Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 20:02
Static task
static1
Behavioral task
behavioral1
Sample
hkaP5RPCGNDVq3Z.exe
Resource
win7v20201028
General
-
Target
hkaP5RPCGNDVq3Z.exe
-
Size
1.6MB
-
MD5
07556e1af1f43f7dd42d32d188187e4a
-
SHA1
42110c04869726694a2537e05f987039cd829ac0
-
SHA256
a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
-
SHA512
433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d
Malware Config
Extracted
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
sales01@seedwellresources.xyz - Password:
MARYolanmauluogwo@ever
Extracted
matiex
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
sales01@seedwellresources.xyz - Password:
MARYolanmauluogwo@ever
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
sales01@seedwellresources.xyz - Password:
MARYolanmauluogwo@ever
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Matiex Main Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp family_matiex behavioral2/memory/3276-14-0x000000000040104C-mapping.dmp family_matiex C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe family_matiex C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe family_matiex -
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp family_agenttesla behavioral2/memory/3276-14-0x000000000040104C-mapping.dmp family_agenttesla C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe family_agenttesla C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe family_agenttesla C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe family_agenttesla C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe family_agenttesla -
NirSoft MailPassView 7 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp MailPassView behavioral2/memory/3276-14-0x000000000040104C-mapping.dmp MailPassView C:\Users\Admin\AppData\Local\Temp\Pictures.exe MailPassView C:\Users\Admin\AppData\Local\Temp\Pictures.exe MailPassView behavioral2/memory/2228-45-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2228-46-0x0000000000411654-mapping.dmp MailPassView behavioral2/memory/2228-47-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 7 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp WebBrowserPassView behavioral2/memory/3276-14-0x000000000040104C-mapping.dmp WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\Pictures.exe WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\Pictures.exe WebBrowserPassView behavioral2/memory/2564-50-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2564-51-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral2/memory/2564-52-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 10 IoCs
Processes:
resource yara_rule behavioral2/memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp Nirsoft behavioral2/memory/3276-14-0x000000000040104C-mapping.dmp Nirsoft C:\Users\Admin\AppData\Local\Temp\Pictures.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\Pictures.exe Nirsoft behavioral2/memory/2228-45-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2228-46-0x0000000000411654-mapping.dmp Nirsoft behavioral2/memory/2228-47-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2564-50-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2564-51-0x0000000000442628-mapping.dmp Nirsoft behavioral2/memory/2564-52-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 4 IoCs
Processes:
LOGO AND PICTURES.exePictures.exePO456724392021.exePO2345714382021.exepid process 4300 LOGO AND PICTURES.exe 1868 Pictures.exe 4376 PO456724392021.exe 4340 PO2345714382021.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 freegeoip.app 23 freegeoip.app 25 whatismyipaddress.com 19 checkip.dyndns.org -
Suspicious use of SetThreadContext 3 IoCs
Processes:
hkaP5RPCGNDVq3Z.exePictures.exedescription pid process target process PID 4644 set thread context of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 1868 set thread context of 2228 1868 Pictures.exe vbc.exe PID 1868 set thread context of 2564 1868 Pictures.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
