Analysis
- max time kernel: 128s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: HUJUoHNDvfZTiEM.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: HUJUoHNDvfZTiEM.exe
  Resource: win10v2004-20220414-en
General
- Target: HUJUoHNDvfZTiEM.exe
- Size: 490KB
- MD5: f93a5756dce9c41e690029529f0dd25c
- SHA1: ccb444a4628fd2035aa38ff8a50727f4c0a67ffb
- SHA256: 7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230
- SHA512: 7ad1ca297782ce423311d11cb1f2932a7edb64a0364be54558e881073d3095a0b6993dcaabb01e34e18a89a2a134e3887dfac6beeb880f6463520d65b635e42c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.lettu.us
- Port: 587
- Username: [email protected]
- Password: western2020@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/1788-137-0x0000000000400000-0x000000000044C000-memory.dmp
    yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (process: description ioc):
    HUJUoHNDvfZTiEM.exe: Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    HUJUoHNDvfZTiEM.exe: Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    HUJUoHNDvfZTiEM.exe: Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Drops file in System32 directory (2 IoCs)
  Processes (process: description ioc):
    svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C72B780F-D889-42D9-9C8A-AA9AA9D40EE2}.catalogItem
    svchost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8D084154-FA7E-4E00-B60E-59334DC52AA6}.catalogItem
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4120 set thread context of 1788: HUJUoHNDvfZTiEM.exe (4120) -> HUJUoHNDvfZTiEM.exe (1788)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (process: description ioc):
    svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (process: description ioc):
    svchost.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1788 HUJUoHNDvfZTiEM.exe
    1788 HUJUoHNDvfZTiEM.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 1788 HUJUoHNDvfZTiEM.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    1788 HUJUoHNDvfZTiEM.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 4120 wrote to memory of 1788: HUJUoHNDvfZTiEM.exe (4120) -> HUJUoHNDvfZTiEM.exe (1788), recorded 8 times
- outlook_office_path (1 IoC)
  Processes (process: description ioc):
    HUJUoHNDvfZTiEM.exe: Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes (process: description ioc):
    HUJUoHNDvfZTiEM.exe: Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\HUJUoHNDvfZTiEM.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HUJUoHNDvfZTiEM.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\HUJUoHNDvfZTiEM.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HUJUoHNDvfZTiEM.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1788-136-0x0000000000000000-mapping.dmp
- memory/1788-137-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1788-138-0x0000000006620000-0x0000000006686000-memory.dmp (Filesize: 408KB)
- memory/1788-139-0x0000000006B40000-0x0000000006B90000-memory.dmp (Filesize: 320KB)
- memory/4120-130-0x00000000005B0000-0x0000000000630000-memory.dmp (Filesize: 512KB)
- memory/4120-131-0x0000000004F50000-0x0000000004FEC000-memory.dmp (Filesize: 624KB)
- memory/4120-132-0x00000000055D0000-0x0000000005B74000-memory.dmp (Filesize: 5.6MB)
- memory/4120-133-0x00000000050C0000-0x0000000005152000-memory.dmp (Filesize: 584KB)
- memory/4120-134-0x0000000005070000-0x000000000507A000-memory.dmp (Filesize: 40KB)
- memory/4120-135-0x00000000052D0000-0x0000000005326000-memory.dmp (Filesize: 344KB)