Analysis
- max time kernel: 150s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:35

Static task: static1

Behavioral task: behavioral1
- Sample: MV OCEAN GLORY V.2008.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: MV OCEAN GLORY V.2008.exe
- Resource: win10v2004-20220414-en
General
- Target: MV OCEAN GLORY V.2008.exe
- Size: 634KB
- MD5: 0b13ff5f953b3df10dd126b2ad92a2cf
- SHA1: 79cd672a6d7cd026e652c791bc0d089b30840e15
- SHA256: f1102765bde9d2485559822259bb55539749ae15cbe3378bfc4146586900fba8
- SHA512: 1603b6fd8b85d0574a57846aac964dd91d7f22a0983f9d5aa30df648065539c415a195a6bf74b8e3ca3125e5376b75aaa3b9561e56f027aec7ee571872701eb1
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: secure197.inmotionhosting.com
- Port: 587
- Username: [email protected]
- Password: GL@123456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/4832-132-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: MV OCEAN GLORY V.2008.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MV OCEAN GLORY V.2008.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MV OCEAN GLORY V.2008.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MV OCEAN GLORY V.2008.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: MV OCEAN GLORY V.2008.exe
  description | pid | process | target process
  PID 4804 set thread context of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MV OCEAN GLORY V.2008.exe
  pid | process
  4832 | MV OCEAN GLORY V.2008.exe
  4832 | MV OCEAN GLORY V.2008.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MV OCEAN GLORY V.2008.exe
  description | pid | process
  Token: SeDebugPrivilege | 4832 | MV OCEAN GLORY V.2008.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: MV OCEAN GLORY V.2008.exe, MV OCEAN GLORY V.2008.exe
  description | pid | process | target process
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4804 wrote to memory of 4832 | 4804 | MV OCEAN GLORY V.2008.exe | MV OCEAN GLORY V.2008.exe
  PID 4832 wrote to memory of 2536 | 4832 | MV OCEAN GLORY V.2008.exe | netsh.exe
  PID 4832 wrote to memory of 2536 | 4832 | MV OCEAN GLORY V.2008.exe | netsh.exe
  PID 4832 wrote to memory of 2536 | 4832 | MV OCEAN GLORY V.2008.exe | netsh.exe
- outlook_office_path (1 IoC)
  Processes: MV OCEAN GLORY V.2008.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MV OCEAN GLORY V.2008.exe
- outlook_win_path (1 IoC)
  Processes: MV OCEAN GLORY V.2008.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MV OCEAN GLORY V.2008.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MV OCEAN GLORY V.2008.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MV OCEAN GLORY V.2008.exe"
  PID: 4804
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MV OCEAN GLORY V.2008.exe (level 2, child of PID 4804)
    Command line: "{path}"
    PID: 4832
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (level 3, child of PID 4832)
      Command line: "netsh" wlan show profile
      PID: 2536
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2536-134-0x0000000000000000-mapping.dmp
- memory/4804-130-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/4832-131-0x0000000000000000-mapping.dmp
- memory/4832-132-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/4832-133-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)