Overview

overview

10

Static

static

Ref02812041077.exe

windows7-x64

10

Ref02812041077.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2022 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ref02812041077.exe

  • Size

    2.1MB

  • MD5

    9fa9b26c4cd53dac25384bdcc23eb78e

  • SHA1

    90990676b8af8e355aef96951afd9e0ad8fbe4f8

  • SHA256

    caee2b09afaf3f24a972b3e8031b89088c68574541d115ab992a172a01d138f6

  • SHA512

    901e6ee9a81f6bc83f618b6ecb0b539dcb3cf1d1fdb5cfdfd9c5cc3e772580dc5ef4e8b59218c161f07171c7d1cbb70cfa69b7caa03a45429d05977d3112226f

  • SSDEEP

    49152:pN5rOMtg7+5O8g1x9+7W6Xl5qqTg0lvgtsfzdj2RJhrdU:p7rPDg1x9R6Xl53TgIH7dj25hU

Score
10/10
agentteslananocorecollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

http://195.178.120.72/ch1t/inc/c20966a2dd74ab.php

Extracted

Family

nanocore

Version

1.2.2.0

C2

rze6.sytes.net:8000

Mutex

0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-07-19T10:27:50.574421636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8000

  • default_group

    OCT

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    rze6.sytes.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ref02812041077.exe
    "C:\Users\Admin\AppData\Local\Temp\Ref02812041077.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exe
      "C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe
          "C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:5112
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\5_27\rokqdg.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe
        "C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe" cvofsjhjdg.cgl
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:3720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5_27\aqrrtlpv.ppt
    Filesize

    68KB

    MD5

    1ee6f70fe08949bd42c31d47b601c571

    SHA1

    afa6f2ba2ad34cbf1fda3e9d8bb9b1f67585ea3e

    SHA256

    5df338a513df5fa2e91bcf1548bb01dbd402597dc76f66c87b49c9bae8d7027d

    SHA512

    b4564bef1fd9462a92365ff3f0627953df04163441b861e89bb3896a08ba47de48a569510deb78a5ed4f7fb358805b1cd1f7c8e6332ab6a6887393707bb49855

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5_27\cvofsjhjdg.cgl
    Filesize

    84.0MB

    MD5

    914100c14c1094ba87aa16f640b4ad85

    SHA1

    0fc433ff5714e00a7ec3260e6add20976a481aa3

    SHA256

    b720e0d7993033ca601956aeb059c8316a896269967607c52b8c7843e4d8c6b1

    SHA512

    ac51ed17ee302b1fa485a791d40acb57651b404ccf8ef7f6f0ce7a0b891c1f82b62711aadcd346276da05d9a9ce44385d7a7eafa9fc7a742290d4d30785c3635

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5_27\dsfg.exe
    Filesize

    1.1MB

    MD5

    c8e5ca487ff6781d2ec035c761b19b76

    SHA1

    c18bf2cd15ad9ff04f127fcc2b62791894f4de1e

    SHA256

    dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed

    SHA512

    2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5_27\lxiu.lbj
    Filesize

    418KB

    MD5

    36a168a1aefeff15233b77907c97b336

    SHA1

    03e77806d64c6bbca865cb43b4359e9ac3022a51

    SHA256

    2283150c4dab436663c2244d780ccf4061db6b1450651aab5f477efbf57d31a0

    SHA512

    e80aef149ac00b3f35e12cd6ce394aff407e75375014a71f5d409ca1a04c569e83f0379e20e06a1f6b690db4e811c5a4d136632dc640a9529d99321482b0b6c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe
    Filesize

    1.1MB

    MD5

    fb6db1fb61e155a50123280708c1ff9c

    SHA1

    5109ea07812d945bc86f1324777710db5bef7391

    SHA256

    2687d111c581c53b020d28b863bc6c05d3bfb0398d0189888edf36ed296bcdbc

    SHA512

    b1843975674444586b84cb90ea3e89646f6ae28e15035b786572fd446f1300ad7193cdd9357e7f382550d8eb0ff8f659f2bf51fe02e8a867301b6746db702df5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5_27\qmmeoq.exe
    Filesize

