Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 01:54
Static task
- static1: 2 signatures
Behavioral task
- behavioral1
  Sample: ss.exe
  Resource: win7-20240611-en (windows7-x64)
  9 signatures, 150 seconds
Behavioral task
- behavioral2
  Sample: ss.exe
  Resource: win10v2004-20240704-en (windows10-2004-x64)
  9 signatures, 150 seconds
General
- Target: ss.exe
- Size: 1.0MB
- MD5: 6c10bc159358093f6e827b170bcddeda
- SHA1: 1e9109ffb469e5c1fa2535c74f50c6afb7f99d66
- SHA256: 664c0c690a791c1a863702884b3b3bd0aead7fabbd3ff6e46cff58f53c1cd3ff
- SHA512: d2f781e2152b341e086573007cd06b18142be352a8470749526ec6c50da615989eef6c1313ff10b01d5f46a7c5691377f81cbd5d91ae0361f3a7a010c3c71b4d
- SSDEEP: 24576:kAHnh+eWsN3skA4RV1Hom2KXMmHaswyH8aNpmq5:zh+ZkldoPK8YasbNz
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  Protocol: smtp
  Host: mail.pgsu.co.id
  Port: 587
  Username: [email protected]
  Password: Vecls16@Vezs
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 4200 set thread context of 3444 | 4200 | ss.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3444 | RegSvcs.exe
    3444 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    4200 | ss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3444 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    4200 | ss.exe
    4200 | ss.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid | process
    4200 | ss.exe
    4200 | ss.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    3444 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 4200 wrote to memory of 3444 | 4200 | ss.exe | RegSvcs.exe
    PID 4200 wrote to memory of 3444 | 4200 | ss.exe | RegSvcs.exe
    PID 4200 wrote to memory of 3444 | 4200 | ss.exe | RegSvcs.exe
    PID 4200 wrote to memory of 3444 | 4200 | ss.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ss.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
  Depth: 1
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ss.exe"
  Depth: 2
  Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- memory/3444-11-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/3444-12-0x000000007527E000-0x000000007527F000-memory.dmp (Filesize: 4KB)
- memory/3444-13-0x0000000005FF0000-0x0000000006594000-memory.dmp (Filesize: 5.6MB)
- memory/3444-14-0x0000000005AB0000-0x0000000005B16000-memory.dmp (Filesize: 408KB)
- memory/3444-15-0x0000000075270000-0x0000000075A20000-memory.dmp (Filesize: 7.7MB)
- memory/3444-16-0x00000000069F0000-0x0000000006A40000-memory.dmp (Filesize: 320KB)
- memory/3444-17-0x0000000006AE0000-0x0000000006B72000-memory.dmp (Filesize: 584KB)
- memory/3444-18-0x0000000006AD0000-0x0000000006ADA000-memory.dmp (Filesize: 40KB)
- memory/3444-19-0x000000007527E000-0x000000007527F000-memory.dmp (Filesize: 4KB)
- memory/3444-20-0x0000000075270000-0x0000000075A20000-memory.dmp (Filesize: 7.7MB)
- memory/4200-10-0x0000000001F30000-0x0000000001F34000-memory.dmp (Filesize: 16KB)