Analysis
-
max time kernel: 37s
max time network: 3s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:58
Static task: static1
Behavioral task: behavioral1 (sample 37096691.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample 37096691.exe, resource win10v2004-20220812-en)

The results below are from behavioral2, the Windows 10 2004 x64 run (37s kernel time, 3s network time).
General
-
Target: 37096691.exe
Size: 1.2MB
MD5: f534050fa4d9012dd54e13ce691d662e
SHA1: 916a083d0045e365d889164e59c039d526c44684
SHA256: 37096691833e6bd3112ec4ad96df261c532c32f50adef7797bb9489f9a3aea97
SHA512: bb7323176acd486fd526560522a65255819bd59ac44e17d3076fcb06be2891c7accbcc8e827445db72914ee041b5880308174ab5d8de46c5a7d591ab05841141
SSDEEP: 24576:e+YAumA1be5ysgG12LltOOr3C1zC+GGOG4emawVl9Rg:D/eG273H+GS4XawVry
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer (its early builds were written in VB.NET, which is what the sandbox's "visual basic" description refers to). The signatures below show the stealer side of it: the second nyfsjhehag.exe instance (PID 2668) reads browser, email-client and FTP-client credential stores.
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3928  nyfsjhehag.exe
2668  nyfsjhehag.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nyfsjhehag.exe
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nyfsjhehag.exe
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nyfsjhehag.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ojvgfjyyrus = "C:\\Users\\Admin\\AppData\\Roaming\\ctnwtro\\cmlt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nyfsjhehag.exe\" \"C:\\Users\\Admin\\AppData\\Local\\T"  nyfsjhehag.exe

The report renders the value as an escaped string and truncates it after "...\\Local\\T". The launcher it names, C:\Users\Admin\AppData\Roaming\ctnwtro\cmlt.exe, does not appear among the files recorded under Downloads, so this run did not capture it; verify the Run value and the file on an infected host rather than from this report alone.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process         target process
PID 3928 set thread context of 2668  3928  nyfsjhehag.exe  nyfsjhehag.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but every other signature on this sample points at credential theft, so treat it here as drive enumeration by an infostealer, not as evidence of file encryption.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
2668  nyfsjhehag.exe
2668  nyfsjhehag.exe
2668  nyfsjhehag.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
3928  nyfsjhehag.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2668  nyfsjhehag.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
3928  nyfsjhehag.exe
3928  nyfsjhehag.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
3928  nyfsjhehag.exe
3928  nyfsjhehag.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                       pid   process         target process
PID 1404 wrote to memory of 3928  1404  37096691.exe    nyfsjhehag.exe
PID 1404 wrote to memory of 3928  1404  37096691.exe    nyfsjhehag.exe
PID 1404 wrote to memory of 3928  1404  37096691.exe    nyfsjhehag.exe
PID 3928 wrote to memory of 2668  3928  nyfsjhehag.exe  nyfsjhehag.exe
PID 3928 wrote to memory of 2668  3928  nyfsjhehag.exe  nyfsjhehag.exe
PID 3928 wrote to memory of 2668  3928  nyfsjhehag.exe  nyfsjhehag.exe
PID 3928 wrote to memory of 2668  3928  nyfsjhehag.exe  nyfsjhehag.exe
-
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nyfsjhehag.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  nyfsjhehag.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\37096691.exe (PID 1404)
   command line: "C:\Users\Admin\AppData\Local\Temp\37096691.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe (PID 3928, child of 1404)
      command line: "C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe" "C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe (PID 2668, child of 3928)
         command line: "C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe" "C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path

PIDs are taken from the signature tables above. The chain is a loader pattern: 37096691.exe drops nyfsjhehag.exe and pmrwjoyl.au3 and starts the former with the latter as its only argument (.au3 is the AutoIt script extension, so this is consistent with a dropped AutoIt runtime plus script). The first instance (PID 3928) writes the Run key, starts a second copy of the same binary (PID 2668), writes into it and calls SetThreadContext on it. Only the second copy reads the Outlook, browser and FTP-client credential stores and acquires SeDebugPrivilege, so that is where the Agent Tesla payload the sandbox tagged is running.
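The WriteProcessMemory and SetThreadContext tables above record the injection chain but do not say which process ends up hollowed. The Python below is an added example, not part of the report: it replays constructed events carrying the report's PIDs and image names through a small detector. A process that starts a copy of its own image, writes into it and then replaces a thread context is flagged as hollowing that child (3928 into 2668 here); writes into a child of a different image without a context change (1404 into 3928) are listed separately for manual review. The event dictionaries are an assumed schema standing in for whatever telemetry is at hand (Sysmon, EDR or a sandbox API log).

```python
"""Process-hollowing heuristic replayed over the injection chain in this report.
Added example.  PIDs and image names come from the report's signature tables;
the event schema and ordering are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed event stream.  Counts match the report: 1404 wrote to 3928 three
# times, 3928 wrote to 2668 four times and set 2668's thread context once.
EVENTS = [
    {"op": "create", "pid": 1404, "ppid": None, "image": "37096691.exe"},
    {"op": "create", "pid": 3928, "ppid": 1404, "image": "nyfsjhehag.exe"},
    *[{"op": "write_memory", "pid": 1404, "target": 3928}] * 3,
    {"op": "create", "pid": 2668, "ppid": 3928, "image": "nyfsjhehag.exe"},
    *[{"op": "write_memory", "pid": 3928, "target": 2668}] * 4,
    {"op": "set_thread_context", "pid": 3928, "target": 2668},
    {"op": "adjust_privilege", "pid": 2668, "privilege": "SeDebugPrivilege"},
]


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    writes_to: Counter = field(default_factory=Counter)   # target pid -> count
    ctx_targets: set = field(default_factory=set)         # pids whose context we set
    privileges: set = field(default_factory=set)


def build_process_table(events):
    """Fold the event stream into per-process state, keyed by pid."""
    procs = {}
    for ev in events:
        if ev["op"] == "create":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"])
    for ev in events:
        src = procs.get(ev["pid"])
        if src is None or ev["op"] == "create":
            continue
        if ev["op"] == "write_memory":
            src.writes_to[ev["target"]] += 1
        elif ev["op"] == "set_thread_context":
            src.ctx_targets.add(ev["target"])
        elif ev["op"] == "adjust_privilege":
            src.privileges.add(ev["privilege"])
    return procs


def find_hollowing(procs):
    """A process that spawns its own image, writes into that child and then
    replaces a thread context is hollowing the child: the child's original
    code never runs, the written payload does."""
    hits = []
    for p in procs.values():
        for t_pid in sorted(p.ctx_targets):
            t = procs.get(t_pid)
            if t is None:
                continue
            if t.ppid == p.pid and t.image.lower() == p.image.lower() and p.writes_to[t_pid] > 0:
                hits.append({"injector": p.pid, "hollowed": t_pid, "image": t.image,
                             "writes": p.writes_to[t_pid],
                             "payload_has_debug_priv": "SeDebugPrivilege" in t.privileges})
    return hits


def find_staging_writes(procs):
    """Writes into a child of a different image with no thread-context change.
    Lower confidence (a loader priming a dropped binary looks like this, but so
    do some legitimate parent/child handshakes); return for manual review."""
    out = []
    for p in procs.values():
        for t_pid, n in sorted(p.writes_to.items()):
            t = procs.get(t_pid)
            if (t and t.ppid == p.pid and t.image.lower() != p.image.lower()
                    and t_pid not in p.ctx_targets):
                out.append((p.pid, t_pid, n))
    return out


if __name__ == "__main__":
    table = build_process_table(EVENTS)
    for hit in find_hollowing(table):
        print("hollowing:", hit)
    for src, dst, n in find_staging_writes(table):
        print(f"review: {src} wrote to child {dst} {n} time(s) without SetThreadContext")
```

The same-image test is what separates hollowing from ordinary cross-process writes; on real telemetry, add the child's image path equality as well as the name, since a loader can drop a renamed copy of a legitimate binary.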
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hxqmupa.awd
  Filesize: 295KB
  MD5: 3bc6821e034cf3e3ccbae1b6ac587ac0
  SHA1: 18625cf44ca651096eccf70f40b80f4a926c7d6b
  SHA256: 8701a011eb882515bdec111500cd5eaf8861905d000b37d1f0ba0d52cbbb7a90
  SHA512: a898f266db894650260b78e3a8458af0649ac4e2e35658168af99c200b3fe59321d7d6567558b97967b72f6ed3ce89971c01d94f3dd9013fac6d61b808d1eeef
-
C:\Users\Admin\AppData\Local\Temp\mhryt.r
  Filesize: 54KB
  MD5: 4acbb6cf122f16ceef282a935950774a
  SHA1: d01ba39f4516f28097cc9419d497cb0d366aaae5
  SHA256: ceb563dd9ce4af0e6b8638a62310d5345c89472792414d9a8904f537fb3b7e46
  SHA512: bedcb8fe5cd637d82146cc94a97c3d54a94536411f4e1e37cd2db2e44d1ed377f980b1632b227ad20b4651345cc4e659edf22022c6c322af5687572555002bd0
-
C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3
  Filesize: 5KB
  MD5: d6c9edb53c19c52ef0f4c54e62295ab9
  SHA1: 595dbcde92c6d70da21a9d946371388220529cb3
  SHA256: 82789a96aaf587382eabfba4730796be5b738ee54f24065e3dc5440b4b330f54
  SHA512: c6edd33bd8197332c1b136ae0e16dd6860b4cce1f4a7403771850f37770fb83f1b53b8ae8bd29acfff94489729de04783afa7ab1e7023b2655be3bac0ccb438a
-
memory/2668-138-0x0000000000000000-mapping.dmp
-
memory/2668-140-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
-
memory/2668-141-0x0000000006840000-0x0000000006DE4000-memory.dmp
  Filesize: 5.6MB
-
memory/2668-142-0x0000000006290000-0x000000000632C000-memory.dmp
  Filesize: 624KB
-
memory/2668-143-0x0000000007A70000-0x0000000007AD6000-memory.dmp
  Filesize: 408KB
-
memory/2668-144-0x0000000007CC0000-0x0000000007D10000-memory.dmp
  Filesize: 320KB
-
memory/2668-145-0x0000000007E30000-0x0000000007EC2000-memory.dmp
  Filesize: 584KB
-
memory/2668-146-0x0000000008320000-0x000000000832A000-memory.dmp
  Filesize: 40KB
-
memory/3928-132-0x0000000000000000-mapping.dmp

Of the dropped files, only nyfsjhehag.exe and pmrwjoyl.au3 appear on a command line in this run; hxqmupa.awd and mhryt.r are written to the same Temp directory but are not referenced by any recorded process, so collect them from %TEMP% alongside the other two. Among the memory dumps, the 312KB region at 0x400000-0x44E000 in PID 2668 sits at the default image base of a 32-bit executable and belongs to the process that PID 3928 wrote into before SetThreadContext, so it is the first dump to carve for the injected payload; the Malware Config section of this report is empty, so any configuration has to come from that static analysis.