Analysis
max time kernel: 136s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 12:49
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
  Resource: win10v2004-20220901-en
General
Target: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
Size: 960KB
MD5: a0b2a10e84abe8930570103f841bcc75
SHA1: 441c100f5467f1e7983b3e62119b60bb3cc757d7
SHA256: ebb86221b5c4336e8155321c3ef818e39e38c981227b768433d107ba6aa3bd69
SHA512: 023c0e59dbdd9dd8f3b2e3ad99154942d651e7b3c3b498e25d957fb4b717dde7148a932bc1cfd1a4a9679889fcaa22de8b25d75ae14f01e12c3a25ef248794d5
SSDEEP: 24576:EGU376CRkFg/IyXtBbvShFasPKhCX0sTLZeD1zBCh:2PkoXvSLSkzTNk1W
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.biateknos.com
  Port: 587
  Username: [email protected]
  Password: biateknossutinah
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" (process: RegSvcs.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 33: api.ipify.org
    flow 32: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
    PID 4384 set thread context of 2400 (process: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe, target process: RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe, RegSvcs.exe
    pid 4384: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
    pid 2400: RegSvcs.exe
    pid 2400: RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe, RegSvcs.exe
    Token: SeDebugPrivilege (pid 4384, process: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe)
    Token: SeDebugPrivilege (pid 2400, process: RegSvcs.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
    pid 2400: RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
    PID 4384 wrote to memory of 2796 (process: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe, target process: schtasks.exe) - 3 entries
    PID 4384 wrote to memory of 2400 (process: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe, target process: RegSvcs.exe) - 8 entries
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe (PID: 4384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID: 2796, child of 4384)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRqvNpf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE0A.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 2400, child of 4384)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE0A.tmp
  Filesize: 1KB
  MD5: 629845b2e6e0b704e6f934baa36d100a
  SHA1: ef5be1da54352712a0bf1e76cdc5ca9ada13abd6
  SHA256: 5da8982f7de0a6e008a9b8f7cbb4fb51f94aaea2932b9b4e6529fcc65105f5b7
  SHA512: 436347d2a725778064918f578e8fd7f399e886430adcf92344c4b7f8a41b7abe8c362ce5efcdbc2b5567bf86b89977934e59b447bb764005f93917b302f6e7e9
- memory/2400-139-0x0000000000000000-mapping.dmp
- memory/2400-140-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/2400-141-0x0000000005D70000-0x0000000005DD6000-memory.dmp
  Filesize: 408KB
- memory/2400-142-0x0000000006690000-0x00000000066E0000-memory.dmp
  Filesize: 320KB
- memory/2796-137-0x0000000000000000-mapping.dmp
- memory/4384-132-0x0000000000E40000-0x0000000000F36000-memory.dmp
  Filesize: 984KB
- memory/4384-133-0x0000000005E80000-0x0000000006424000-memory.dmp
  Filesize: 5.6MB
- memory/4384-134-0x00000000058D0000-0x0000000005962000-memory.dmp
  Filesize: 584KB
- memory/4384-135-0x0000000005A10000-0x0000000005AAC000-memory.dmp
  Filesize: 624KB
- memory/4384-136-0x00000000059F0000-0x00000000059FA000-memory.dmp
  Filesize: 40KB