Analysis
- max time kernel: 139s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 08:38
Static task: static1
Behavioral task: behavioral1
- Sample: d26c8282cb80ad25f07b769fb2152dff.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d26c8282cb80ad25f07b769fb2152dff.exe
- Resource: win10v2004-20220901-en
General
- Target: d26c8282cb80ad25f07b769fb2152dff.exe
- Size: 988KB
- MD5: d26c8282cb80ad25f07b769fb2152dff
- SHA1: a3f42a6f49f6219b3a5ba9e2f3ac3b80f7beee78
- SHA256: 3e8538df66efc0c110ba8bca5f3f6e02aefe24f80f622b97731f46f958803f86
- SHA512: c3353e58905087155744fc25c978a61f28069d8108fe8fec971bdcaf58cb51ae193b6bd45005132250adc27e27b3ec1e4141c708267274d4738427c7f1329388
- SSDEEP: 12288:2S/nb8oh1rgtC0DagQY+5pJIUkjErhAQOV3a810F9+OToal1K4HTN:38ekagU5I5iAQO1CJl
Malware Config
Extracted
- Protocol: ftp
- Host: 192.3.223.202
- Port: 21
- Username: ftplogs
- Password: sPkZ7jK7P6aA
Extracted (family: agenttesla)
- Protocol: ftp
- Host: ftp://192.3.223.202
- Port: 21
- Username: ftplogs
- Password: sPkZ7jK7P6aA
Both extractions describe the same FTP account on 192.3.223.202:21, the channel AgentTesla uses to upload stolen credentials; the second rendering only adds the ftp:// scheme to the host. Outbound FTP to that address with the ftplogs user is the network indicator to hunt for.
Signatures
-
AgentTesla
Agent Tesla is a .NET infostealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and, in this configuration, uploads them over FTP to the host in the extracted config.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla, which keep saved server credentials on disk.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe"
-
Suspicious use of SetThreadContext 1 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- PID 1424 (d26c8282cb80ad25f07b769fb2152dff.exe) set thread context of PID 1640 (d26c8282cb80ad25f07b769fb2152dff.exe)
Combined with the WriteProcessMemory calls from 1424 into 1640 listed below, this is the process-hollowing pattern: the loader starts a second copy of its own image, overwrites it in memory and points its main thread at the new entry point.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour, but this report records no file-encryption activity; for an infostealer the more plausible reading is drive enumeration while searching for data to collect, so treat the ransomware label as low confidence here.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here is Updates\JeHBvjHuYEfr, defined by an XML file dropped in %TEMP% (see the schtasks.exe command line under Processes).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe (PID 1424) x5, d26c8282cb80ad25f07b769fb2152dff.exe (PID 1640) x2, powershell.exe (PID 940) x1
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe (PID 1640)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe, powershell.exe
- Token: SeDebugPrivilege, PID 1424 d26c8282cb80ad25f07b769fb2152dff.exe
- Token: SeDebugPrivilege, PID 1640 d26c8282cb80ad25f07b769fb2152dff.exe
- Token: SeDebugPrivilege, PID 940 powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- PID 1424 (d26c8282cb80ad25f07b769fb2152dff.exe) wrote to memory of PID 940 (powershell.exe), 4 times
- PID 1424 (d26c8282cb80ad25f07b769fb2152dff.exe) wrote to memory of PID 960 (schtasks.exe), 4 times
- PID 1424 (d26c8282cb80ad25f07b769fb2152dff.exe) wrote to memory of PID 1640 (d26c8282cb80ad25f07b769fb2152dff.exe), 9 times
-
outlook_office_path 1 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes: d26c8282cb80ad25f07b769fb2152dff.exe
- Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\d26c8282cb80ad25f07b769fb2152dff.exe (PID 1424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d26c8282cb80ad25f07b769fb2152dff.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children of PID 1424:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 940)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JeHBvjHuYEfr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 960)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JeHBvjHuYEfr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8C5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\d26c8282cb80ad25f07b769fb2152dff.exe (PID 1640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d26c8282cb80ad25f07b769fb2152dff.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Reading the tree: PID 1424 is the loader. It adds a Defender exclusion for the path it intends to persist under (Add-MpPreference -ExclusionPath), registers the scheduled task Updates\JeHBvjHuYEfr from an XML definition dropped in %TEMP%, then starts a second copy of itself (PID 1640) and hollows it (WriteProcessMemory into 1640 followed by SetThreadContext). The hollowed copy does the stealing: it opens the Outlook profile keys and writes its own Run key (hZpzJs). Two details matter for a host sweep. First, the children's image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: the sample is 32-bit, so WoW64 file-system redirection resolved those paths to the 32-bit tools. Second, the task and exclusion name (JeHBvjHuYEfr) and the Run key name (hZpzJs) differ, so look for both.
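The behaviours above (self-hollowing via WriteProcessMemory plus SetThreadContext, a Defender exclusion, a scheduled task defined from %TEMP%, and a Run key into AppData) can be checked mechanically against a sandbox's event stream. The script below is an added example and not part of this report or of the sandbox's tooling: the EVENTS list is transcribed from the Signatures and Processes sections (PIDs 1424/940/960/1640, the command lines, the Run key value), while the event schema, the rule names and the helper functions are this example's own conventions.

```python
"""Triage sandbox behavioural events for process hollowing and persistence.

Added example, not part of the sandbox report. EVENTS is transcribed from
the report; the schema ("type" plus type-specific fields) and the rule
names are assumptions made for this example.
"""
import re
from collections import defaultdict

SAMPLE = "d26c8282cb80ad25f07b769fb2152dff.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-999675638-2867687379-27515722-1000"

EVENTS = [
    {"type": "process", "pid": 1424, "ppid": 0, "image": SAMPLE,
     "cmd": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "process", "pid": 940, "ppid": 1424, "image": "powershell.exe",
     "cmd": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            'Add-MpPreference -ExclusionPath '
            '"C:\\Users\\Admin\\AppData\\Roaming\\JeHBvjHuYEfr.exe"'},
    {"type": "process", "pid": 960, "ppid": 1424, "image": "schtasks.exe",
     "cmd": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN '
            f'"Updates\\JeHBvjHuYEfr" /XML "{TEMP}\\tmpB8C5.tmp"'},
    {"type": "process", "pid": 1640, "ppid": 1424, "image": SAMPLE,
     "cmd": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "write_memory", "pid": 1424, "target": 940},
    {"type": "write_memory", "pid": 1424, "target": 960},
    {"type": "write_memory", "pid": 1424, "target": 1640},
    {"type": "set_thread_context", "pid": 1424, "target": 1640},
    {"type": "reg_set", "pid": 1640,
     "key": USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\hZpzJs",
     "value": "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe"},
]


def render_tree(events):
    """Return the process tree as indented 'pid image' lines, root first."""
    children = defaultdict(list)
    for p in (e for e in events if e["type"] == "process"):
        children[p["ppid"]].append(p)
    lines = []

    def walk(ppid, depth):
        for p in children[ppid]:
            lines.append(f'{"  " * depth}{p["pid"]} {p["image"]}')
            walk(p["pid"], depth + 1)

    walk(0, 0)
    return lines


def detect(events):
    """Apply four rules; return (rule, pid, detail) tuples in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    wrote = defaultdict(set)                      # writer pid -> target pids
    for e in events:
        if e["type"] == "write_memory":
            wrote[e["pid"]].add(e["target"])
    findings = []
    for e in events:
        if e["type"] == "set_thread_context":
            # Hollowing of a child running the same image: the parent wrote
            # into the child and then redirected its primary thread.
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            if (src and dst and src["image"].lower() == dst["image"].lower()
                    and e["target"] in wrote[e["pid"]]):
                findings.append(("self_hollowing", e["pid"], dst["image"]))
        elif e["type"] == "process":
            cmd = e["cmd"]
            m = re.search(r'Add-MpPreference\s+-ExclusionPath\s+"([^"]+)"', cmd, re.I)
            if m:
                findings.append(("defender_exclusion", e["pid"], m.group(1)))
            m = re.search(r'/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', cmd, re.I)
            if m and re.search(r"\\AppData\\Local\\Temp\\", m.group(2), re.I):
                findings.append(("schtasks_from_temp", e["pid"], m.group(1)))
        elif e["type"] == "reg_set":
            if ("\\CurrentVersion\\Run\\" in e["key"]
                    and re.search(r"\\AppData\\", e["value"], re.I)):
                findings.append(("run_key_appdata", e["pid"], e["value"]))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

The self-hollowing rule deliberately requires both a prior WriteProcessMemory into the target and a SetThreadContext on it; either call alone is common in benign debuggers and installers, and the pair on a child with the same image is what makes this sample's behaviour distinctive.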
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB8C5.tmp (the task definition passed to schtasks.exe via /XML)
  Filesize: 1KB
  MD5: cca3f00e4e9ed0a46aefe04af81e2281
  SHA1: 8515b3c7ecfe7a7008e599b798d79120415e7a0a
  SHA256: db612e414e45e8abb7de4768783873ecbb255346b62e5bfb77be1e984fef2e77
  SHA512: 93fe6fe9ec38733458a607eeb1e1c8ff8970407fa26727aaa9ab09bf705294a0530942296c5eb293de4051cb62eeda119e8b74aa5562141e5ca6bcf9dda97894
- memory/940-59-0x0000000000000000-mapping.dmp
- memory/940-77-0x000000006E940000-0x000000006EEEB000-memory.dmp (Filesize: 5.7MB)
- memory/940-76-0x000000006E940000-0x000000006EEEB000-memory.dmp (Filesize: 5.7MB)
- memory/960-60-0x0000000000000000-mapping.dmp
- memory/1424-63-0x0000000004760000-0x000000000479A000-memory.dmp (Filesize: 232KB)
- memory/1424-58-0x00000000050B0000-0x0000000005144000-memory.dmp (Filesize: 592KB)
- memory/1424-57-0x00000000007F0000-0x00000000007FC000-memory.dmp (Filesize: 48KB)
- memory/1424-54-0x00000000104A0000-0x000000001059A000-memory.dmp (Filesize: 1000KB)
- memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp (Filesize: 8KB)
- memory/1424-56-0x0000000000780000-0x000000000079C000-memory.dmp (Filesize: 112KB)
- memory/1640-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-67-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-69-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-70-0x000000000043586E-mapping.dmp
- memory/1640-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-74-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1640-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)

The dumps worth pulling first are the 1640 snapshots of 0x400000-0x43A000: that range is the image of the hollowed child, and the mapping at 0x43586E inside it is where the parent pointed the child's thread. The 232KB region at 0x4760000 in the parent (PID 1424) is the same size as that child image, which is what a payload staged in the loader's memory before being written into the child looks like. The 1000KB region at 0x104A0000 in 1424 matches the 988KB on-disk sample and is the loader's own image.
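Cross-checking the dump inventory against the process tree is routine: confirm each region's size against the Filesize the report prints, find which dumped region a mapping address lands in, and look for a parent region the same size as the child's image. The script below is an added example and not part of the sandbox report or its tooling: DUMPS copies the dump file names from the report verbatim, while the name grammar it assumes (memory/<pid>-<seq>-<start>-<end>-memory.dmp for region snapshots and memory/<pid>-<seq>-<address>-mapping.dmp for thread-entry mappings) and the helper functions are this example's own. The staged_copies check goes one step beyond the report, which only lists the sizes.

```python
"""Inventory the memory dumps in a sandbox report's Downloads section.

Added example, not part of the sandbox report. DUMPS is copied from the
report; the assumed name grammar and the helpers are this example's own.
"""
import re

DUMPS = [
    "memory/940-59-0x0000000000000000-mapping.dmp",
    "memory/940-77-0x000000006E940000-0x000000006EEEB000-memory.dmp",
    "memory/940-76-0x000000006E940000-0x000000006EEEB000-memory.dmp",
    "memory/960-60-0x0000000000000000-mapping.dmp",
    "memory/1424-63-0x0000000004760000-0x000000000479A000-memory.dmp",
    "memory/1424-58-0x00000000050B0000-0x0000000005144000-memory.dmp",
    "memory/1424-57-0x00000000007F0000-0x00000000007FC000-memory.dmp",
    "memory/1424-54-0x00000000104A0000-0x000000001059A000-memory.dmp",
    "memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp",
    "memory/1424-56-0x0000000000780000-0x000000000079C000-memory.dmp",
    "memory/1640-68-0x0000000000400000-0x000000000043A000-memory.dmp",
    "memory/1640-70-0x000000000043586E-mapping.dmp",
    "memory/1640-64-0x0000000000400000-0x000000000043A000-memory.dmp",
]

# Assumed name grammar (see lead-in); hex fields are parsed as integers.
REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dumps(names):
    """Split dump names into region snapshots and thread-entry mappings."""
    regions, mappings = [], []
    for name in names:
        m = REGION.match(name)
        if m:
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": int(m[3], 16), "end": int(m[4], 16)})
            continue
        m = MAPPING.match(name)
        if m:
            mappings.append({"pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)})
            continue
        raise ValueError(f"unrecognised dump name: {name}")
    return regions, mappings


def size_kb(region):
    """Region length in KiB, to cross-check the Filesize the report prints."""
    return (region["end"] - region["start"]) // 1024


def locate_mappings(regions, mappings):
    """For each mapping, the dumped region of the same PID containing its address.

    Address 0 carries no entry point (the report shows it for the children
    created normally); a non-zero address inside a dumped image region is
    where the parent pointed the hollowed child's thread.
    """
    out = []
    for mp in mappings:
        hit = next((r for r in regions
                    if r["pid"] == mp["pid"] and r["start"] <= mp["addr"] < r["end"]), None)
        out.append((mp["pid"], mp["addr"], None if hit is None else (hit["start"], hit["end"])))
    return out


def staged_copies(regions, parent_pid, child_pid):
    """Parent/child region pairs of identical length: candidates for a payload
    decrypted in the parent and then written into the hollowed child."""
    pairs = set()
    for p in (r for r in regions if r["pid"] == parent_pid):
        for c in (r for r in regions if r["pid"] == child_pid):
            if p["end"] - p["start"] == c["end"] - c["start"]:
                pairs.add(((p["start"], p["end"]), (c["start"], c["end"])))
    return pairs


if __name__ == "__main__":
    regions, mappings = parse_dumps(DUMPS)
    for r in regions:
        print(f'{r["pid"]:>5} {r["start"]:#010x}-{r["end"]:#010x} {size_kb(r)} KB')
    print(locate_mappings(regions, mappings))
    print(staged_copies(regions, 1424, 1640))
```

Sizes are truncated to whole KiB, so the 5.7MB regions of PID 940 come out as 5804 KB; compare against the report's rounded figures with that in mind.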