Analysis
max time kernel: 101s
max time network: 106s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2022 19:51
Static task: static1
Behavioral task: behavioral1 (Sample: D6GEVBNNH11111.exe, Resource: win7-20220715-en)
Behavioral task: behavioral2 (Sample: D6GEVBNNH11111.exe, Resource: win10v2004-20220721-en)
General
Target: D6GEVBNNH11111.exe
Size: 625KB
MD5: 9cef8265c679bafb06f885678ceab7bd
SHA1: ac7faaa7e8439951eaafd8e02007f33a555cd01b
SHA256: 18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90
SHA512: ab176b5348a6a69752eb9e47e2ed11f5130a02104f38932f6f88058bed797e0ab8ffabe665c353ba174788cf60d3114961554ce41bef850c4161cc9316451533
Malware Config
Extracted
Protocol: smtp
Host: multimetals.cfd
Port: 587
Username: logs@multimetals.cfd
Password: logs@multimetals.cfd
Extracted
Family: agenttesla
Protocol: smtp
Host: multimetals.cfd
Port: 587
Username: application/x-www-form-urlencoded
Password: logs@multimetals.cfd
Email To: asset@multimetals.cfd
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat\\Acrobat.exe" | InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: geater.exe
  description | pid | process | target process
  PID 1144 set thread context of 1052 | 1144 | geater.exe | InstallUtil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: D6GEVBNNH11111.exe, geater.exe, InstallUtil.exe
  pid | process
  2012 | D6GEVBNNH11111.exe
  1144 | geater.exe
  1144 | geater.exe
  1052 | InstallUtil.exe
  1052 | InstallUtil.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: D6GEVBNNH11111.exe
  pid | process
  2012 | D6GEVBNNH11111.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: D6GEVBNNH11111.exe, geater.exe, InstallUtil.exe
  description | pid | process
  Token: SeDebugPrivilege | 2012 | D6GEVBNNH11111.exe
  Token: SeDebugPrivilege | 1144 | geater.exe
  Token: SeDebugPrivilege | 1052 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: D6GEVBNNH11111.exe, geater.exe
  description | pid | process | target process
  PID 2012 wrote to memory of 1144 | 2012 | D6GEVBNNH11111.exe | geater.exe (4 identical entries)
  PID 1144 wrote to memory of 1052 | 1144 | geater.exe | InstallUtil.exe (12 identical entries)
- outlook_office_path (1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- outlook_win_path (1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\D6GEVBNNH11111.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\D6GEVBNNH11111.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\geater.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\geater.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1052-63-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-70-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-68-0x0000000000435D3E-mapping.dmp
- memory/1052-67-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1052-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize 232KB)
- memory/1144-61-0x0000000000CE0000-0x0000000000CE6000-memory.dmp (Filesize 24KB)
- memory/1144-60-0x0000000000B50000-0x0000000000B6A000-memory.dmp (Filesize 104KB)
- memory/1144-58-0x0000000000000000-mapping.dmp
- memory/2012-54-0x0000000000DE0000-0x0000000000E82000-memory.dmp (Filesize 648KB)
- memory/2012-57-0x0000000000550000-0x0000000000568000-memory.dmp (Filesize 96KB)
- memory/2012-56-0x00000000005B0000-0x00000000005E0000-memory.dmp (Filesize 192KB)
- memory/2012-55-0x0000000075791000-0x0000000075793000-memory.dmp (Filesize 8KB)