Analysis
- max time kernel: 122s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:22
Static task: static1
Behavioral task: behavioral1
- Sample: KsoUkx8kQkhNBfv.exe
- Resource: win7-20220414-en
General
- Target: KsoUkx8kQkhNBfv.exe
- Size: 645KB
- MD5: 97cd758a698d47b01edd4a3281503176
- SHA1: da997a6c3491c6a0a58c69aff6a630328dae4602
- SHA256: 8bd67af43b81d9303bc114e81c598c9ae1cb4d55315c750ae3eea3691513c94f
- SHA512: 0d85f512d7669543c0f6ce4337995533755e72d36ab673a43383491e2bc1c937e62e8433c4c90f9077701243061eaca02e0d399a26b1c2c10bb3e0fbe248ffab
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: roham.dnswebhost.com
- Port: 587
- Username: [email protected]
- Password: anyiego@123
This is the operator's exfiltration mailbox: the stealer submits harvested credentials and keystrokes over SMTP submission (port 587) to this account, so the host and the account are the actionable indicators for blocking and abuse reporting. The username survives on the page only in redacted form and is left as-is.
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer; the SMTP credentials extracted above are its exfiltration channel.
-
AgentTesla Payload  6 IoCs
The YARA rule family_agenttesla matched the following memory regions, all in the second instance of the sample (PID 524) and all inside the 0x400000-0x466000 image region that the first instance overwrote (see SetThreadContext and WriteProcessMemory below):
resource | yara_rule
behavioral1/memory/524-62-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
behavioral1/memory/524-61-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
behavioral1/memory/524-63-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
behavioral1/memory/524-64-0x000000000046115E-mapping.dmp | family_agenttesla
behavioral1/memory/524-66-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
behavioral1/memory/524-68-0x0000000000400000-0x0000000000466000-memory.dmp | family_agenttesla
-
Looks for VirtualBox Guest Additions in registry  2 TTPs
-
Looks for VMWare Tools registry key  2 TTPs
-
Checks BIOS information in registry  2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KsoUkx8kQkhNBfv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KsoUkx8kQkhNBfv.exe
-
Reads data files stored by FTP clients  2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients  2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles  1 TTPs 3 IoCs
All three keys are opened by the hollowed second instance (PID 524); the Office 15.0 and 16.0 profile paths and the Windows Messaging Subsystem path cover Outlook 2013, Outlook 2016 and later, and older MAPI profile storage respectively.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | KsoUkx8kQkhNBfv.exe
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | KsoUkx8kQkhNBfv.exe
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | KsoUkx8kQkhNBfv.exe
-
Maps connected drives based on registry  3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | KsoUkx8kQkhNBfv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | KsoUkx8kQkhNBfv.exe
-
Suspicious use of SetThreadContext  1 IoCs
description | pid | process | target process
PID 1668 set thread context of 524 | 1668 | KsoUkx8kQkhNBfv.exe | KsoUkx8kQkhNBfv.exe
Together with the WriteProcessMemory events below this is process hollowing of the sample's own image: the first instance (PID 1668) starts a second copy of itself (PID 524), writes the decoded AgentTesla payload into it and then redirects its thread into that payload. This is why the YARA hits and the credential-access events all come from PID 524 while the on-disk file is only a loader.
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic description flags this as likely ransomware behaviour; in this run it is consistent with the Disk\Enum registry reads used for sandbox detection, and no encryption-related activity appears in the report.
-
Creates scheduled task(s)  1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 1668 launches schtasks.exe (PID 2028) to register the task "Updates\BXXwfEloUhOLj" from the XML file C:\Users\Admin\AppData\Local\Temp\tmp8029.tmp (see Processes and Downloads).
-
Suspicious behavior: EnumeratesProcesses  4 IoCs
pid | process
1668 | KsoUkx8kQkhNBfv.exe
1668 | KsoUkx8kQkhNBfv.exe
524 | KsoUkx8kQkhNBfv.exe
524 | KsoUkx8kQkhNBfv.exe
-
Suspicious use of AdjustPrivilegeToken  2 IoCs
Both instances enable SeDebugPrivilege, which is what allows the loader to open and write another process and is a useful detection pivot on its own for an executable run from the user's Temp directory.
description | pid | process
Token: SeDebugPrivilege | 1668 | KsoUkx8kQkhNBfv.exe
Token: SeDebugPrivilege | 524 | KsoUkx8kQkhNBfv.exe
-
Suspicious use of SetWindowsHookEx  1 IoCs
pid | process
524 | KsoUkx8kQkhNBfv.exe
A Windows hook installed by the injected instance is consistent with AgentTesla's keylogging component.
-
Suspicious use of WriteProcessMemory  13 IoCs
description | pid | process | target process
PID 1668 wrote to memory of 2028 (4 events) | 1668 | KsoUkx8kQkhNBfv.exe | schtasks.exe
PID 1668 wrote to memory of 524 (9 events) | 1668 | KsoUkx8kQkhNBfv.exe | KsoUkx8kQkhNBfv.exe
The four writes into schtasks.exe are the normal CreateProcess set-up of a child; the nine writes into the second copy of the sample are the payload being mapped before SetThreadContext redirects execution into it.
-
outlook_office_path  1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | KsoUkx8kQkhNBfv.exe
-
outlook_win_path  1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | KsoUkx8kQkhNBfv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe (PID 1668, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2028, depth 2, child of 1668)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BXXwfEloUhOLj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8029.tmp"
    The command line names System32 but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WoW64 file-system redirection. Detection logic should match on the /Create ... /XML pattern with an XML path under the user's Temp directory rather than on the schtasks path.
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe (PID 524, depth 2, child of 1668)
    Command line: "{path}"
    The literal string "{path}" is the command line the parent supplied; this is the hollowed second instance that receives the AgentTesla payload.
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
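The process tree above contains three behaviours worth turning into detection logic: the anti-VM registry probes, the scheduled task registered from an XML file in Temp, and the loader writing into and redirecting a second copy of its own image. The Python below is an added example (it is not part of the sandbox report or of any sandbox product); its Event record layout and the EVENTS list are assumptions constructed to mirror the events listed for PIDs 1668, 2028 and 524, and the three detectors are generic enough to run over any event log with the same fields.

```python
"""Behaviour-based triage of sandbox events of the kind shown in this report.

Added example; not part of the original report or of any sandbox product.
The Event fields and the EVENTS list are an assumption: they are constructed
to mirror the process, memory and registry events the report lists for
PIDs 1668, 2028 and 524.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    kind: str                 # process | write_mem | set_thread_ctx | reg_query
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    cmdline: str = ""
    key: str = ""


SAMPLE = "KsoUkx8kQkhNBfv.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp8029.tmp"

# Constructed event log (assumption): 1668 probes BIOS/disk keys, spawns
# schtasks.exe (2028), spawns a second copy of itself (524), writes into
# both children and finally sets 524's thread context.
EVENTS: List[Event] = [
    Event("reg_query", 1668, SAMPLE, key=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", 1668, SAMPLE, key=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_query", 1668, SAMPLE, key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
    Event("process", 2028, "schtasks.exe",
          cmdline=f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\BXXwfEloUhOLj" /XML "{TASK_XML}"'),
    *[Event("write_mem", 1668, SAMPLE, target_pid=2028, target_image="schtasks.exe") for _ in range(4)],
    Event("process", 524, SAMPLE, cmdline='"{path}"'),
    *[Event("write_mem", 1668, SAMPLE, target_pid=524, target_image=SAMPLE) for _ in range(9)],
    Event("set_thread_ctx", 1668, SAMPLE, target_pid=524, target_image=SAMPLE),
]

# Registry paths the report shows being read for sandbox/VM detection.
ANTI_VM_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\SYSTEM\ControlSet001\services\Disk\Enum",
)

# schtasks /Create ... /XML <file under the user's Temp directory>
TEMP_XML_TASK = re.compile(
    r'/Create\b.*?/XML\s+"?(?P<xml>[^"]*?\\AppData\\Local\\Temp\\[^"]+)"?', re.I)


def find_self_injection(events: List[Event]) -> List[Tuple[int, int]]:
    """(injector, victim) pairs where a process writes into another process
    running the same image and then sets a thread context in it: the
    self-hollowing the report records as 1668 -> 524."""
    written = {(e.pid, e.target_pid) for e in events
               if e.kind == "write_mem" and e.image == e.target_image}
    return sorted({(e.pid, e.target_pid) for e in events
                   if e.kind == "set_thread_ctx" and (e.pid, e.target_pid) in written})


def find_temp_xml_tasks(events: List[Event]) -> List[str]:
    """XML task definitions under the user's Temp directory that schtasks.exe
    was asked to register; a dropped-then-registered task is the persistence
    step in this report."""
    hits = []
    for e in events:
        if e.kind == "process" and e.image.lower() == "schtasks.exe":
            m = TEMP_XML_TASK.search(e.cmdline)
            if m:
                hits.append(m.group("xml"))
    return hits


def find_anti_vm_queries(events: List[Event]) -> Dict[int, List[str]]:
    """PID -> list of BIOS/disk registry paths it queried."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        if e.kind == "reg_query" and any(k.lower() in e.key.lower() for k in ANTI_VM_KEYS):
            hits.setdefault(e.pid, []).append(e.key)
    return hits


def triage(events: List[Event]) -> Dict[str, object]:
    """Summarise the three behaviours. The verdict is 'suspicious' only when
    anti-VM probing, Temp-XML persistence and self-injection all appear,
    which this sample's event log satisfies."""
    inj = find_self_injection(events)
    tasks = find_temp_xml_tasks(events)
    vm = find_anti_vm_queries(events)
    return {
        "self_injection": inj,
        "temp_xml_tasks": tasks,
        "anti_vm_pids": sorted(vm),
        "verdict": "suspicious" if (inj and tasks and vm) else "unclear",
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

The self-injection detector keys on the image name match between writer and target, which separates hollowing of one's own binary (as here) from the ordinary WriteProcessMemory calls a parent makes while starting schtasks.exe; the schtasks matcher deliberately ignores the executable path because of the System32/SysWOW64 redirection noted above.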
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8029.tmp (the scheduled-task XML passed to schtasks.exe /XML)
  Filesize: 1KB
  MD5: 6573540c60c46d969e8cee2281a82613
  SHA1: 4ba1054f55436a5de011a30399fb9e8962078286
  SHA256: a290bfcd3724868f731741c9c2f7ed8cba59bf2c735bd9cf695fd6821759994c
  SHA512: 721059b5062edd6822b9500d388a2ec28cf0951bd2a23834f4ce150e11343693b708dbc294f8d63d6170c583b0e1c91d93e86c76e3a1f9c5e413953ef0cb2b4f
- memory/524-62-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-58-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-59-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-61-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-63-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-64-0x000000000046115E-mapping.dmp
- memory/524-66-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-68-0x0000000000400000-0x0000000000466000-memory.dmp: 408KB
- memory/524-70-0x0000000074BD0000-0x000000007517B000-memory.dmp: 5.7MB
- memory/1668-55-0x0000000074C40000-0x00000000751EB000-memory.dmp: 5.7MB
- memory/1668-54-0x00000000762C1000-0x00000000762C3000-memory.dmp: 8KB
- memory/2028-56-0x0000000000000000-mapping.dmp
The repeated 0x400000-0x466000 dumps from PID 524 are successive snapshots of the hollowed image region that the family_agenttesla YARA rule matched; any one of them is the unpacked payload to carve for further static analysis.