Analysis
max time kernel: 111s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211208
submitted: 16-12-2021 08:46

Static task: static1
Behavioral task: behavioral1
  Sample: 033304a9a935c4d0d64769245abfe3ae.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 033304a9a935c4d0d64769245abfe3ae.exe
  Resource: win10-en-20211208
General
Target: 033304a9a935c4d0d64769245abfe3ae.exe
Size: 350KB
MD5: 033304a9a935c4d0d64769245abfe3ae
SHA1: ebe539aeb57b78a3ad8085fe61dcc5ce3bfb6fd9
SHA256: 6500927c19e228cc116484a103ba594fdeadccf06159332ead8cc9b3d9da83db
SHA512: f9da9c01941b5694c46d9b8f1fb4d4710a025409b672eb62ca913979f0aa26fc1ac8eb922388c4c29c8f7405ad268a871221cd38b0494c18936612756af021c0
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"

Neshta
Neshta is a file infector: malware from this family injects itself into other executable files to spread and cause damage.
AgentTesla Payload (4 IoCs)
Processes:
  behavioral2/memory/648-119-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  behavioral2/memory/648-120-0x000000000040188B-mapping.dmp: family_agenttesla
  behavioral2/memory/648-122-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  behavioral2/memory/648-123-0x0000000002170000-0x00000000021A7000-memory.dmp: family_agenttesla

Executes dropped EXE (2 IoCs)
Processes:
  PID 1356: 033304a9a935c4d0d64769245abfe3ae.exe
  PID 648: 033304a9a935c4d0d64769245abfe3ae.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 1356: 033304a9a935c4d0d64769245abfe3ae.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  033304a9a935c4d0d64769245abfe3ae.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  033304a9a935c4d0d64769245abfe3ae.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\myApp = "C:\\Users\\Admin\\AppData\\Roaming\\myApp\\myApp.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1356 (033304a9a935c4d0d64769245abfe3ae.exe) set thread context of PID 648 (033304a9a935c4d0d64769245abfe3ae.exe)

Drops file in Windows directory (1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: File opened for modification C:\Windows\svchost.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (6 IoCs)
Processes:
  C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe: nsis_installer_1 (3 matches)
  C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe: nsis_installer_2 (3 matches)

Modifies registry class (1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 648: 033304a9a935c4d0d64769245abfe3ae.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 648 (033304a9a935c4d0d64769245abfe3ae.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 3700 (033304a9a935c4d0d64769245abfe3ae.exe) wrote to memory of PID 1356 (033304a9a935c4d0d64769245abfe3ae.exe) (3 events)
  PID 1356 (033304a9a935c4d0d64769245abfe3ae.exe) wrote to memory of PID 648 (033304a9a935c4d0d64769245abfe3ae.exe) (10 events)

outlook_office_path (1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Processes:
  033304a9a935c4d0d64769245abfe3ae.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\033304a9a935c4d0d64769245abfe3ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\033304a9a935c4d0d64769245abfe3ae.exe"
  - Modifies system executable filetype association
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe
  MD5: 01d37a2dc0153678b509ed07c2891014
  SHA1: 78a1710974bbec3de74f27c0f0574b6bb2c43e65
  SHA256: 284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c
  SHA512: 64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e
\Users\Admin\AppData\Local\Temp\nspB642.tmp\cxzqpbmkny.dll
  MD5: e339d7fbe34086431a548b4ec483795f
  SHA1: 79b1d34dd81828e2884dcaeeff462cf3228878c9
  SHA256: 21a03f3f38f200bdd4bc3906a25b5d344aecb15c3842528c195b381b50baecee
  SHA512: 30bcc40d6decf58c66d8256f27f16cc497d118595dc7f891e509fbae66386767e67e71ae04fe2ad7dcd380f82dfc1e21c4fe337c08724ca7f9e0028dc4d5a201
memory/648-123-0x0000000002170000-0x00000000021A7000-memory.dmp
  Filesize: 220KB
memory/648-130-0x0000000004814000-0x0000000004815000-memory.dmp
  Filesize: 4KB
memory/648-119-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
memory/648-122-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
memory/648-134-0x00000000008C0000-0x00000000008C1000-memory.dmp
  Filesize: 4KB
memory/648-125-0x0000000004840000-0x0000000004841000-memory.dmp
  Filesize: 4KB
memory/648-126-0x0000000004810000-0x0000000004811000-memory.dmp
  Filesize: 4KB
memory/648-127-0x0000000004812000-0x0000000004813000-memory.dmp
  Filesize: 4KB
memory/648-128-0x0000000004813000-0x0000000004814000-memory.dmp
  Filesize: 4KB
memory/648-129-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
  Filesize: 4KB
memory/648-120-0x000000000040188B-mapping.dmp
memory/648-131-0x00000000057B0000-0x00000000057B1000-memory.dmp
  Filesize: 4KB
memory/648-132-0x00000000057E0000-0x00000000057E1000-memory.dmp
  Filesize: 4KB
memory/648-133-0x0000000005B60000-0x0000000005B61000-memory.dmp
  Filesize: 4KB
memory/1356-115-0x0000000000000000-mapping.dmp