hkaP5RPCGNDVq3Z.exePO456724392021.exePO2345714382021.exeLOGO AND PICTURES.exevbc.exePictures.exepid process 4644 hkaP5RPCGNDVq3Z.exe 4376 PO456724392021.exe 4376 PO456724392021.exe 4340 PO2345714382021.exe 4340 PO2345714382021.exe 4300 LOGO AND PICTURES.exe 2564 vbc.exe 2564 vbc.exe 1868 Pictures.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
hkaP5RPCGNDVq3Z.exePO456724392021.exePO2345714382021.exeLOGO AND PICTURES.exePictures.exedescription pid process Token: SeDebugPrivilege 4644 hkaP5RPCGNDVq3Z.exe Token: SeDebugPrivilege 4376 PO456724392021.exe Token: SeDebugPrivilege 4340 PO2345714382021.exe Token: SeDebugPrivilege 4300 LOGO AND PICTURES.exe Token: SeDebugPrivilege 1868 Pictures.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
hkaP5RPCGNDVq3Z.exePictures.exeLOGO AND PICTURES.exepid process 3276 hkaP5RPCGNDVq3Z.exe 1868 Pictures.exe 4300 LOGO AND PICTURES.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
hkaP5RPCGNDVq3Z.exehkaP5RPCGNDVq3Z.exeLOGO AND PICTURES.exePictures.exedescription pid process target process PID 4644 wrote to memory of 4080 4644 hkaP5RPCGNDVq3Z.exe schtasks.exe PID 4644 wrote to memory of 4080 4644 hkaP5RPCGNDVq3Z.exe schtasks.exe PID 4644 wrote to memory of 4080 4644 hkaP5RPCGNDVq3Z.exe schtasks.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 4644 wrote to memory of 3276 4644 hkaP5RPCGNDVq3Z.exe hkaP5RPCGNDVq3Z.exe PID 3276 wrote to memory of 4300 3276 hkaP5RPCGNDVq3Z.exe LOGO AND PICTURES.exe PID 3276 wrote to memory of 4300 3276 hkaP5RPCGNDVq3Z.exe LOGO AND PICTURES.exe PID 3276 wrote to memory of 4300 3276 hkaP5RPCGNDVq3Z.exe LOGO AND PICTURES.exe PID 3276 wrote to memory of 1868 3276 hkaP5RPCGNDVq3Z.exe Pictures.exe PID 3276 wrote to memory of 1868 3276 hkaP5RPCGNDVq3Z.exe Pictures.exe PID 3276 wrote to memory of 1868 3276 hkaP5RPCGNDVq3Z.exe Pictures.exe PID 3276 wrote to memory of 4376 3276 hkaP5RPCGNDVq3Z.exe PO456724392021.exe PID 3276 wrote to memory of 4376 3276 hkaP5RPCGNDVq3Z.exe PO456724392021.exe PID 3276 wrote to memory of 4376 3276 hkaP5RPCGNDVq3Z.exe PO456724392021.exe PID 3276 wrote to memory of 4340 3276 hkaP5RPCGNDVq3Z.exe PO2345714382021.exe PID 3276 wrote to memory of 4340 3276 hkaP5RPCGNDVq3Z.exe PO2345714382021.exe PID 3276 wrote to memory of 4340 3276 hkaP5RPCGNDVq3Z.exe PO2345714382021.exe PID 4300 wrote to memory of 1720 4300 LOGO AND PICTURES.exe netsh.exe PID 4300 wrote to memory of 1720 4300 LOGO AND PICTURES.exe netsh.exe PID 4300 wrote to memory of 1720 4300 LOGO AND PICTURES.exe netsh.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2228 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe PID 1868 wrote to memory of 2564 1868 Pictures.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe"C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcKKBKdU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD61D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe"{path}"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe"C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe" 03⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile4⤵
-
C:\Users\Admin\AppData\Local\Temp\Pictures.exe"C:\Users\Admin\AppData\Local\Temp\Pictures.exe" 03⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe"C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe" 03⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe"C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe" 03⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exeMD5
d9001138c5119d936b70bf77e136afbe
SHA1cfa2dbff8527715eaad00e91bd8955a8fffc1224
SHA2569ae5ef3fd4feea105c1ed3f1e69fd4fa328e8f29f1937097280f7eee7f8d749e
SHA5120187ec1ede0022daa4021a72d871ca0b7694b312bdba1c31bf3c0667ce0255c51e9880170a4b5226e63c2bf48f53b8071f12b08c106b6b82eb1d5389c3f9d576
-
C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exeMD5
d9001138c5119d936b70bf77e136afbe
SHA1cfa2dbff8527715eaad00e91bd8955a8fffc1224
SHA2569ae5ef3fd4feea105c1ed3f1e69fd4fa328e8f29f1937097280f7eee7f8d749e
SHA5120187ec1ede0022daa4021a72d871ca0b7694b312bdba1c31bf3c0667ce0255c51e9880170a4b5226e63c2bf48f53b8071f12b08c106b6b82eb1d5389c3f9d576
-
C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exeMD5
9b79de8e3ad21f14e71e55cfa6ae4727
