Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 01:05
Static task: static1

Behavioral task: behavioral1
  Sample: 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
  Resource: win10v2004-20240704-en
General

Target: 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
Size: 1.1MB
MD5: 9c39e700a95a5444c8d9e013547d615d
SHA1: a728c89f5afe447c63aa5ec80e8e70c98b105553
SHA256: 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d
SHA512: cc0aa255bc9284cd5f4038ce89c14736b7122a056d7b1911bfea4152535ae962b58d9e09f24a1b61057c7f70eed808da7b7f7423a083f8887a7023ffa88449f8
SSDEEP: 24576:TqDEvCTbMWu7rQYlBQcBiT6rprG8a03u+YPUnOl:TTvC/MTQYxsWR7aco1
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: mail.jaszredony.hu
  Port: 587
  Username: [email protected]
  Password: jRedony77
  Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Drops startup file (1 IoC)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
    process: name.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid 2964  name.exe

- Loads dropped DLL (6 IoCs)
  Processes:
    pid 2152  1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
    pid 2648  WerFault.exe (5 entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"
    process: RegSvcs.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4  ioc ip-api.com

- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Processes:
    resource \Users\Admin\AppData\Local\directory\name.exe  yara_rule autoit_exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2964 set thread context of 2132
    process: name.exe (pid 2964)
    target process: RegSvcs.exe (pid 2132)

- Program crash (1 IoC)
  Processes:
    pid 2648  WerFault.exe
    pid_target 2964  name.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2132  RegSvcs.exe (2 entries)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 2964  name.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid 2132  RegSvcs.exe

- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid 2152  1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe (2 entries)
    pid 2964  name.exe (2 entries)

- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid 2152  1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe (2 entries)
    pid 2964  name.exe (2 entries)

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    PID 2152 wrote to memory of 2964  1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe -> name.exe (4 entries)
    PID 2964 wrote to memory of 2132  name.exe -> RegSvcs.exe (8 entries)
    PID 2964 wrote to memory of 2648  name.exe -> WerFault.exe (4 entries)
Processes (tree, indented by depth)

- C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\directory\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 320
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Temp\Mazatl
  Filesize: 28KB
  MD5: 2cd06ce7bc2fd2b696e7569aa3790c92
  SHA1: 01fe1f337f50995cb1953c0920a1daa1f1a8a8ec
  SHA256: 51b8f9fb8cd4751037819dca977f48553b7b2b7cb336239ce17acbac6ef3e20c
  SHA512: 9574481907da09bf4b99744e7c44eb8a2313afebac2251ff73e6164b3c9bee56599a632dcdf1c85c035f3aa6b0381459fc2abab10ef3a2b888a0dbc475e1a949

- C:\Users\Admin\AppData\Local\Temp\eupolyzoan
  Filesize: 239KB
  MD5: 0c2d88d4ae629e8b403d133c5e7297a5
  SHA1: 3fb24bf9423b7582944b8e0568c0a2d977739d6a
  SHA256: 32eafdcac101a0b34f3cd037498c59329d3a00940aacf3194c5473e05ea93324
  SHA512: 0dfd6d1b27ef48e47470886e6dede0c220127d642acf8d0f258c767151a63d2db5c46ddbd2551e93364fdcb6bcc2ba309f17c1165ee3d79ae76ff9a6774f9327

- \Users\Admin\AppData\Local\directory\name.exe
  Filesize: 1.1MB
  MD5: 9c39e700a95a5444c8d9e013547d615d
  SHA1: a728c89f5afe447c63aa5ec80e8e70c98b105553
  SHA256: 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d
  SHA512: cc0aa255bc9284cd5f4038ce89c14736b7122a056d7b1911bfea4152535ae962b58d9e09f24a1b61057c7f70eed808da7b7f7423a083f8887a7023ffa88449f8

- memory/2132-30-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

- memory/2132-34-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

- memory/2132-32-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

- memory/2132-39-0x0000000073D1E000-0x0000000073D1F000-memory.dmp
  Filesize: 4KB

- memory/2132-41-0x0000000073D10000-0x00000000743FE000-memory.dmp
  Filesize: 6.9MB

- memory/2132-43-0x0000000073D1E000-0x0000000073D1F000-memory.dmp
  Filesize: 4KB

- memory/2132-44-0x0000000073D10000-0x00000000743FE000-memory.dmp
  Filesize: 6.9MB

- memory/2152-10-0x00000000000B0000-0x00000000000B4000-memory.dmp
  Filesize: 16KB