Analysis
-
max time kernel
138s -
max time network
126s -
platform
windows11_x64 -
resource
win11 -
submitted
19-10-2021 20:28
Static task
static1
Behavioral task
behavioral1
Sample
pol.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
General
-
Target
pol.exe
-
Size
627KB
-
MD5
1363b11e2105d3486b2b5e8479c57a12
-
SHA1
b9d24a83153aa0af8b1d00214096ddc75d0464e1
-
SHA256
1a2283bb101bc94c20d48d0ad06f11ce6cb7d0ad76e117a4176b71900dd4c6b3
-
SHA512
ac431b6933b6b46e73e958efed679986df80b8b867536908375b36bef259e4521b6488dea91c30ceb1cfd92b0c26a1f5d044ea4d824eff2eaa3280191575765b
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
sg2plcpnl0023.prod.sin2.secureserver.net - Port:
587 - Username:
[email protected] - Password:
User@40378
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3048-161-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Drops file in Drivers directory 1 IoCs
Processes:
RegSvcs.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
pol.exedescription pid process target process PID 3584 set thread context of 3048 3584 pol.exe RegSvcs.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
sihclient.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pol.exeRegSvcs.exepid process 3584 pol.exe 3584 pol.exe 3048 RegSvcs.exe 3048 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
svchost.exepol.exeRegSvcs.exedescription pid process Token: SeSystemtimePrivilege 4924 svchost.exe Token: SeSystemtimePrivilege 4924 svchost.exe Token: SeIncBasePriorityPrivilege 4924 svchost.exe Token: SeDebugPrivilege 3584 pol.exe Token: SeDebugPrivilege 3048 RegSvcs.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
pol.exedescription pid process target process PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe PID 3584 wrote to memory of 3048 3584 pol.exe RegSvcs.exe -
outlook_office_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pol.exe"C:\Users\Admin\AppData\Local\Temp\pol.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3048
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv I3fkV4owRUy1ZxZX4HESJw.01⤵PID:4956
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.21⤵
- Modifies data under HKEY_USERS
PID:4620
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:3816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3048-160-0x0000000000000000-mapping.dmp
-
memory/3048-180-0x0000000005000000-0x00000000055A6000-memory.dmpFilesize
5.6MB
-
memory/3048-178-0x00000000067A0000-0x00000000067A1000-memory.dmpFilesize
4KB
-
memory/3048-171-0x00000000062F0000-0x00000000062F1000-memory.dmpFilesize
4KB
-
memory/3048-170-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/3048-169-0x0000000005000000-0x00000000055A6000-memory.dmpFilesize
5.6MB
-
memory/3048-161-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3584-159-0x0000000007860000-0x00000000078DD000-memory.dmpFilesize
500KB
-
memory/3584-149-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/3584-156-0x0000000004A70000-0x0000000005016000-memory.dmpFilesize
5.6MB
-
memory/3584-157-0x0000000007390000-0x0000000007395000-memory.dmpFilesize
20KB
-
memory/3584-158-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/3584-155-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/3584-154-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/3584-153-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/3584-152-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/3584-151-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/3816-146-0x0000018C32160000-0x0000018C32170000-memory.dmpFilesize
64KB
-
memory/3816-172-0x0000018C34AA0000-0x0000018C34AA4000-memory.dmpFilesize
16KB
-
memory/3816-173-0x0000018C34A60000-0x0000018C34A61000-memory.dmpFilesize
4KB
-
memory/3816-174-0x0000018C325E0000-0x0000018C325E4000-memory.dmpFilesize
16KB
-
memory/3816-175-0x0000018C325D0000-0x0000018C325D1000-memory.dmpFilesize
4KB
-
memory/3816-176-0x0000018C325D0000-0x0000018C325D4000-memory.dmpFilesize
16KB
-
memory/3816-177-0x0000018C324B0000-0x0000018C324B1000-memory.dmpFilesize
4KB
-
memory/3816-148-0x0000018C325B0000-0x0000018C325B4000-memory.dmpFilesize
16KB
-
memory/3816-147-0x0000018C321E0000-0x0000018C321F0000-memory.dmpFilesize
64KB