Analysis
- max time kernel: 102s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 09:57
Static task: static1
Behavioral task: behavioral1
Sample: 0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe
Resource: win10-en-20211014
General
- Target: 0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe
- Size: 1002KB
- MD5: c486642bfd8b58a3a417a77277412111
- SHA1: 71ef2fff00f5b2697189693f051b7671e55d1631
- SHA256: 0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0
- SHA512: 481b65dfd609245637a12ec01ead81ebffe92be3728b1fbda4662f272872c8df1da0b8423d6ae9f1c0f13b998440f921810a19fc1a85460d03cf227ab7cb0988
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.lko-import.de
- Port: 587
- Username: [email protected]
- Password: TVMHSiW5
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  resource: behavioral1/memory/924-121-0x0000000000940000-0x0000000000F6C000-memory.dmp, yara_rule: family_agenttesla
  resource: behavioral1/memory/924-122-0x00000000009775BE-mapping.dmp, yara_rule: family_agenttesla
- Executes dropped EXE (1 IoCs)
  pid: 3848, process: lvkf.pif
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, process: RegSvcs.exe
  description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, process: RegSvcs.exe
  description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, process: RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\eBbIsjQ = "C:\\Users\\Admin\\AppData\\Roaming\\eBbIsjQ\\eBbIsjQ.exe", process: RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3848 set thread context of 924, pid: 3848, process: lvkf.pif, target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid: 924, process: RegSvcs.exe (reported 6 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid: 924, process: RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 924, process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1812 wrote to memory of 3848, pid: 1812, process: 0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe, target process: lvkf.pif (reported 3 times)
  description: PID 3848 wrote to memory of 924, pid: 3848, process: lvkf.pif, target process: RegSvcs.exe (reported 5 times)
- outlook_office_path (1 IoCs)
  description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, process: RegSvcs.exe
- outlook_win_path (1 IoCs)
  description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, process: RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif
    Command line: "C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif" ovlxrej.ckp
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\15152143\deappl.ico
  MD5: 192c9999cc655925c430bf095045155f
  SHA1: 3dfc783742b675a39961682a39b2cc73559a0758
  SHA256: b84c7ef1d2bb5453ed5af71b83e9dae7e2b5746a111fc701c01ce8072324928b
  SHA512: 8b7e4fef15debbdd96ebcb5bf5799008a74ed5749c1223c802ef8acc254f0c47c2b21b366a3110b3bfb3145dcde9b2ebab5179a7bdf12b5b5e7228bcc2b30fe4
- C:\Users\Admin\AppData\Local\Temp\15152143\fsmrjcfko.fkw
  MD5: e05ee06f2dac2ee5d341234f7190a053
  SHA1: 2803ac7187aefbc625724687bd955a8cf684ffce
  SHA256: 3ef26160bf468d7de40a893e08f42e3ca051649082d65b9e300cc0d835619f1a
  SHA512: b960137d4a76850f075a920b56f4e554cfc30ba1a76b1594d9e4926fe342fe37bd076a213e00b828bf709fe872427dbcbe5ee92b4c2858675ab1ae5c4cd791ab
- C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif
  MD5: 8e699954f6b5d64683412cc560938507
  SHA1: 8ca6708b0f158eacce3ac28b23c23ed42c168c29
  SHA256: c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40
  SHA512: 13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02
- C:\Users\Admin\AppData\Local\Temp\15152143\ovlxrej.ckp
  MD5: 21e1d1c2cb3ce41b78cf86bbc6e498d7
  SHA1: 3967b546421a25412ffc67c61b2af39d532e9c63
  SHA256: 2ca036101374829a99c2afc324f72715a7cd781a265c248a575a2f97a5a7caec
  SHA512: f61a1dd318ddbec9dbdf163d21c626b33c990045337e85b337e30363fcfa961694829caca17cf37807f544bedc81f41f8802eb7766c69dff712ec446a0120e31
- memory/924-121-0x0000000000940000-0x0000000000F6C000-memory.dmp
  Filesize: 6.2MB
- memory/924-122-0x00000000009775BE-mapping.dmp
- memory/924-125-0x0000000005A60000-0x0000000005A61000-memory.dmp
  Filesize: 4KB
- memory/924-126-0x0000000005790000-0x0000000005791000-memory.dmp
  Filesize: 4KB
- memory/924-127-0x0000000005560000-0x0000000005A5E000-memory.dmp
  Filesize: 5.0MB
- memory/924-128-0x0000000005750000-0x0000000005751000-memory.dmp
  Filesize: 4KB
- memory/924-129-0x00000000062C0000-0x00000000062C1000-memory.dmp
  Filesize: 4KB
- memory/924-130-0x0000000006990000-0x0000000006991000-memory.dmp
  Filesize: 4KB
- memory/924-131-0x0000000001220000-0x0000000001221000-memory.dmp
  Filesize: 4KB
- memory/3848-115-0x0000000000000000-mapping.dmp