SHA13c2066345874febafe281bbde952d4f32d2ed53a
SHA25656bd25acdb97ce17f8351b926c48a4f63e348c40f6c5913219b0745d99f6b31d
SHA512f922be9228baa1dab85a5cfacfafbb6e8c919009bb843b6cdba0c2e24f6abfcbe26417046be248ccb41f820111633fdee7c6ea5865a2fbcc3bcf22c52a7208e6
-
C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exeMD5
9b79de8e3ad21f14e71e55cfa6ae4727
SHA13c2066345874febafe281bbde952d4f32d2ed53a
SHA25656bd25acdb97ce17f8351b926c48a4f63e348c40f6c5913219b0745d99f6b31d
SHA512f922be9228baa1dab85a5cfacfafbb6e8c919009bb843b6cdba0c2e24f6abfcbe26417046be248ccb41f820111633fdee7c6ea5865a2fbcc3bcf22c52a7208e6
-
C:\Users\Admin\AppData\Local\Temp\PO456724392021.exeMD5
f38e2d474c075eff35b4ef81fdaca650
SHA113f869037c80be3cd4736c5f67431161c79e5970
SHA256f9ee81b7def0b0008cef43847fb9ba520c0b57a49e7a71b47ff8d6ee1fec4298
SHA512b57a699e88f2ed2d83901be6362663bfa98944a95e74f0e8d36622868a7ad04f9d557b617bd71a9a69fd7b7b1e7143edeaaff0a5e54d81311f78f8497fdea649
-
C:\Users\Admin\AppData\Local\Temp\PO456724392021.exeMD5
f38e2d474c075eff35b4ef81fdaca650
SHA113f869037c80be3cd4736c5f67431161c79e5970
SHA256f9ee81b7def0b0008cef43847fb9ba520c0b57a49e7a71b47ff8d6ee1fec4298
SHA512b57a699e88f2ed2d83901be6362663bfa98944a95e74f0e8d36622868a7ad04f9d557b617bd71a9a69fd7b7b1e7143edeaaff0a5e54d81311f78f8497fdea649
-
C:\Users\Admin\AppData\Local\Temp\Pictures.exeMD5
25146e9c5ecd498dd17ba01e6cfaeb24
SHA14171900e4d1291c7a7cdb33adc655ecb12334a4f
SHA2565207f3d079a52017e7977296c9eba782d3d5eae5adec94fa38acdd88c184496d
SHA51218374c6619b5f3d310db43e5f81db1333bdc9dc4086910fe2724a406d445ccbf5b16463b9341fbe718b2aae9e929a2302655f3964eb64b47f2d80418b46e478f
-
C:\Users\Admin\AppData\Local\Temp\Pictures.exeMD5
25146e9c5ecd498dd17ba01e6cfaeb24
SHA14171900e4d1291c7a7cdb33adc655ecb12334a4f
SHA2565207f3d079a52017e7977296c9eba782d3d5eae5adec94fa38acdd88c184496d
SHA51218374c6619b5f3d310db43e5f81db1333bdc9dc4086910fe2724a406d445ccbf5b16463b9341fbe718b2aae9e929a2302655f3964eb64b47f2d80418b46e478f
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtMD5
f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\tmpD61D.tmpMD5
a9ef8df8a002b67d0de581b20a75d654
SHA136c1a3a35444dcc2a27181da703dc2918d2d398e
SHA2567178b70b7d0a94a6c60ec08cc47b7fb83393c7104a43be698a27e0bd6092a8f1
SHA5129ea4ce8caa8972015c219b5eb2d3f4625e34d1fd6e0e6c375b65d2f0b77535bca2ff585049902d8196f9d268e94ec160d140c6dbe40a59c5b5666ff14d4c95d7
-
memory/1720-43-0x0000000000000000-mapping.dmp
-
memory/1868-21-0x0000000000000000-mapping.dmp
-
memory/2228-47-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2228-45-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2228-46-0x0000000000411654-mapping.dmp
-
memory/2564-50-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2564-51-0x0000000000442628-mapping.dmp
-
memory/2564-52-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmpFilesize
1.4MB
-
memory/3276-14-0x000000000040104C-mapping.dmp
-
memory/4080-11-0x0000000000000000-mapping.dmp
-
memory/4300-38-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/4300-30-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/4300-22-0x00000000732B0000-0x000000007399E000-memory.dmpFilesize
6.9MB
-
memory/4300-44-0x0000000007290000-0x0000000007291000-memory.dmpFilesize
4KB
-
memory/4300-18-0x0000000000000000-mapping.dmp
-
memory/4340-28-0x0000000000000000-mapping.dmp
-
memory/4376-23-0x0000000000000000-mapping.dmp
-
memory/4376-35-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/4376-29-0x00000000732B0000-0x000000007399E000-memory.dmpFilesize
6.9MB
-
memory/4376-48-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/4644-5-0x00000000056E0000-0x00000000056E1000-memory.dmpFilesize
4KB
-
memory/4644-6-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/4644-7-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/4644-8-0x00000000053D0000-0x00000000053DE000-memory.dmpFilesize
56KB
-
memory/4644-9-0x0000000007B10000-0x0000000007CD5000-memory.dmpFilesize
1.8MB
-
memory/4644-10-0x0000000007CE0000-0x0000000007CE1000-memory.dmpFilesize
4KB
-
memory/4644-2-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/4644-3-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB