Analysis
max time kernel: 89s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:50
Static task: static1
Behavioral task: behavioral1
  Sample: 9758a1ed3f47022f27a6c1a4490d81a1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9758a1ed3f47022f27a6c1a4490d81a1.exe
  Resource: win10v2004-20220812-en
General
Target: 9758a1ed3f47022f27a6c1a4490d81a1.exe
Size: 844KB
MD5: 9758a1ed3f47022f27a6c1a4490d81a1
SHA1: 6ac703af0a201398cc137ac9f06e18a1dbc153d2
SHA256: cf245d962d603ab9dca4b815963b2a21c8e13fc447d58f3d22a21d9841c46f03
SHA512: 0b5808ed7a101eeaaecb8c91c0032f79020aae919fe67a053b8a1ce9c432409fb14abc9326fdcb8d6a4ecc1e9d221b5f0f8446a839435a0429d6f5bf7e42d7ee
SSDEEP: 12288:OAJYsZ1DX/VDJtV7TZ0k13kc38MPWd2p34dpDd7P5XAfJ0:3JYknZV8My2poPx75k0
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: smtp.apexfinanceuk.com
Port: 587
Username: [email protected]
Password: 2OQWAS!z@H!!dTQ
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 980 set thread context of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  624 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  624 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  624 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  Token: SeDebugPrivilege | 624 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  624 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description | pid | process | target process
  PID 980 wrote to memory of 848 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 848 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 848 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 848 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
  PID 980 wrote to memory of 624 | 980 | 9758a1ed3f47022f27a6c1a4490d81a1.exe | 9758a1ed3f47022f27a6c1a4490d81a1.exe
outlook_office_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
outlook_win_path (1 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 9758a1ed3f47022f27a6c1a4490d81a1.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe"
  C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\9758a1ed3f47022f27a6c1a4490d81a1.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file | Filesize
  memory/624-64-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-63-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-70-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-68-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-65-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-61-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/624-66-0x0000000000437BDE-mapping.dmp | (no size listed)
  memory/624-60-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/980-55-0x0000000075811000-0x0000000075813000-memory.dmp | 8KB
  memory/980-54-0x0000000001110000-0x00000000011EA000-memory.dmp | 872KB
  memory/980-59-0x0000000000F70000-0x0000000000FAC000-memory.dmp | 240KB
  memory/980-58-0x0000000004F50000-0x0000000004FC8000-memory.dmp | 480KB
  memory/980-57-0x0000000000390000-0x000000000039C000-memory.dmp | 48KB
  memory/980-56-0x00000000006A0000-0x00000000006B8000-memory.dmp | 96KB