Analysis
-
max time kernel
76s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
10-05-2022 14:04
General
-
Target
tmp.exe
-
Size
455KB
-
MD5
f383aca77ec8694ab609f6c6ee464bde
-
SHA1
836abb931164edf8ea1ec1437b94eed0fc568049
-
SHA256
6c13935ce459215baf7b863cf206747125cacca60793e81ca06ee66139eeba79
-
SHA512
7acba871babb6cba09d1e444387d4d282f65b951b16127145521cd70915995425de6efc72a5f6400c81371734e5a47eaa33ed76ce06586f45fc8df1108af4040
Malware Config
Extracted
Protocol: smtp- Host:
odin.mk-host.com - Port:
587 - Username:
[email protected] - Password:
Hotel2020#
Extracted
asyncrat
5.0.5
Venom Clients
194.5.97.88:5050
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
Protocol: smtp- Host:
odin.mk-host.com - Port:
587 - Username:
[email protected] - Password:
Hotel2020# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QWAS.exe"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
Filesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
Filesize
682KB
MD50c333ed8bb368bd1f442e429d25468bf
SHA117caab2afdb4338cea5161abe9b4f1137585afcd
SHA256ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d
SHA512a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b
-
Filesize
682KB
MD50c333ed8bb368bd1f442e429d25468bf
SHA117caab2afdb4338cea5161abe9b4f1137585afcd
SHA256ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d
SHA512a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
704KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
88KB
-
Filesize
232KB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
5.6MB