Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:51
Static task: static1
Behavioral task behavioral1: Sample PO#3459.jpg.exe; Resource win7-20220414-en
Behavioral task behavioral2: Sample PO#3459.jpg.exe; Resource win10v2004-20220414-en
Behavioral task behavioral3: Sample PO#68732.png.exe; Resource win7-20220414-en
Behavioral task behavioral4: Sample PO#68732.png.exe; Resource win10v2004-20220414-en
General
Target: PO#68732.png.exe
Size: 2.8MB
MD5: 8f12c0c6c1854dae382473bfe77019f7
SHA1: 44d776b496ba926e48d5b5def8eeaaab6d64feb8
SHA256: 7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510
SHA512: 53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c
Malware Config
Extracted
Protocol: smtp
Host: mail.kaysarplastik.com
Port: 587
Username: [email protected]
Password: abdullah123
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.kaysarplastik.com
Port: 587
Username: [email protected]
Password: abdullah123
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe | family_masslogger
C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe | family_masslogger
behavioral4/memory/648-151-0x0000000000360000-0x0000000000424000-memory.dmp | family_masslogger

AgentTesla Payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\origiiiy.exe | family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origiiiy.exe | family_agenttesla
behavioral4/memory/4500-147-0x0000000000C60000-0x0000000000CAC000-memory.dmp | family_agenttesla

Executes dropped EXE 4 IoCs
Processes: foxy.exe, InstallUtil.exe, origiiiy.exe, MassLoggerBin.exe
pid | process
3996 | foxy.exe
4700 | InstallUtil.exe
4500 | origiiiy.exe
648 | MassLoggerBin.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: InstallUtil.exe, PO#68732.png.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | InstallUtil.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | PO#68732.png.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: origiiiy.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | origiiiy.exe
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | origiiiy.exe
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | origiiiy.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foxy = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\foxy.exe" | reg.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: foxy.exe
description | pid | process | target process
PID 3996 set thread context of 4700 | 3996 | foxy.exe | InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: PO#68732.png.exe, foxy.exe, powershell.exe, origiiiy.exe
pid | process | occurrences
2608 | PO#68732.png.exe | 22
3996 | foxy.exe | 3
840 | powershell.exe | 2
4500 | origiiiy.exe | 2

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: PO#68732.png.exe, foxy.exe, powershell.exe, origiiiy.exe
description | pid | process
Token: SeDebugPrivilege | 2608 | PO#68732.png.exe
Token: SeDebugPrivilege | 3996 | foxy.exe
Token: SeDebugPrivilege | 840 | powershell.exe
Token: SeDebugPrivilege | 4500 | origiiiy.exe

Suspicious use of WriteProcessMemory 29 IoCs
Processes: PO#68732.png.exe, cmd.exe, foxy.exe, InstallUtil.exe, MassLoggerBin.exe, cmd.exe
description | pid | process | target process | occurrences
PID 2608 wrote to memory of 3520 | 2608 | PO#68732.png.exe | cmd.exe | 3
PID 3520 wrote to memory of 3480 | 3520 | cmd.exe | reg.exe | 3
PID 2608 wrote to memory of 3996 | 2608 | PO#68732.png.exe | foxy.exe | 3
PID 3996 wrote to memory of 4700 | 3996 | foxy.exe | InstallUtil.exe | 8
PID 4700 wrote to memory of 4500 | 4700 | InstallUtil.exe | origiiiy.exe | 3
PID 4700 wrote to memory of 648 | 4700 | InstallUtil.exe | MassLoggerBin.exe | 3
PID 648 wrote to memory of 828 | 648 | MassLoggerBin.exe | cmd.exe | 3
PID 828 wrote to memory of 840 | 828 | cmd.exe | powershell.exe | 3

outlook_office_path 1 IoCs
Processes: origiiiy.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | origiiiy.exe

outlook_win_path 1 IoCs
Processes: origiiiy.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | origiiiy.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PO#68732.png.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#68732.png.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2608

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v foxy /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3520

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v foxy /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
            - Adds Run key to start application
            PID: 3480

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3996

        [3] C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 4700

            [4] C:\Users\Admin\AppData\Local\Temp\origiiiy.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\origiiiy.exe"
                - Executes dropped EXE
                - Accesses Microsoft Outlook profiles
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - outlook_office_path
                - outlook_win_path
                PID: 4500

            [4] C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                PID: 648

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe' & exit
                    - Suspicious use of WriteProcessMemory
                    PID: 828

                    [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe'
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 840
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe
  Filesize: 760KB
  MD5: e360b31265999e9d600c2b98ba69ad83
  SHA1: 48060da28268736d572d26ba635c0d52539390d8
  SHA256: 457c0cd53307232f629bcf3a18030d36cc053b6f096e647cf49334630710c1f9
  SHA512: b2bdd4e8f180c55428bdb698ed79244d69ca4b9b50c9be04f59103a78e763f834586339d59ef9af42dd2e3aacf2d38068cdc7e6a211d12c3c250774c45152b99

C:\Users\Admin\AppData\Local\Temp\origiiiy.exe
  Filesize: 279KB
  MD5: f8e56f59f5035e7c8ab16ca9ca382db3
  SHA1: f4fbca78fe28cf0bd0d38b77f33a7960e94536fe
  SHA256: e38dd14d76dcca37f9bc11ba99f971087b4880c4ec286efbd577976e0ac38eed
  SHA512: 8125db512042f7bdccc9a70e4e4d80afcaab5a3194e20063fbaaac41768f9ea2ddc03b4f7b3aa13fb7edb948a917e31de353cdf428393cb5ff4dac2274c0b9c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe
  Filesize: 2.8MB
  MD5: 8f12c0c6c1854dae382473bfe77019f7
  SHA1: 44d776b496ba926e48d5b5def8eeaaab6d64feb8
  SHA256: 7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510
  SHA512: 53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c

Memory dumps
memory/648-152-0x0000000004E40000-0x0000000004EA6000-memory.dmp  Filesize: 408KB
memory/648-151-0x0000000000360000-0x0000000000424000-memory.dmp  Filesize: 784KB
memory/648-148-0x0000000000000000-mapping.dmp
memory/828-153-0x0000000000000000-mapping.dmp
memory/840-158-0x00000000055B0000-0x0000000005616000-memory.dmp  Filesize: 408KB
memory/840-159-0x0000000005D80000-0x0000000005D9E000-memory.dmp  Filesize: 120KB
memory/840-160-0x00000000073A0000-0x0000000007A1A000-memory.dmp  Filesize: 6.5MB
memory/840-157-0x0000000004EA0000-0x0000000004EC2000-memory.dmp  Filesize: 136KB
memory/840-156-0x0000000004F10000-0x0000000005538000-memory.dmp  Filesize: 6.2MB
memory/840-155-0x00000000047E0000-0x0000000004816000-memory.dmp  Filesize: 216KB
memory/840-161-0x0000000006270000-0x000000000628A000-memory.dmp  Filesize: 104KB
memory/840-154-0x0000000000000000-mapping.dmp
memory/840-162-0x0000000006DC0000-0x0000000006E56000-memory.dmp  Filesize: 600KB
memory/840-163-0x0000000006340000-0x0000000006362000-memory.dmp  Filesize: 136KB
memory/2608-131-0x0000000006560000-0x0000000006B04000-memory.dmp  Filesize: 5.6MB
memory/2608-130-0x0000000000C30000-0x0000000000EF8000-memory.dmp  Filesize: 2.8MB
memory/2608-132-0x0000000006090000-0x0000000006122000-memory.dmp  Filesize: 584KB
memory/2608-133-0x0000000008110000-0x0000000008154000-memory.dmp  Filesize: 272KB
memory/3480-135-0x0000000000000000-mapping.dmp
memory/3520-134-0x0000000000000000-mapping.dmp
memory/3996-136-0x0000000000000000-mapping.dmp
memory/4500-147-0x0000000000C60000-0x0000000000CAC000-memory.dmp  Filesize: 304KB
memory/4500-144-0x0000000000000000-mapping.dmp
memory/4500-164-0x0000000006BF0000-0x0000000006C40000-memory.dmp  Filesize: 320KB
memory/4700-143-0x0000000005630000-0x00000000056CC000-memory.dmp  Filesize: 624KB
memory/4700-140-0x0000000000400000-0x0000000000562000-memory.dmp  Filesize: 1.4MB
memory/4700-139-0x0000000000000000-mapping.dmp