Analysis
-
max time kernel
99s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 06:38
Static task
static1
Behavioral task
behavioral1
Sample
831053927.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
831053927.exe
Resource
win10v2004-20221111-en
General
-
Target
831053927.exe
-
Size
371KB
-
MD5
5d766f42a531ffcd5dc28bb53aa241ba
-
SHA1
e249b9f9757a852c981943376cb1b1067170f6a6
-
SHA256
f5d4ebc19dcb1a8676ba1459a04606b5b94e3e1a02bf11393c18e0980e8da2f8
-
SHA512
c9d1470675401a9154129bda61da9e6c4e8cac912dee47d3bba9a4aaf9798cb51d3cc0a8689b7694890880e309d6adf21f74a0363993702861e9b34f655e3173
-
SSDEEP
6144:QBn1x+Iern1T/hLTUvO6XqaV7Co73QDYAD8zRDJhquOFLEyNbamvSkRN8h2zz2M+:gxDMHTKTXbZ573QEeY9JkJlEyNbaBm8t
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
Processes:
hjctkgqb.exehjctkgqb.exepid process 1068 hjctkgqb.exe 588 hjctkgqb.exe -
Loads dropped DLL 5 IoCs
Processes:
831053927.exehjctkgqb.exeWerFault.exepid process 1960 831053927.exe 1068 hjctkgqb.exe 1692 WerFault.exe 1692 WerFault.exe 1692 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
hjctkgqb.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\crjqaqiplhx = "C:\\Users\\Admin\\AppData\\Roaming\\lrvilelmgxag\\ywnveswjguxq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hjctkgqb.exe\" C:\\Users\\Admin\\AppDa" hjctkgqb.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
hjctkgqb.exedescription pid process target process PID 1068 set thread context of 588 1068 hjctkgqb.exe hjctkgqb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1692 588 WerFault.exe hjctkgqb.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
hjctkgqb.exepid process 588 hjctkgqb.exe 588 hjctkgqb.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
hjctkgqb.exepid process 1068 hjctkgqb.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
hjctkgqb.exedescription pid process Token: SeDebugPrivilege 588 hjctkgqb.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
831053927.exehjctkgqb.exehjctkgqb.exedescription pid process target process PID 1960 wrote to memory of 1068 1960 831053927.exe hjctkgqb.exe PID 1960 wrote to memory of 1068 1960 831053927.exe hjctkgqb.exe PID 1960 wrote to memory of 1068 1960 831053927.exe hjctkgqb.exe PID 1960 wrote to memory of 1068 1960 831053927.exe hjctkgqb.exe PID 1068 wrote to memory of 588 1068 hjctkgqb.exe hjctkgqb.exe PID 1068 wrote to memory of 588 1068 hjctkgqb.exe hjctkgqb.exe PID 1068 wrote to memory of 588 1068 hjctkgqb.exe hjctkgqb.exe PID 1068 wrote to memory of 588 1068 hjctkgqb.exe hjctkgqb.exe PID 1068 wrote to memory of 588 1068 hjctkgqb.exe hjctkgqb.exe PID 588 wrote to memory of 1692 588 hjctkgqb.exe WerFault.exe PID 588 wrote to memory of 1692 588 hjctkgqb.exe WerFault.exe PID 588 wrote to memory of 1692 588 hjctkgqb.exe WerFault.exe PID 588 wrote to memory of 1692 588 hjctkgqb.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\831053927.exe"C:\Users\Admin\AppData\Local\Temp\831053927.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exe"C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exe" C:\Users\Admin\AppData\Local\Temp\xrhedwyckj.oxb2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exe"C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exe" C:\Users\Admin\AppData\Local\Temp\xrhedwyckj.oxb3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 5804⤵
- Loads dropped DLL
- Program crash
PID:1692
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ccsvkpzcvk.pFilesize
274KB
MD5042160b92e75f00361f030ae9ce6ba5a
SHA1ef6e7850bd70d8e4b1b1e9f3fa8cf0c529f2d4de
SHA2563f96a57ac2629bff8e020ac29c33a01d77ad0363f7ec05049bb8a8d0c9330d41
SHA512098f4b47d54f58e73083e8934693064db1b2b09224d49a84e6411a6c980f7f40ea13836f75b9726935635598bfab295a027080f756b90685019d3f0cd2a9075a
-
C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
C:\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
C:\Users\Admin\AppData\Local\Temp\xrhedwyckj.oxbFilesize
7KB
MD5d041100110d9e424d784b7304c86362e
SHA16989692ca832deb08f28de28f5d54ff5d84ee185
SHA256985b212c76c8b5e36255fc2c588243f39f86461c636ea9092915d5dc588a82d1
SHA5120e4b3134b81e7422dd930a6883761dfcc00065aa3f6465d988808c037f2d56dd9ec006873b73fbe5c345ba3a6c0299eb180d29411dc00f01737c5d8ce6d03bf5
-
\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
\Users\Admin\AppData\Local\Temp\hjctkgqb.exeFilesize
320KB
MD548638249924ba4b3620a082e39dee170
SHA18cbac55e61abd52ebe3810ddccdd5cb49b276808
SHA256fdb79e6ad186805cf8483cd05683020d9c2659ea9222ef6ba6857dcda8af944f
SHA5129114200205f2f732c1e0f1e75f1fb36bca7b6255be4070782ce70c17b95d40c92240dda04c10303e86ae80baecf29be476464b1b6c12be85bcf1df6928ac27b3
-
memory/588-63-0x0000000000401896-mapping.dmp
-
memory/588-67-0x0000000001D80000-0x0000000001DB8000-memory.dmpFilesize
224KB
-
memory/588-66-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/1068-56-0x0000000000000000-mapping.dmp
-
memory/1692-68-0x0000000000000000-mapping.dmp
-
memory/1960-54-0x0000000076691000-0x0000000076693000-memory.dmpFilesize
8KB