Analysis
- max time kernel: 72s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:53
Static task: static1
Behavioral task: behavioral1
- Sample: OJZVQGRB.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: OJZVQGRB.exe
- Resource: win10v2004-20220414-en
General
- Target: OJZVQGRB.exe
- Size: 457KB
- MD5: 9176cc3a2b72f6ddc6ca7ca9f0408c8b
- SHA1: 5db086b22bb97d2e373f31b791ff0930bd82cb69
- SHA256: a6584d03c245b4cebded9264308da12b97193ad6ae195636d9f447b6c4ce7698
- SHA512: d4dae7fe898e4f7883153ee25cd1c3dc1bb57fbe04f1536d9c49169ccef119ad6865498c8c0737ccc2fee67690c53f452622d1bf95d8fdef3e5f5b22f3c82815
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.samudrapanel.com
- Port: 587
- Username: [email protected]
- Password: weslali234
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 6 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/520-63-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/520-64-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/520-65-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/520-66-0x000000000044A9DE-mapping.dmp | family_agenttesla
  behavioral1/memory/520-68-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  behavioral1/memory/520-70-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource | yara_rule
  behavioral1/memory/1156-57-0x0000000005030000-0x0000000005086000-memory.dmp | rezer0
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OJZVQGRB.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OJZVQGRB.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OJZVQGRB.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OJZVQGRB.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OJZVQGRB.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | OJZVQGRB.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | OJZVQGRB.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1156 set thread context of 520 | 1156 | OJZVQGRB.exe | OJZVQGRB.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid | process
  1156 | OJZVQGRB.exe (3 identical rows)
  520 | OJZVQGRB.exe (2 identical rows)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1156 | OJZVQGRB.exe
  Token: SeDebugPrivilege | 520 | OJZVQGRB.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  520 | OJZVQGRB.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description | pid | process | target process
  PID 1156 wrote to memory of 1460 | 1156 | OJZVQGRB.exe | schtasks.exe (4 identical rows)
  PID 1156 wrote to memory of 1004 | 1156 | OJZVQGRB.exe | OJZVQGRB.exe (4 identical rows)
  PID 1156 wrote to memory of 520 | 1156 | OJZVQGRB.exe | OJZVQGRB.exe (9 identical rows)
  PID 520 wrote to memory of 1216 | 520 | OJZVQGRB.exe | netsh.exe (4 identical rows)
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OJZVQGRB.exe
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OJZVQGRB.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXfilQolLOYnI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp"
    - Creates scheduled task(s)
  - Child process: C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
    Command line: "{path}"
  - Child process: C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - Child process: C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp
  Filesize: 1KB
  MD5: 23ef9c3328c3783efc8dd406c9e5de8c
  SHA1: 20e32dc22280a681de1469adc5e7c6e9a4f5839e
  SHA256: 71c674c17a6b91ce2aa431c3e8847ea9f7dbcd04da8ed67a6493be99d1e9acf8
  SHA512: 7b08f556fc87c49fe96c75589dd3f840afe52cc83a4dec479384268266a49f8d05855dfa83de5c6a67c75b90034e925191164146e254ec522846c0f0981babdc
- memory/520-64-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-66-0x000000000044A9DE-mapping.dmp
- memory/520-70-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-68-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-65-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-60-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-61-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/520-63-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1156-54-0x0000000000EE0000-0x0000000000F58000-memory.dmp (Filesize: 480KB)
- memory/1156-55-0x00000000755C1000-0x00000000755C3000-memory.dmp (Filesize: 8KB)
- memory/1156-56-0x00000000004C0000-0x00000000004C8000-memory.dmp (Filesize: 32KB)
- memory/1156-57-0x0000000005030000-0x0000000005086000-memory.dmp (Filesize: 344KB)
- memory/1216-72-0x0000000000000000-mapping.dmp
- memory/1460-58-0x0000000000000000-mapping.dmp