Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-10-2022 15:10
General
-
Target
Ref02812041077.exe
-
Size
2.1MB
-
MD5
9fa9b26c4cd53dac25384bdcc23eb78e
-
SHA1
90990676b8af8e355aef96951afd9e0ad8fbe4f8
-
SHA256
caee2b09afaf3f24a972b3e8031b89088c68574541d115ab992a172a01d138f6
-
SHA512
901e6ee9a81f6bc83f618b6ecb0b539dcb3cf1d1fdb5cfdfd9c5cc3e772580dc5ef4e8b59218c161f07171c7d1cbb70cfa69b7caa03a45429d05977d3112226f
-
SSDEEP
49152:pN5rOMtg7+5O8g1x9+7W6Xl5qqTg0lvgtsfzdj2RJhrdU:p7rPDg1x9R6Xl53TgIH7dj25hU
Malware Config
Extracted
agenttesla
http://195.178.120.72/ch1t/inc/c20966a2dd74ab.php
Extracted
nanocore
1.2.2.0
rze6.sytes.net:8000
0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-07-19T10:27:50.574421636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8000
-
default_group
OCT
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
rze6.sytes.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE 5 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ref02812041077.exe"C:\Users\Admin\AppData\Local\Temp\Ref02812041077.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exe"C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe"C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\5_27\rokqdg.vbe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe"C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe" cvofsjhjdg.cgl3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5_27\aqrrtlpv.pptFilesize
68KB
MD51ee6f70fe08949bd42c31d47b601c571
SHA1afa6f2ba2ad34cbf1fda3e9d8bb9b1f67585ea3e
SHA2565df338a513df5fa2e91bcf1548bb01dbd402597dc76f66c87b49c9bae8d7027d
SHA512b4564bef1fd9462a92365ff3f0627953df04163441b861e89bb3896a08ba47de48a569510deb78a5ed4f7fb358805b1cd1f7c8e6332ab6a6887393707bb49855
-
C:\Users\Admin\AppData\Local\Temp\5_27\cvofsjhjdg.cglFilesize
84.0MB
MD5914100c14c1094ba87aa16f640b4ad85
SHA10fc433ff5714e00a7ec3260e6add20976a481aa3
SHA256b720e0d7993033ca601956aeb059c8316a896269967607c52b8c7843e4d8c6b1
SHA512ac51ed17ee302b1fa485a791d40acb57651b404ccf8ef7f6f0ce7a0b891c1f82b62711aadcd346276da05d9a9ce44385d7a7eafa9fc7a742290d4d30785c3635
-
C:\Users\Admin\AppData\Local\Temp\5_27\dsfg.exeFilesize
1.1MB
MD5c8e5ca487ff6781d2ec035c761b19b76
SHA1c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA5122de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
-
C:\Users\Admin\AppData\Local\Temp\5_27\lxiu.lbjFilesize
418KB
MD536a168a1aefeff15233b77907c97b336
SHA103e77806d64c6bbca865cb43b4359e9ac3022a51
SHA2562283150c4dab436663c2244d780ccf4061db6b1450651aab5f477efbf57d31a0
SHA512e80aef149ac00b3f35e12cd6ce394aff407e75375014a71f5d409ca1a04c569e83f0379e20e06a1f6b690db4e811c5a4d136632dc640a9529d99321482b0b6c8
-
C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exeFilesize
1.1MB
MD5fb6db1fb61e155a50123280708c1ff9c
SHA15109ea07812d945bc86f1324777710db5bef7391
SHA2562687d111c581c53b020d28b863bc6c05d3bfb0398d0189888edf36ed296bcdbc
SHA512b1843975674444586b84cb90ea3e89646f6ae28e15035b786572fd446f1300ad7193cdd9357e7f382550d8eb0ff8f659f2bf51fe02e8a867301b6746db702df5
-
C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exeFilesize
1.1MB
MD5fb6db1fb61e155a50123280708c1ff9c
SHA15109ea07812d945bc86f1324777710db5bef7391
SHA2562687d111c581c53b020d28b863bc6c05d3bfb0398d0189888edf36ed296bcdbc
