Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-06-2022 17:08
General
-
Target
18d5927d197f41af4d9b16621b0515a6.exe
-
Size
172KB
-
MD5
18d5927d197f41af4d9b16621b0515a6
-
SHA1
d2f4345de440d781b22f3ecf5b922783b4264bdd
-
SHA256
613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0
-
SHA512
60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b
Malware Config
Extracted
agenttesla
http://136.144.41.76/bray/inc/a4a9ffb236214a.php
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:1111
62.197.136.167:6606
62.197.136.167:7707
62.197.136.167:8808
62.197.136.167:1111
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
suricata: ET MALWARE AgentTesla Communicating with CnC Server
suricata: ET MALWARE AgentTesla Communicating with CnC Server
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe"C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe"C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exeFilesize
172KB
MD5982f97ccf89f9d50dbc5d152c7139a50
SHA10ba6c448dd8566a1196e642ef1d834d55bf6e3e6
SHA256f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152
SHA512c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1
-
C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exeFilesize
172KB
MD5982f97ccf89f9d50dbc5d152c7139a50
SHA10ba6c448dd8566a1196e642ef1d834d55bf6e3e6
SHA256f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152
SHA512c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5d9e405d9941852c2ae79beb3c25a7eda
SHA1b9c4e9e2690b9d2c3116bfaa452870de6c930b3c
SHA25677434c61e67274ccddf9422a7e2723b6c30fccaeef2609977b2b5524353f05f6
SHA5120e0d1c32a9a7a1fb1960ff42a4c894ce734c129ff7ee22457a96328d4fbb4fc95ad11ac32761389127f5d3db3114d058a5a76973766762dadaf07dfcf00dc6bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5d9e405d9941852c2ae79beb3c25a7eda
SHA1b9c4e9e2690b9d2c3116bfaa452870de6c930b3c
SHA25677434c61e67274ccddf9422a7e2723b6c30fccaeef2609977b2b5524353f05f6
SHA5120e0d1c32a9a7a1fb1960ff42a4c894ce734c129ff7ee22457a96328d4fbb4fc95ad11ac32761389127f5d3db3114d058a5a76973766762dadaf07dfcf00dc6bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5d9e405d9941852c2ae79beb3c25a7eda
SHA1b9c4e9e2690b9d2c3116bfaa452870de6c930b3c
SHA25677434c61e67274ccddf9422a7e2723b6c30fccaeef2609977b2b5524353f05f6
SHA5120e0d1c32a9a7a1fb1960ff42a4c894ce734c129ff7ee22457a96328d4fbb4fc95ad11ac32761389127f5d3db3114d058a5a76973766762dadaf07dfcf00dc6bf
-
C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exeFilesize
172KB
MD5982f97ccf89f9d50dbc5d152c7139a50
SHA10ba6c448dd8566a1196e642ef1d834d55bf6e3e6
SHA256f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152
SHA512c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Crstwuze5m.exeFilesize
172KB
MD5982f97ccf89f9d50dbc5d152c7139a50
SHA10ba6c448dd8566a1196e642ef1d834d55bf6e3e6
SHA256f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152
SHA512c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1
-
memory/1096-66-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1096-62-0x0000000000000000-mapping.dmp
-
memory/1096-65-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1152-68-0x0000000000000000-mapping.dmp
-
memory/1152-90-0x0000000006020000-0x00000000060E4000-memory.dmpFilesize
784KB
-
memory/1152-71-0x0000000000AA0000-0x0000000000AD0000-memory.dmpFilesize
192KB
-
memory/1164-76-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1164-89-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1164-73-0x0000000000000000-mapping.dmp
-
memory/1192-99-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-104-0x000000000040C75E-mapping.dmp
-
memory/1192-98-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-103-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-102-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-108-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-106-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1276-59-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1276-56-0x0000000000000000-mapping.dmp
-
memory/1276-58-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1416-96-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1416-95-0x000000006F580000-0x000000006FB2B000-memory.dmpFilesize
5.7MB
-
memory/1416-91-0x0000000000000000-mapping.dmp
-
memory/1832-82-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-87-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-83-0x0000000000435D8E-mapping.dmp
-
memory/1832-85-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-81-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-80-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-78-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1832-77-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1936-55-0x0000000074DD1000-0x0000000074DD3000-memory.dmpFilesize
8KB
-
memory/1936-60-0x0000000005C60000-0x0000000005D38000-memory.dmpFilesize
864KB
-
memory/1936-61-0x00000000047A0000-0x00000000047EC000-memory.dmpFilesize
304KB
-
memory/1936-54-0x0000000000D80000-0x0000000000DB0000-memory.dmpFilesize
192KB