp\x.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\x.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 3843⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5298d53f4432e90e9f369a83d12c3cf6d
SHA101e72bdc62529e83569b5d970ff69e2217b260b1
SHA256cab4edfa1324f7ef5ff203cf2c2b9fdb5bd0e68156164b95f86016a3ce2f2f8a
SHA512be2dc430d4de6984113439d543676a3f2ff2a7d06c3a551dcd12a619259ee3a777b10d55cc8fd7c625a5b9e864d623e0a88bef7750e15c61154a109297788c8c
-
Filesize
945KB
MD5915a6f3675442c388110fb11db36620a
SHA145a8cb74384a6e91bd154f75b79fc6af99abb935
SHA256c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2
SHA5127e5acbc50998ba6ff79ec9b401c192166b6385e0af44839adf93531226fe009accd1d9f02fa647d300042e2d39d92954795c73ae08ae367881f0b1fcbb77c545
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
280KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
344KB
-
Filesize
336KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
16KB