Analysis
- max time kernel: 117s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: ce10gm3d.swj.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ce10gm3d.swj.exe
- Resource: win10v2004-20220414-en
General
- Target: ce10gm3d.swj.exe
- Size: 427KB
- MD5: dce31d2eba49d580496fcb3124397a46
- SHA1: 93a9faa46033fd2513cdb5f621cd4b7038351867
- SHA256: 847c47a4c1a5db11dd89626915bb922f8213bb5ab61d449857fbf62660a63dda
- SHA512: 58340a4253882df7c02518ed41fc12c5aa713e71ec19f0e136b354712dcfe84424960e4edb6bd8e96f0966eda3f0be1a9306b584deb4a477afcbbfec0207e925
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.waman.in
- Port: 587
- Username: [email protected]
- Password: enquiry@2020
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1820-65-0x0000000000400000-0x0000000000450000-memory.dmp / family_agenttesla
  behavioral1/memory/1820-66-0x0000000000400000-0x0000000000450000-memory.dmp / family_agenttesla
  behavioral1/memory/1820-67-0x0000000000400000-0x0000000000450000-memory.dmp / family_agenttesla
  behavioral1/memory/1820-68-0x000000000044B6EE-mapping.dmp / family_agenttesla
  behavioral1/memory/1820-71-0x0000000000400000-0x0000000000450000-memory.dmp / family_agenttesla
  behavioral1/memory/1820-73-0x0000000000400000-0x0000000000450000-memory.dmp / family_agenttesla
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1820 / ce10gm3d.swj.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe / ce10gm3d.swj.exe
  File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe / ce10gm3d.swj.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1312 / ce10gm3d.swj.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / ce10gm3d.swj.exe
  Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / ce10gm3d.swj.exe
  Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / ce10gm3d.swj.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ABwoZCfT = "C:\\Users\\Admin\\AppData\\Roaming\\jeOTzXD\\kMCKB.exe" / ce10gm3d.swj.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1312 set thread context of 1820 / 1312 / ce10gm3d.swj.exe / ce10gm3d.swj.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process):
  1312 / ce10gm3d.swj.exe (10 IoCs)
  1820 / ce10gm3d.swj.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 1312 / ce10gm3d.swj.exe
  Token: SeDebugPrivilege / 1820 / ce10gm3d.swj.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  1820 / ce10gm3d.swj.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  PID 1312 wrote to memory of 1820 / 1312 / ce10gm3d.swj.exe / ce10gm3d.swj.exe (9 IoCs)
  PID 1820 wrote to memory of 1940 / 1820 / ce10gm3d.swj.exe / netsh.exe (4 IoCs)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / ce10gm3d.swj.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / ce10gm3d.swj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe"
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe"
    Signatures:
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child process:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe
  Filesize: 427KB
  MD5: dce31d2eba49d580496fcb3124397a46
  SHA1: 93a9faa46033fd2513cdb5f621cd4b7038351867
  SHA256: 847c47a4c1a5db11dd89626915bb922f8213bb5ab61d449857fbf62660a63dda
  SHA512: 58340a4253882df7c02518ed41fc12c5aa713e71ec19f0e136b354712dcfe84424960e4edb6bd8e96f0966eda3f0be1a9306b584deb4a477afcbbfec0207e925
- \Users\Admin\AppData\Local\Temp\ce10gm3d.swj.exe
  Filesize: 427KB
  MD5: dce31d2eba49d580496fcb3124397a46
  SHA1: 93a9faa46033fd2513cdb5f621cd4b7038351867
  SHA256: 847c47a4c1a5db11dd89626915bb922f8213bb5ab61d449857fbf62660a63dda
  SHA512: 58340a4253882df7c02518ed41fc12c5aa713e71ec19f0e136b354712dcfe84424960e4edb6bd8e96f0966eda3f0be1a9306b584deb4a477afcbbfec0207e925
- memory/1312-55-0x00000000004C0000-0x00000000004C8000-memory.dmp (Filesize: 32KB)
- memory/1312-56-0x0000000000B50000-0x0000000000BC2000-memory.dmp (Filesize: 456KB)
- memory/1312-57-0x0000000005EF0000-0x0000000005F42000-memory.dmp (Filesize: 328KB)
- memory/1312-58-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1312-59-0x00000000043C0000-0x00000000043D6000-memory.dmp (Filesize: 88KB)
- memory/1312-60-0x0000000006000000-0x0000000006014000-memory.dmp (Filesize: 80KB)
- memory/1312-54-0x0000000000E20000-0x0000000000E92000-memory.dmp (Filesize: 456KB)
- memory/1820-62-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-65-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-66-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-67-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-68-0x000000000044B6EE-mapping.dmp
- memory/1820-63-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-71-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1820-73-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1940-75-0x0000000000000000-mapping.dmp