Analysis
-
max time kernel
70s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
22-11-2022 09:40
Static task
static1
Behavioral task
behavioral1
Sample
BL copy.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
BL copy.exe
Resource
win10v2004-20221111-en
General
-
Target
BL copy.exe
-
Size
478KB
-
MD5
c0ba88e93c37a5381ed30ebe13e3230d
-
SHA1
dbb6385a5acc6993e234d533b75bfc888dab8649
-
SHA256
4d32ec11bf2963e4a505853ea46c4b15b73ad0b435fd3f279d034480335901a9
-
SHA512
0c6160803d16677c7b00821dc612aea82ed6424272160d9117076227b762609bab2a22b18b1edc88c91579ef04f88877601176e70420a2ecdda63990fc1f496e
-
SSDEEP
6144:bEa0biTgOrovwH/BdHZONl0E5aHKVRjT8i1M1IeFZSjyhlk7NQr1LsPD4RtR0:YfyovWHONluHKVRjAiCuyh86BgD4l0
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
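The extracted config is a Telegram Bot API base URL. The `bot<id>:<secret>` path segment is the bot token the sample uses to push stolen data; it is both the C2 credential and the most specific indicator on this page, because the host api.telegram.org is a legitimate service that cannot simply be blocked. The Python below is an added example, not part of the Triage report, that pulls the token out of this URL (or out of a strings dump), redacts it for sharing, and builds a path-based indicator. The token-format regex widths are assumptions; the sample URL is the one from the Malware Config section.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API calls are https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The "<bot_id>:<secret>" pair is the bot's bearer credential; whoever holds it can
# read the bot's chats, so it is the single most useful artefact in this config.
# Current tokens are a numeric id, a colon and a 35-character secret; the regex is
# kept slightly wider than that (assumption) so minor format changes still match.
TOKEN_RE = re.compile(r"bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,50})")

# Value taken from the Malware Config section of this report.
SAMPLE_URL = "https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/"


def parse_telegram_c2(url):
    """Split an AgentTesla Telegram exfiltration URL into host, bot id and secret.

    Returns None when the URL is not a Telegram Bot API base URL, so callers can
    tell a Telegram config apart from the SMTP/FTP variants of the same family.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = TOKEN_RE.search(parts.path)
    if not m:
        return None
    return {
        "host": parts.hostname,
        "bot_id": m.group("bot_id"),
        "secret": m.group("secret"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
    }


def find_bot_tokens(blob):
    """Scan arbitrary text (strings output, a memory dump, a decoded config) for
    Telegram bot tokens. Returns the distinct tokens in sorted order."""
    return sorted({f"{m.group('bot_id')}:{m.group('secret')}" for m in TOKEN_RE.finditer(blob)})


def redact_token(token):
    """Keep the bot id (needed to correlate samples) and mask the secret, so the
    indicator can be shared without handing out a working credential."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def network_indicators(cfg):
    """Build the indicators a blocklist should carry. The host alone is a poor
    indicator: api.telegram.org is legitimate and widely used, so the block has to
    key on the URL path that contains the token."""
    return {
        "url_path_prefix": f"/bot{cfg['token']}/",
        "shared_token": redact_token(cfg["token"]),
        "host_is_legitimate_service": True,
    }


if __name__ == "__main__":
    cfg = parse_telegram_c2(SAMPLE_URL)
    print(cfg["bot_id"], network_indicators(cfg))
```

The bot id survives redaction on purpose: it is stable across every sample that reuses the same bot, so it is the value to pivot on when clustering AgentTesla configs.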
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the configuration extracted above shows this sample exfiltrating through the Telegram Bot API rather than the family's SMTP or FTP channels.
-
Executes dropped EXE 3 IoCs
  pid   Process
  1492  aiikyaiziv.exe
  1784  aiikyaiziv.exe
  1376  aiikyaiziv.exe
-
Loads dropped DLL 3 IoCs
  pid   Process
  876   BL copy.exe
  1492  aiikyaiziv.exe
  1492  aiikyaiziv.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  description  ioc                                                                                                                                                Process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          aiikyaiziv.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aiikyaiziv.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          aiikyaiziv.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
  description      ioc                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\raatsuimwhcyt = "C:\\Users\\Admin\\AppData\\Roaming\\ubmpptut\\rulqhky.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aiikyaiziv.exe\" C:\\Users\\Admin\\AppData\\Loca"  aiikyaiziv.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MYAPP = "C:\\Users\\Admin\\AppData\\Roaming\\MYAPP\\MYAPP.exe"  aiikyaiziv.exe
  (Values are shown with Triage's escaping: backslashes doubled, embedded quotes as \". The first value is truncated in the report.)
-
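The two Run values deserve a closer look than the signature name suggests: the first one does not point at aiikyaiziv.exe itself but at a separate launcher, rulqhky.exe under AppData\Roaming\ubmpptut, which is handed the Temp-resident payload as an argument; the second persists a further copy as MYAPP\MYAPP.exe. The Python below is an added example, not part of the Triage report, that parses the rows as rendered on this page (doubled backslashes, escaped inner quotes, truncated first value) and pulls out the persisted image, its arguments and whether it lives in a user-writable directory. The row format and the "user-writable" directory markers are this example's assumptions.

```python
import re

# Two "Adds Run key to start application" rows copied from this report, in the form
# Triage renders them: backslashes in the value are doubled and embedded quotes are
# written as backslash-quote. The first value is cut off in the report ("...\\AppData\\Loca")
# and is kept that way here; the parser does not try to complete it.
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\raatsuimwhcyt = "C:\\Users\\Admin\\AppData\\Roaming\\ubmpptut\\rulqhky.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aiikyaiziv.exe\" C:\\Users\\Admin\\AppData\\Loca" aiikyaiziv.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MYAPP = "C:\\Users\\Admin\\AppData\\Roaming\\MYAPP\\MYAPP.exe" aiikyaiziv.exe',
]

# Row layout as rendered on this page (assumption): description, key, quoted value, writer process.
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<value>.*)" (?P<process>\S+)$')
# A command-line token is either a quoted string or a run of non-blanks.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Directory markers a standard user can write to (assumption); a Run value that
# launches from one of these is worth a look even without other context.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\public\\")


def unescape_value(value):
    """Undo the report's escaping: backslash-quote becomes a quote, then doubled backslashes become one."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def split_command_line(cmd):
    """Split a Run value into image path and arguments, honouring quoted paths."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    return tokens[0], tokens[1:]


def is_user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or any(m in p for m in USER_WRITABLE_MARKERS)


def parse_run_rows(rows):
    """Turn rendered Run-key rows into structured persistence entries."""
    entries = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        image, args = split_command_line(unescape_value(m.group("value")))
        hive_key, _, name = m.group("key").rpartition("\\")
        entries.append({
            "name": name,
            "hive_key": hive_key,
            "image": image,
            "args": args,
            "user_writable": is_user_writable(image),
            # the persisted launcher is a different binary from the process that wrote the key
            "launcher_differs_from_writer": image.rpartition("\\")[2].lower() != m.group("process").lower(),
            "written_by": m.group("process"),
        })
    return entries


if __name__ == "__main__":
    for e in parse_run_rows(RUN_ROWS):
        print(e["name"], "->", e["image"], e["args"], "user-writable:", e["user_writable"])
```

When triaging a host, the entry to collect first is the image path, not the value name: raatsuimwhcyt and MYAPP are disposable, but rulqhky.exe and MYAPP.exe are the files that will survive a reboot.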
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     api.ipify.org
  4     api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
  description                           pid   Process         procid_target
  PID 1492 set thread context of 1376   1492  aiikyaiziv.exe  31
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage's generic text for this signature reads "Likely ransomware behaviour", but that does not fit this sample: nothing else in the report (no bulk file writes, no encryption, no ransom note) supports it, and drive enumeration is also routine for an infostealer collecting host details. Treat the signature as low-weight on its own.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid   Process
  1376  aiikyaiziv.exe
  1376  aiikyaiziv.exe
  1376  aiikyaiziv.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
  pid   Process
  1492  aiikyaiziv.exe
  1492  aiikyaiziv.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  1376  aiikyaiziv.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
  description                        pid   Process         procid_target
  PID 876 wrote to memory of 1492    876   BL copy.exe     28
  PID 876 wrote to memory of 1492    876   BL copy.exe     28
  PID 876 wrote to memory of 1492    876   BL copy.exe     28
  PID 876 wrote to memory of 1492    876   BL copy.exe     28
  PID 1492 wrote to memory of 1784   1492  aiikyaiziv.exe  30
  PID 1492 wrote to memory of 1784   1492  aiikyaiziv.exe  30
  PID 1492 wrote to memory of 1784   1492  aiikyaiziv.exe  30
  PID 1492 wrote to memory of 1784   1492  aiikyaiziv.exe  30
  PID 1492 wrote to memory of 1376   1492  aiikyaiziv.exe  31
  PID 1492 wrote to memory of 1376   1492  aiikyaiziv.exe  31
  PID 1492 wrote to memory of 1376   1492  aiikyaiziv.exe  31
  PID 1492 wrote to memory of 1376   1492  aiikyaiziv.exe  31
  PID 1492 wrote to memory of 1376   1492  aiikyaiziv.exe  31
-
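Read together, the WriteProcessMemory and SetThreadContext rows describe a self-injection chain: BL copy.exe writes into its dropped child aiikyaiziv.exe (1492); 1492 spawns two copies of itself (1784 and 1376), writes into both, but sets the thread context of 1376 only; and 1376 is then the process that reads Outlook profiles, enumerates processes and takes SeDebugPrivilege. The Python below is an added example, not part of the Triage report, that parses those rows as rendered on this page and labels the pattern per target PID. The PID-to-image map and the row multiplicities (4 + 4 + 5 writes, 1 thread-context set) are copied from the report; the verdict strings are this example's own labels, not Triage's.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" (13 rows: 4 + 4 + 5) and
# "Suspicious use of SetThreadContext" (1 row) signatures, in the flattened form the
# report renders: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# procid_target is Triage's internal process index, not a Windows PID.
WRITE_ROWS = " ".join(
    ["PID 876 wrote to memory of 1492 876 BL copy.exe 28"] * 4
    + ["PID 1492 wrote to memory of 1784 1492 aiikyaiziv.exe 30"] * 4
    + ["PID 1492 wrote to memory of 1376 1492 aiikyaiziv.exe 31"] * 5
)
THREAD_ROWS = "PID 1492 set thread context of 1376 1492 aiikyaiziv.exe 31"

# Image name per PID, taken from the report's process tree.
IMAGES = {876: "BL copy.exe", 1492: "aiikyaiziv.exe", 1784: "aiikyaiziv.exe", 1376: "aiikyaiziv.exe"}

# \1 anchors on the repeated source-PID column, which keeps image names that contain
# spaces ("BL copy.exe") from being mis-split; the lookahead ends a row at the next "PID ".
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (.+?) (\d+)(?= PID |$)"
)


def parse_rows(text):
    """Return (src_pid, op, dst_pid, src_image) tuples, one per rendered row."""
    events = []
    for m in ROW_RE.finditer(text):
        src, op, dst, image, _target_idx = m.groups()
        kind = "writes" if op.startswith("wrote") else "thread_ctx"
        events.append((int(src), kind, int(dst), image))
    return events


def injection_chain(write_text, thread_text, images):
    """Group events per target PID and name the pattern each target shows."""
    stats = defaultdict(lambda: {"source": None, "writes": 0, "thread_ctx": 0})
    for src, kind, dst, _ in parse_rows(write_text) + parse_rows(thread_text):
        stats[dst]["source"] = src
        stats[dst][kind] += 1
    for dst, s in stats.items():
        s["same_image"] = images.get(s["source"]) == images.get(dst)
        if s["writes"] and s["thread_ctx"]:
            # payload written into a child, then its entry thread redirected:
            # the classic process-hollowing / thread-hijack sequence
            s["verdict"] = "process hollowing / thread hijack"
        elif s["writes"] and s["same_image"]:
            s["verdict"] = "same-image child written to, no thread hijack observed"
        elif s["writes"]:
            s["verdict"] = "parent wrote into child (dropper hand-off)"
        else:
            s["verdict"] = "thread context set without a recorded write"
    return dict(stats)


if __name__ == "__main__":
    for pid, s in sorted(injection_chain(WRITE_ROWS, THREAD_ROWS, IMAGES).items()):
        print(pid, images := IMAGES.get(pid), s)
```

The practical consequence for response: the stealer logic runs in PID 1376, whose on-disk image is the same aiikyaiziv.exe as its parent, so a memory capture of 1376 (not a copy of the file) is what yields the decoded payload and config.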
outlook_office_path 1 IoCs
  description  ioc                                                                                                                                   Process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aiikyaiziv.exe
-
outlook_win_path 1 IoCs
  description  ioc                                                                                                                                                  Process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aiikyaiziv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BL copy.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL copy.exe"
  PID: 876
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe  (depth 2, child of 876)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe" C:\Users\Admin\AppData\Local\Temp\iexhn.w
    PID: 1492
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe  (depth 3, child of 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe" C:\Users\Admin\AppData\Local\Temp\iexhn.w
      PID: 1784
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe  (depth 3, child of 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\aiikyaiziv.exe" C:\Users\Admin\AppData\Local\Temp\iexhn.w
      PID: 1376
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
-
Network
-
Remote address: 8.8.8.8:53
Request:  api.ipify.org IN A
Response: api.ipify.org IN CNAME api.ipify.org.herokudns.com
          api.ipify.org.herokudns.com IN A 3.232.242.170
          api.ipify.org.herokudns.com IN A 3.220.57.224
          api.ipify.org.herokudns.com IN A 54.91.59.199
          api.ipify.org.herokudns.com IN A 52.20.78.240
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 7KB  (identical file, listed 7 times in the report's dropped-file list)
MD5 27d66b1f9d5a06f086d46350d0e27fe9
SHA1 c42051eccb3ffb7d12a18136a8f3aa702e038417
SHA256 1d3019ff5f6a2d28f7d876fdbbc8acc1215368f3f562fa988f6bacba4f6b23d7
SHA512 be7ded13a8517ad800ad3fbe078dea8040e1b28a706eb58c264deaf77fb4957228983069c626aa9a63a1d62b967e2e131148d798d9a94b64eccc6264931ce8a6
-
Filesize 296KB
MD5 f2287e43eba99766fa513804d8e14539
SHA1 53a14c5f1e5ffe5d51ee36f7e2cfbdd953ce9599
SHA256 f4a92a2684b2e3128c83ead312f99f6f674705eb8e7390343d989cfb58838913
SHA512 c8852a775d292467388eafc3aedbfdfebabf2dc15139df42b2c16bc057de18d4adbe93d43ab88c24a21c16ac88b55b64dcff39e7ced26cf1bf287a5492764402
-
Filesize 7KB
MD5 7e3cc5383386f3a981bda79f437a9bc1
SHA1 8df7941ad5fd04aaa657220fac18026250036f76
SHA256 7c6ec6ef27019dc456e0e2714730374d38319e681ba36cc633375de57b3ed110
SHA512 3a3b3714daaab812059bcb937730604bc437fd708101f3bee6fc682b14623df01b3112799804e3ede41747de645d529832ccb82ba99a4b6efe34390b3ecdc6ea