This variant is very similar to the previous one, except that it does not perform the initial delayed execution. Instead it tries to avoid detection in a different manner, by using a code injection technique known as Process Hollowing. It launches the binary C:\Windows\Microsoft.NET\Framework\v9\RegSvcs.exe and injects its malicious code into that process. This method tries to fool AV software because the executable on disk belongs to Microsoft, while what actually executes in memory is Agent Tesla. The lure file is distributed in relation to a “delay in the shipment due to the Coronavirus disease”. The behavior is similar to the Behavior IOCs of the previous campaign in this report and can be found in Appendix A.
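Because the hollowed RegSvcs.exe looks like a signed Microsoft binary on disk, the useful detection signal is the context of its launch rather than the image itself. The heuristic below is an added example, not code from the report or its Appendix A: it scans Sysmon-style ProcessCreate records for RegSvcs.exe started with no assembly argument (the legitimate tool registers a .NET assembly passed on the command line) or from a parent running out of a user-writable directory or an Office/script host. The sample events, the field names and the parent path are constructed for illustration; the RegSvcs.exe path is the one quoted in the text above.

```python
"""Hunting heuristic for process-hollowing targets in RegSvcs.exe.

Added example, not code from the original report. Records mimic Sysmon
Event ID 1 (ProcessCreate) fields; the sample events are constructed.
"""
import ntpath
import re

# Directories from which a legitimate .NET registration tool is not normally
# launched: per-user profile folders, ProgramData and Windows\Temp.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Parents that should never be registering .NET components.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                 "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (not from the campaign).
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v9\RegSvcs.exe"
EVENTS = [
    {   # legitimate use: an installer registers a component assembly
        "ProcessId": 4100,
        "Image": REGSVCS,
        "CommandLine": f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Component.dll"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # hollowing pattern: no assembly argument, parent dropped in AppData
        "ProcessId": 5212,
        "Image": REGSVCS,
        "CommandLine": f'"{REGSVCS}"',
        "ParentImage": r"C:\Users\bob\AppData\Roaming\shipment_delay.exe",
    },
    {   # unrelated process, must be ignored
        "ProcessId": 6033,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def _basename(path):
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def _has_arguments(command_line):
    """True if anything follows the (quoted or bare) executable token."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        rest = cmd[cmd.find('"', 1) + 1:]
    else:
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def hollowing_indicators(event):
    """Return the reasons a ProcessCreate event looks like a hollowed RegSvcs.exe."""
    reasons = []
    if _basename(event["Image"]) != "regsvcs.exe":
        return reasons
    if not _has_arguments(event["CommandLine"]):
        reasons.append("regsvcs_without_assembly_argument")
    if USER_WRITABLE.search(event["ParentImage"]):
        reasons.append("parent_in_user_writable_dir")
    if _basename(event["ParentImage"]) in RISKY_PARENTS:
        reasons.append("parent_is_office_or_script_host")
    return reasons


def hunt(events):
    """Map ProcessId -> indicators for every event that triggers at least one."""
    hits = {}
    for event in events:
        reasons = hollowing_indicators(event)
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, ", ".join(reasons))
```

The command-line check is the cheapest discriminator: a hollowed host is usually started with nothing but its own path, since the loader only needs a suspended process to overwrite. It is a hunting heuristic, not proof of hollowing; confirming it requires comparing the in-memory image of the process with the file on disk on the endpoint itself.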