Analysis
- max time kernel: 128s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: e ssssssssss.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e ssssssssss.exe
  Resource: win10v2004-20220414-en
General
- Target: e ssssssssss.exe
- Size: 532KB
- MD5: 6a7bea227f0410cd0a29d5ec46dc2162
- SHA1: c96ddd2b3e3926b030cb06636c963fa3f05e0f88
- SHA256: fe4deeb84628c321aff86bc7fd0edfa70aebc3f2dd302c18cf8a5715cb8b09e8
- SHA512: 76c663adb6809e3d817d4e6b3e0900841351b5a48211554ff53d992e0572693e5526cab1a13c7b6f1696011b14059b67dabcf342244224e8f486d40308840c38
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mkkarakosemobilya.com
- Port: 587
- Username: [email protected]
- Password: MKkkmbly@2019
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/936-59-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: e ssssssssss.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\eOqyl = "C:\\TBHNEBSE\\eOqylq\\eOqylqyCC.vbs" | e ssssssssss.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: e ssssssssss.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e ssssssssss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | e ssssssssss.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: e ssssssssss.exe
  description | pid | process | target process
  PID 784 set thread context of 936 | 784 | e ssssssssss.exe | InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: InstallUtil.exe
  pid | process
  936 | InstallUtil.exe
  936 | InstallUtil.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: e ssssssssss.exe
  pid | process
  784 | e ssssssssss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: InstallUtil.exe
  description | pid | process
  Token: SeDebugPrivilege | 936 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: e ssssssssss.exe, InstallUtil.exe
  description | pid | process | target process
  PID 784 wrote to memory of 936 | 784 | e ssssssssss.exe | InstallUtil.exe (8 identical rows)
  PID 936 wrote to memory of 1232 | 936 | InstallUtil.exe | netsh.exe (4 identical rows)
- outlook_office_path (1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- outlook_win_path (1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e ssssssssss.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e ssssssssss.exe"
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of 1)
      Command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/784-54-0x00000000003B0000-0x000000000043C000-memory.dmp (Filesize: 560KB)
- memory/784-55-0x0000000001F20000-0x0000000001F94000-memory.dmp (Filesize: 464KB)
- memory/784-56-0x0000000004840000-0x000000000489A000-memory.dmp (Filesize: 360KB)
- memory/784-58-0x0000000000690000-0x0000000000693000-memory.dmp (Filesize: 12KB)
- memory/936-57-0x000000000044CA5E-mapping.dmp
- memory/936-59-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/936-60-0x0000000075701000-0x0000000075703000-memory.dmp (Filesize: 8KB)
- memory/1232-61-0x0000000000000000-mapping.dmp