Analysis
-
max time kernel
72s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:51
Behavioral task
behavioral1
Sample
duk (3).exe
Resource
win7-20220414-en
General
-
Target
duk (3).exe
-
Size
511KB
-
MD5
04b191c4242a98c5b14ed1de9c61ef8c
-
SHA1
4c4fafb67933eb18100acdc76128f42dc9a9525f
-
SHA256
bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175
-
SHA512
c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.hotel71.com.bd - Port:
587 - Username:
chat@hotel71.com.bd - Password:
9+^va&phP1v9
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Processes:
resource yara_rule behavioral1/memory/1304-56-0x00000000002E0000-0x00000000002E8000-memory.dmp coreentity -
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
-
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1008-61-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1008-62-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1008-63-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1008-64-0x000000000044AC5E-mapping.dmp family_agenttesla behavioral1/memory/1008-66-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1008-68-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla -
Contains SnakeBOT related strings 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1304-54-0x0000000000250000-0x00000000002DA000-memory.dmp snakebot_strings -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/1304-57-0x0000000007690000-0x00000000076E8000-memory.dmp rezer0 -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
RegSvcs.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
duk (3).exedescription pid process target process PID 1304 set thread context of 1008 1304 duk (3).exe RegSvcs.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 1008 RegSvcs.exe 1008 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
duk (3).exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 1304 duk (3).exe Token: SeDebugPrivilege 1008 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
duk (3).exepid process 1304 duk (3).exe 1304 duk (3).exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
duk (3).exeRegSvcs.exedescription pid process target process PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1304 wrote to memory of 1008 1304 duk (3).exe RegSvcs.exe PID 1008 wrote to memory of 900 1008 RegSvcs.exe REG.exe PID 1008 wrote to memory of 900 1008 RegSvcs.exe REG.exe PID 1008 wrote to memory of 900 1008 RegSvcs.exe REG.exe PID 1008 wrote to memory of 900 1008 RegSvcs.exe REG.exe PID 1008 wrote to memory of 1716 1008 RegSvcs.exe netsh.exe PID 1008 wrote to memory of 1716 1008 RegSvcs.exe netsh.exe PID 1008 wrote to memory of 1716 1008 RegSvcs.exe netsh.exe PID 1008 wrote to memory of 1716 1008 RegSvcs.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\duk (3).exe"C:\Users\Admin\AppData\Local\Temp\duk (3).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/900-70-0x0000000000000000-mapping.dmp
-
memory/1008-64-0x000000000044AC5E-mapping.dmp
-
memory/1008-58-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-59-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-61-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-62-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-63-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1008-68-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1304-56-0x00000000002E0000-0x00000000002E8000-memory.dmpFilesize
32KB
-
memory/1304-57-0x0000000007690000-0x00000000076E8000-memory.dmpFilesize
352KB
-
memory/1304-54-0x0000000000250000-0x00000000002DA000-memory.dmpFilesize
552KB
-
memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmpFilesize
8KB
-
memory/1716-71-0x0000000000000000-mapping.dmp