    1.1MB

    MD5

    fb6db1fb61e155a50123280708c1ff9c

    SHA1

    5109ea07812d945bc86f1324777710db5bef7391

    SHA256

    2687d111c581c53b020d28b863bc6c05d3bfb0398d0189888edf36ed296bcdbc

    SHA512

    b1843975674444586b84cb90ea3e89646f6ae28e15035b786572fd446f1300ad7193cdd9357e7f382550d8eb0ff8f659f2bf51fe02e8a867301b6746db702df5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8_51\evjwxossb.dat
    Filesize

    48KB

    MD5

    e8904ec1444f4527fb8faf41e4f0cfbd

    SHA1

    6da7aceeeae8659f8eab1ef2f2660fa130cbfb7b

    SHA256

    98599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0

    SHA512

    7b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8_51\fucfmk.qxw
    Filesize

    99.8MB

    MD5

    d067a5c5a84af23f9380a2b59c8c8006

    SHA1

    4ba393ded67d3b5784244a0d2d033797696e8cc5

    SHA256

    c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568

    SHA512

    6ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8_51\gsbplmvv.dtk
    Filesize

    405KB

    MD5

    c748255ddb2d951339a6bbceea40eb78

    SHA1

    80c026ffa166f786b795f3926c1ed2420fc61e6c

    SHA256

    96151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb

    SHA512

    11380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe
    Filesize

    1.1MB

    MD5

    2eacb18ce33c4c5a9070233449518081

    SHA1

    55820bec82c368a425f31019ea90844bb33ef200

    SHA256

    db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568

    SHA512

    c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe
    Filesize

    1.1MB

    MD5

    2eacb18ce33c4c5a9070233449518081

    SHA1

    55820bec82c368a425f31019ea90844bb33ef200

    SHA256

    db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568

    SHA512

    c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\5_27\dsfg.exe
    Filesize

    1.1MB

    MD5

    c8e5ca487ff6781d2ec035c761b19b76

    SHA1

    c18bf2cd15ad9ff04f127fcc2b62791894f4de1e

    SHA256

    dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed

    SHA512

    2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\5_27\rokqdg.vbe
    Filesize

    20KB

    MD5

    349b00371be9475a3f8064dbadbf37b3

    SHA1

    376d9f451d417ff505c69c61ea0f9266de47d6af

    SHA256

    72776a859c5122bf222050868f761e70582fceb7115cc3d03ed40b63cd9c0d14

    SHA512

    2508bc2bcebda659c251d24133018a1b62b1b4701f6bf4e96b8846d10cfb106d5a3a5158bfcadeb86d4811e4fe4505f8f7a1ab29869fb4e5344f27a7d19311d1

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe
    Filesize

    34KB

    MD5

    2b68f8d475481dd68bebaa0536b1eb7b

    SHA1

    d32e444134f3826bc705b1bbda6f3662901d876a

    SHA256

    1d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376

    SHA512

    047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1

    Download Submit

  • memory/1128-132-0x0000000000000000-mapping.dmp

    Download

  • memory/2148-143-0x0000000000000000-mapping.dmp

    Download

  • memory/2168-138-0x0000000000000000-mapping.dmp

    Download

  • memory/3472-141-0x0000000000000000-mapping.dmp

    Download

  • memory/3720-154-0x0000000000D30000-0x0000000000D6A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3720-150-0x0000000000D659AE-mapping.dmp

    Download

  • memory/3720-156-0x00000000060C0000-0x0000000006664000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3720-149-0x0000000000D30000-0x000000000129A000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/3720-161-0x0000000005A00000-0x0000000005A9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3720-162-0x0000000006030000-0x0000000006096000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3720-163-0x0000000006C60000-0x0000000006CB0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3720-164-0x0000000006F90000-0x0000000007022000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3720-165-0x0000000006F40000-0x0000000006F4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4864-135-0x0000000000000000-mapping.dmp

    Download

  • memory/5112-157-0x0000000000B00000-0x000000000121A000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5112-158-0x0000000000B1E792-mapping.dmp

    Download

  • memory/5112-160-0x0000000000B00000-0x0000000000B38000-memory.dmp

    Filesize

    224KB

    Download