Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14/11/2022, 18:59
Static task
static1
Behavioral task
behavioral1
Sample
96edcd46e58edf1240c2e4873fcdb388.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
96edcd46e58edf1240c2e4873fcdb388.exe
Resource
win10v2004-20220901-en
General
-
Target
96edcd46e58edf1240c2e4873fcdb388.exe
-
Size
2.1MB
-
MD5
3ea3298d807b865a2efd07a9fb0f3d3b
-
SHA1
6f5fe17c8077679be4c5f0f03e4565dc981e6ae5
-
SHA256
954d2c18ef0e7d5dbbded7e1a565e6eeb9007347ab22a1448000363d2269fb8a
-
SHA512
728eecbd2f4c47cfcc5fd82dc3673fd3a965e76212233ea2228285100fb2c680d4269b70e7ccc03eb54d532512fbc97edc232aeed80b39d7a657b0c1ac935aa4
-
SSDEEP
49152:prY2CCChx9+7Wll5qqTg0lvgtsfzdj2RJhrdQ:prYiAx9Rll53TgIH7dj25hQ
Malware Config
Extracted
nanocore
1.2.2.0
rze6.sytes.net:8000
0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
-
activate_away_mode
true
-
backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-07-19T10:27:50.574421636Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8000
-
default_group
OCT
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
rze6.sytes.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
agenttesla
http://195.178.120.72/3ip/inc/523ecb38582a9c.php
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 5 IoCs
pid Process
4796 dsfg.exe
1748 hege.exe
940 ixvxuwek.exe
2320 RegSvcs.exe
2204 RegSvcs.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 96edcd46e58edf1240c2e4873fcdb388.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation dsfg.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe
-
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk hege.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk hege.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run hege.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\hege.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\mnqlt.wgc" hege.exe
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce hege.exe
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1_36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\start.vbs" hege.exe
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 940 set thread context of 2320 940 ixvxuwek.exe 88
PID 1748 set thread context of 2204 1748 hege.exe 90
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings dsfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WScript.exe
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings 96edcd46e58edf1240c2e4873fcdb388.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WScript.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process (count)
1748 hege.exe (12 entries)
2320 RegSvcs.exe (4 entries)
2204 RegSvcs.exe (6 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2204 RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2204 RegSvcs.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target (count)
PID 4904 wrote to memory of 4796 4904 96edcd46e58edf1240c2e4873fcdb388.exe 80 (3 entries)
PID 4904 wrote to memory of 620 4904 96edcd46e58edf1240c2e4873fcdb388.exe 82 (3 entries)
PID 4796 wrote to memory of 2704 4796 dsfg.exe 83 (3 entries)
PID 620 wrote to memory of 1748 620 WScript.exe 84 (3 entries)
PID 2704 wrote to memory of 940 2704 WScript.exe 85 (3 entries)
PID 940 wrote to memory of 2320 940 ixvxuwek.exe 88 (5 entries)
PID 1748 wrote to memory of 2204 1748 hege.exe 90 (5 entries)
-
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
-
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904
  -
  C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4796
    -
    C:\Windows\SysWOW64\WScript.exe (depth 3)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
      -
      C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:940
        -
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 5)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:2320
  -
  C:\Windows\SysWOW64\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:620
    -
    C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe" mnqlt.wgc
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1748
      -
      C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
      PID:2204
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.1MB
MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
-
Filesize
1.1MB
MD5 44feac1004f49cb51e6f1bd87c1cb84e
SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2
-
Filesize
1.1MB
MD5 44feac1004f49cb51e6f1bd87c1cb84e
SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2
-
Filesize
418KB
MD5 9e4a8690483334efebb30c429d6fc40b
SHA1 9614746bbf68eb7f7bd33a66a3303df6f41c07a9
SHA256 a2828b554e7b93d1df47d3edc54446f018dac886ae7536a9bc3a486af1e4ee0f
SHA512 6e62f212bd523bbd7836ca17960c440a2503564b10d74c82827c11aec5f91fc144d3506051e2f4001eb4293eb21136f649ef7915a72e80e0ea0c22b6fd9f02cd
-
Filesize
108.1MB
MD5 898af92a3eeeae416191d38caa837a46
SHA1 63d1b35d2d39530a60bf975be479878ba0f2b2a9
SHA256 52f6d5aa3bb72c018b49d3cdc7b451e337b420cf684444dc8c510ce92fa5482a
SHA512 03e923aa1ca0ed7c0f6eaa46cc29cdf1d9cb82993265a4919585bb8b494c61721b37abe5bfe3e6fa05d6649b9ca04d3debc0e94099c2528030118f25f7147aa2
-
Filesize
55KB
MD5 569a476fd4914959b107f46ff369fa5b
SHA1 3bd88989da2d75d13823def81d57deb65d1a3be3
SHA256 af9ba53689747783e7de72fbf649a04fdbe1015f66c75156c389824a8c13cf85
SHA512 86d6ca086734aa961024eea47c9b321705767dba9fe90b1f82fd0b514f0dc7ace168da68bcf7d4e756c5693a6bc760eb44f02f295a1b1c1fb517bdf2c6742bf3
-
Filesize
48KB
MD5 e8904ec1444f4527fb8faf41e4f0cfbd
SHA1 6da7aceeeae8659f8eab1ef2f2660fa130cbfb7b
SHA256 98599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0
SHA512 7b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470
-
Filesize
99.8MB
MD5 d067a5c5a84af23f9380a2b59c8c8006
SHA1 4ba393ded67d3b5784244a0d2d033797696e8cc5
SHA256 c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568
SHA512 6ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34
-
Filesize
405KB
MD5 c748255ddb2d951339a6bbceea40eb78
SHA1 80c026ffa166f786b795f3926c1ed2420fc61e6c
SHA256 96151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb
SHA512 11380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032
-
Filesize
1.1MB
MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
-
Filesize
1.1MB
MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
-
Filesize
44KB
MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
Filesize
44KB
MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
Filesize
44KB
MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
Filesize
1.1MB
MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
-
Filesize
28KB
MD5 268e04d7485e8be575fe6746a64801ab
SHA1 eeee374259d4d185cbe8dff17c72fed35dfcbf2e
SHA256 698780161fbd70fc2e5522f14bd173382852ae7f1b7ddb640d0528136d23d695
SHA512 1ad27bb53eb1d53fbb19b5cf2b7838874d3b1e25ec63ea1bf13588098cbdc69467e79fbe60f8b47a763e03bc6998a72fdc7e0d2496dfb2072bd8ed79236fd788
-
Filesize
34KB
MD5 2b68f8d475481dd68bebaa0536b1eb7b
SHA1 d32e444134f3826bc705b1bbda6f3662901d876a
SHA256 1d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376
SHA512 047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1