Analysis
- max time kernel: 136s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 19:11
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Resource: win10-en-20211014
General
- Target: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Size: 487KB
- MD5: 604c93c0c41e8eb994e7315b3885ec38
- SHA1: 9af5baeab9f2461335ad3e2439bc3e5cb850932e
- SHA256: af29096b6cbbd74cca47337f62cc2a5553eb3cf225de3dcc993a14e452c3e9bd
- SHA512: 59307cc35eb0606d33bd0cde817e82c1e941d9d2e903888634a77357570b67b6b4b138dc19b502b9dcf8209b46bfae757a0a6200bd56280990c76f17936948b9
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.huiijingco.com
- Port: 587
- Username: [email protected]
- Password: zVYrdtq4
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/1496-132-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
    behavioral2/memory/1496-133-0x0000000000436C3E-mapping.dmp: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 3384 set thread context of 1496: 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe -> SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
    3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (4 events)
    1928 powershell.exe (3 events)
    1496 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Token: SeDebugPrivilege, 1928 powershell.exe
    Token: SeDebugPrivilege, 1496 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
    PID 3384 wrote to memory of 1928: 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe -> powershell.exe (3 events)
    PID 3384 wrote to memory of 3148: 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe -> SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (3 events)
    PID 3384 wrote to memory of 296: 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe -> SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (3 events)
    PID 3384 wrote to memory of 1496: 3384 SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe -> SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (8 events)
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
  Signatures:
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    Signatures: none
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    Signatures: none
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe.log
  MD5: 12557ab909651a6f99d3503d614d3562
  SHA1: b86745768059a514bea3a438e1e96086af463246
  SHA256: 9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd
  SHA512: 10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521