Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 06:36
Static task: static1
- 2 signatures
Behavioral task: behavioral1
- Sample: ss.exe
- Resource: win7-20240508-en (windows7-x64)
- 9 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: ss.exe
- Resource: win10v2004-20240508-en (windows10-2004-x64)
- 10 signatures
- 150 seconds
General
- Target: ss.exe
- Size: 1.1MB
- MD5: 11e6631c7459a5364e6a0d83f26e2005
- SHA1: 64f3f0043d9c36c261c9ad2c89fab70cb8347760
- SHA256: 44e2650ff2fc7ba8efcbc0a975b2d5ca2ecee228c6ee27df07b215ee79f5b320
- SHA512: e993cc2421061e2ec0d2c0cde3befc07375797075d77188719620ecf53aab344c76b8270e9f23b93dec115c2560162573e284b7c4ee48d210cc2147c31b086f9
- SSDEEP: 24576:jAHnh+eWsN3skA4RV1Hom2KXMmHa9palnMfWsG2+yr5:uh+ZkldoPK8Ya9eTsG2+q
Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: mail.pgsu.co.id
  - Port: 587
  - Username: [email protected]
  - Password: Vecls16@Vezs
  - Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 3012 set thread context of 2052 / 3012 / ss.exe / RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 2052 / RegSvcs.exe
  - 2052 / RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  - 3012 / ss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2052 / RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 3012 / ss.exe
  - 3012 / ss.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
  - 3012 / ss.exe
  - 3012 / ss.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 2052 / RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
  - PID 3012 wrote to memory of 2052 / 3012 / ss.exe / RegSvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ss.exe (tree depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree depth 2, spawned under ss.exe)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads (memory dumps, with file size)
- memory/2052-11-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/2052-13-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/2052-15-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/2052-16-0x0000000073FBE000-0x0000000073FBF000-memory.dmp (4KB)
- memory/2052-17-0x0000000073FB0000-0x000000007469E000-memory.dmp (6.9MB)
- memory/2052-18-0x0000000073FBE000-0x0000000073FBF000-memory.dmp (4KB)
- memory/2052-19-0x0000000073FB0000-0x000000007469E000-memory.dmp (6.9MB)
- memory/3012-10-0x00000000000B0000-0x00000000000B4000-memory.dmp (16KB)