Overview

overview

10

Static

static

10

8100OJ.exe

windows7_x64

10

8100OJ.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8100OJ.exe

  • Size

    1.7MB

  • MD5

    bfbdaa4f58a5fb04b5ebd07df65d794c

  • SHA1

    626c24e885bca21d7da4f74aabb55e1e6b737a76

  • SHA256

    04c7c046518196b6b88e6b3860d870e1ad21728353d8e73f23a9276a1a5e211f

  • SHA512

    5793ce56e85b502d20ab43e7d30b5188063cf743b160c385fe85290522a925ad745e10691513ab7014204d93729c22e275bce76313a33c9d19fcdbad4b1f2847

Score
10/10
agentteslamassloggercollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.ashpraskills.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    TC041018$4321

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.ashpraskills.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    TC041018$4321

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 3 IoCs
  • AgentTesla Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8100OJ.exe
    "C:\Users\Admin\AppData\Local\Temp\8100OJ.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\Desktop\wiseman.exe
      "C:\Users\Admin\Desktop\wiseman.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Administrator /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Administrator /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
        3⤵
        • Adds Run key to start application
        PID:1988
    • C:\Users\Admin\Desktop\.exe
      "C:\Users\Admin\Desktop\.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1268
        3⤵
        • Program crash
        PID:2080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064
    1⤵
      PID:888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\.exe
      Filesize

      1.7MB

      MD5

      bfbdaa4f58a5fb04b5ebd07df65d794c

      SHA1

      626c24e885bca21d7da4f74aabb55e1e6b737a76

      SHA256

      04c7c046518196b6b88e6b3860d870e1ad21728353d8e73f23a9276a1a5e211f

      SHA512

      5793ce56e85b502d20ab43e7d30b5188063cf743b160c385fe85290522a925ad745e10691513ab7014204d93729c22e275bce76313a33c9d19fcdbad4b1f2847

      Download Submit
    • C:\Users\Admin\Desktop\.exe
      Filesize

      1.7MB

      MD5

      bfbdaa4f58a5fb04b5ebd07df65d794c

      SHA1

      626c24e885bca21d7da4f74aabb55e1e6b737a76

      SHA256

      04c7c046518196b6b88e6b3860d870e1ad21728353d8e73f23a9276a1a5e211f

      SHA512

      5793ce56e85b502d20ab43e7d30b5188063cf743b160c385fe85290522a925ad745e10691513ab7014204d93729c22e275bce76313a33c9d19fcdbad4b1f2847

      Download Submit
    • C:\Users\Admin\Desktop\wiseman.exe
      Filesize

      278KB

      MD5

      0922444ce8a37462f57e07a420acf1a7

      SHA1

      a6442229acbd46d3a4cf5f45630ca98a74f18d0f

      SHA256

      bab0b51695e2e35875154c4aba680fd1800dbbba36ef1f48cd437616eac8cdc5

      SHA512

      24cfd983469e0f6926969a9ee9201df6eed891c895ec7db328944feda2ebcbac20c11bffdd15e831aae64dd4d1bf45f442f2be4306d837f045ced245597a6a2c

      Download Submit
    • C:\Users\Admin\Desktop\wiseman.exe
      Filesize

      278KB

      MD5

      0922444ce8a37462f57e07a420acf1a7

      SHA1

      a6442229acbd46d3a4cf5f45630ca98a74f18d0f

      SHA256

      bab0b51695e2e35875154c4aba680fd1800dbbba36ef1f48cd437616eac8cdc5

      SHA512

      24cfd983469e0f6926969a9ee9201df6eed891c895ec7db328944feda2ebcbac20c11bffdd15e831aae64dd4d1bf45f442f2be4306d837f045ced245597a6a2c

      Download Submit
    • memory/752-133-0x0000000005CC0000-0x0000000005D04000-memory.dmp
      Filesize

      272KB

      Download
    • memory/752-130-0x00000000005F0000-0x00000000007A2000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/752-132-0x00000000059D0000-0x0000000005A62000-memory.dmp
      Filesize

      584KB

      Download
    • memory/752-131-0x0000000005EE0000-0x0000000006484000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/776-134-0x0000000000000000-mapping.dmp
      Download
    • memory/776-139-0x000000006E190000-0x000000006E741000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1988-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4528-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5064-140-0x0000000000000000-mapping.dmp
      Download