SHA512b1843975674444586b84cb90ea3e89646f6ae28e15035b786572fd446f1300ad7193cdd9357e7f382550d8eb0ff8f659f2bf51fe02e8a867301b6746db702df5
-
C:\Users\Admin\AppData\Local\Temp\8_51\evjwxossb.datFilesize
48KB
MD5e8904ec1444f4527fb8faf41e4f0cfbd
SHA16da7aceeeae8659f8eab1ef2f2660fa130cbfb7b
SHA25698599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0
SHA5127b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470
-
C:\Users\Admin\AppData\Local\Temp\8_51\fucfmk.qxwFilesize
99.8MB
MD5d067a5c5a84af23f9380a2b59c8c8006
SHA14ba393ded67d3b5784244a0d2d033797696e8cc5
SHA256c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568
SHA5126ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34
-
C:\Users\Admin\AppData\Local\Temp\8_51\gsbplmvv.dtkFilesize
405KB
MD5c748255ddb2d951339a6bbceea40eb78
SHA180c026ffa166f786b795f3926c1ed2420fc61e6c
SHA25696151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb
SHA51211380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032
-
C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exeFilesize
1.1MB
MD52eacb18ce33c4c5a9070233449518081
SHA155820bec82c368a425f31019ea90844bb33ef200
SHA256db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
-
C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exeFilesize
1.1MB
MD52eacb18ce33c4c5a9070233449518081
SHA155820bec82c368a425f31019ea90844bb33ef200
SHA256db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exeFilesize
1.1MB
MD5c8e5ca487ff6781d2ec035c761b19b76
SHA1c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA5122de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
-
C:\Users\Admin\AppData\Local\temp\5_27\rokqdg.vbeFilesize
20KB
MD5349b00371be9475a3f8064dbadbf37b3
SHA1376d9f451d417ff505c69c61ea0f9266de47d6af
SHA25672776a859c5122bf222050868f761e70582fceb7115cc3d03ed40b63cd9c0d14
SHA5122508bc2bcebda659c251d24133018a1b62b1b4701f6bf4e96b8846d10cfb106d5a3a5158bfcadeb86d4811e4fe4505f8f7a1ab29869fb4e5344f27a7d19311d1
-
C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbeFilesize
34KB
MD52b68f8d475481dd68bebaa0536b1eb7b
SHA1d32e444134f3826bc705b1bbda6f3662901d876a
SHA2561d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376
SHA512047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1
-
memory/1128-132-0x0000000000000000-mapping.dmp
-
memory/2148-143-0x0000000000000000-mapping.dmp
-
memory/2168-138-0x0000000000000000-mapping.dmp
-
memory/3472-141-0x0000000000000000-mapping.dmp
-
memory/3720-154-0x0000000000D30000-0x0000000000D6A000-memory.dmpFilesize
232KB
-
memory/3720-150-0x0000000000D659AE-mapping.dmp
-
memory/3720-156-0x00000000060C0000-0x0000000006664000-memory.dmpFilesize
5.6MB
-
memory/3720-149-0x0000000000D30000-0x000000000129A000-memory.dmpFilesize
5.4MB
-
memory/3720-161-0x0000000005A00000-0x0000000005A9C000-memory.dmpFilesize
624KB
-
memory/3720-162-0x0000000006030000-0x0000000006096000-memory.dmpFilesize
408KB
-
memory/3720-163-0x0000000006C60000-0x0000000006CB0000-memory.dmpFilesize
320KB
-
memory/3720-164-0x0000000006F90000-0x0000000007022000-memory.dmpFilesize
584KB
-
memory/3720-165-0x0000000006F40000-0x0000000006F4A000-memory.dmpFilesize
40KB
-
memory/4864-135-0x0000000000000000-mapping.dmp
-
memory/5112-157-0x0000000000B00000-0x000000000121A000-memory.dmpFilesize
7.1MB
-
memory/5112-158-0x0000000000B1E792-mapping.dmp
-
memory/5112-160-0x0000000000B00000-0x0000000000B38000-memory.dmpFilesize
224KB