Analysis
- max time kernel: 124s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:36
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: VQiCue7HEz6VM3g.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: VQiCue7HEz6VM3g.exe
  Resource: win10v2004-20220414-en
General
- Target: VQiCue7HEz6VM3g.exe
- Size: 593KB
- MD5: a99ce8dca56f302d6df6c8abcfc707bc
- SHA1: 57f84fc433737662a1edaf8675f3f28038347126
- SHA256: 096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9
- SHA512: e5796de19bd9c58c3c49794b1240f16af777308a47333ce8ec41e44ce28f7517c660a70e98f63c21ad7d5c2fb6a10eafb71c1172bea493cbcfe780fa432a8867
Malware Config
- Extracted
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: kissme4eva
- Extracted
  Family: agenttesla
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: kissme4eva
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  - resource: behavioral2/memory/536-139-0x0000000000400000-0x0000000000466000-memory.dmp
    yara_rule: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: VQiCue7HEz6VM3g.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: VQiCue7HEz6VM3g.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: VQiCue7HEz6VM3g.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: VQiCue7HEz6VM3g.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: VQiCue7HEz6VM3g.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: VQiCue7HEz6VM3g.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VQiCue7HEz6VM3g.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VQiCue7HEz6VM3g.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VQiCue7HEz6VM3g.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: VQiCue7HEz6VM3g.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: VQiCue7HEz6VM3g.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: VQiCue7HEz6VM3g.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: VQiCue7HEz6VM3g.exe
  - PID 1876 set thread context of 536 (process: VQiCue7HEz6VM3g.exe, target process: VQiCue7HEz6VM3g.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: VQiCue7HEz6VM3g.exe, VQiCue7HEz6VM3g.exe
  - PID 1876, VQiCue7HEz6VM3g.exe (5 entries)
  - PID 536, VQiCue7HEz6VM3g.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: VQiCue7HEz6VM3g.exe, VQiCue7HEz6VM3g.exe
  - Token: SeDebugPrivilege (PID 1876, VQiCue7HEz6VM3g.exe)
  - Token: SeDebugPrivilege (PID 536, VQiCue7HEz6VM3g.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: VQiCue7HEz6VM3g.exe
  - PID 1876 wrote to memory of 2052 (process: VQiCue7HEz6VM3g.exe, target process: schtasks.exe), 3 entries
  - PID 1876 wrote to memory of 4596 (process: VQiCue7HEz6VM3g.exe, target process: VQiCue7HEz6VM3g.exe), 3 entries
  - PID 1876 wrote to memory of 536 (process: VQiCue7HEz6VM3g.exe, target process: VQiCue7HEz6VM3g.exe), 8 entries
- outlook_office_path (1 IoCs)
  Processes: VQiCue7HEz6VM3g.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VQiCue7HEz6VM3g.exe)
- outlook_win_path (1 IoCs)
  Processes: VQiCue7HEz6VM3g.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: VQiCue7HEz6VM3g.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\VQiCue7HEz6VM3g.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VQiCue7HEz6VM3g.exe"
  PID: 1876
  Signatures:
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qRkTaxBqiU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C4D.tmp"
    PID: 2052
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\VQiCue7HEz6VM3g.exe
    Command line: "{path}"
    PID: 4596
  - C:\Users\Admin\AppData\Local\Temp\VQiCue7HEz6VM3g.exe
    Command line: "{path}"
    PID: 536
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VQiCue7HEz6VM3g.exe.log
  Filesize: 599B
  MD5: a56b1681d95f33a909d6f34c33f706fb
  SHA1: e996e63f53e9041910f84a4246085c7e76d8ea37
  SHA256: 7d87bc567d369a8c708b33966c428845d44ce433d2a6445ca4ccf6449482b3a7
  SHA512: f0d7998ccb520c7229f95ed26a714b07e6a87c16d097546751f7a0f61678b0abb3fbfcc0caa8eba66fa19c09ad659f89475f0f071f3b249bd1bee07a7cd665a2
- C:\Users\Admin\AppData\Local\Temp\tmp3C4D.tmp
  Filesize: 1KB
  MD5: efab6688f66e5da2ae059dfa2c37ea58
  SHA1: 0134a4bc1529e0bc39264a8d7957678a9676c53b
  SHA256: 9b8a68cf9027ee42fba09d6b133f5cd8bf75a4f0edc3492e55fb9690e731363d
  SHA512: b055772b6979a888fd19d7d7b3a1b150bfd6e2b7708fd572c54483f4ff7615d8940ed8ae93d1655f1e9227a10686f76ae68b45b0b0e5847cba06f4183d52f519
- memory/536-139-0x0000000000400000-0x0000000000466000-memory.dmp
  Filesize: 408KB
- memory/536-138-0x0000000000000000-mapping.dmp
- memory/536-141-0x0000000006450000-0x00000000064A0000-memory.dmp
  Filesize: 320KB
- memory/536-142-0x0000000006960000-0x000000000696A000-memory.dmp
  Filesize: 40KB
- memory/1876-133-0x00000000057E0000-0x000000000587C000-memory.dmp
  Filesize: 624KB
- memory/1876-134-0x0000000005C30000-0x0000000005C96000-memory.dmp
  Filesize: 408KB
- memory/1876-132-0x0000000004BA0000-0x0000000004C32000-memory.dmp
  Filesize: 584KB
- memory/1876-130-0x0000000000130000-0x00000000001CA000-memory.dmp
  Filesize: 616KB
- memory/1876-131-0x0000000005230000-0x00000000057D4000-memory.dmp
  Filesize: 5.6MB
- memory/2052-135-0x0000000000000000-mapping.dmp
- memory/4596-137-0x0000000000000000-mapping.dmp