Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 14:33
Static task: static1
Behavioral task: behavioral1
Sample: 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Resource: win10v2004-20240508-en
General
Target: 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Size: 1.1MB
MD5: 3b1a4595328f7a92df02b7a116bc4f40
SHA1: cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256: 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
SHA512: 590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f
SSDEEP: 24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aG3n5Bb3dKcuSD:sTvC/MTQYxsWR7ae5/Kcv
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.jaszredony.hu
Port: 587
Username: [email protected]
Password: jRedony77
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Drops startup file (1 IoC)
Processes:
  name.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Executes dropped EXE (1 IoC)
Processes:
  PID 2924 name.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4: ip-api.com

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\directory\name.exe / autoit_exe
  behavioral1/memory/2924-29-0x0000000000090000-0x00000000001B6000-memory.dmp / autoit_exe
  behavioral1/memory/2924-36-0x0000000000090000-0x00000000001B6000-memory.dmp / autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2924 name.exe set thread context of PID 2556 RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 2556 RegSvcs.exe (2 occurrences)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 2924 name.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 2556 RegSvcs.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  PID 3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe (2 occurrences)
  PID 2924 name.exe (2 occurrences)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  PID 3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe (2 occurrences)
  PID 2924 name.exe (2 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe wrote to memory of PID 2924 name.exe (4 occurrences)
  PID 2924 name.exe wrote to memory of PID 2556 RegSvcs.exe (8 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
   - Loads dropped DLL
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\directory\name.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\jailless
Filesize: 28KB
MD5: 2aaa7b7930cddc427cf97397fae04c51
SHA1: 3f6d95a1329a2ea064c9427b6139323c3f8eece5
SHA256: 72aa831e1cb8286c8fba0408aba377dd57717735e326529f950a96a8d36afaca
SHA512: b2540c50e492cde805b6277bf216a8840ce6061adc2d37641b5a95279edda3a2f4e23da3dfc5b0964f6b99e0f9bb9bd055bc96a2957ddce87f3051d74c1ac449

C:\Users\Admin\AppData\Local\Temp\reindulging
Filesize: 239KB
MD5: 64365f14bf8c2965cfc7a2cc25eb9c22
SHA1: f15f3895247ea0cd2373d36c7494885c3b9cb91e
SHA256: e63c7d4475ad0d2319c0e49e7e6d16489ec9106d163b0005807e3fdbc013168d
SHA512: 4d2250c3f85cdaaa1028ad790f2b3e5e1af568185c58d5b548575e9353f8b929b99bb83b3fe1032b3082efd5276d4c108028b851a63a8e6aade49617ddd74d7f

\Users\Admin\AppData\Local\directory\name.exe
Filesize: 1.1MB
MD5: 3b1a4595328f7a92df02b7a116bc4f40
SHA1: cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256: 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
SHA512: 590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f

memory/2556-34-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize: 264KB

memory/2556-31-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize: 264KB

memory/2556-35-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize: 264KB

memory/2556-37-0x00000000748AE000-0x00000000748AF000-memory.dmp
Filesize: 4KB

memory/2556-38-0x00000000748A0000-0x0000000074F8E000-memory.dmp
Filesize: 6.9MB

memory/2556-40-0x00000000748AE000-0x00000000748AF000-memory.dmp
Filesize: 4KB

memory/2556-41-0x00000000748A0000-0x0000000074F8E000-memory.dmp
Filesize: 6.9MB

memory/2924-29-0x0000000000090000-0x00000000001B6000-memory.dmp
Filesize: 1.1MB

memory/2924-36-0x0000000000090000-0x00000000001B6000-memory.dmp
Filesize: 1.1MB

memory/3056-10-0x0000000000120000-0x0000000000124000-memory.dmp
Filesize: 16KB