Analysis
- max time kernel: 74s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 08:42
Static task: static1
Behavioral task: behavioral1
- Sample: MT103 USD36k_pdf.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: MT103 USD36k_pdf.exe
- Resource: win10v2004-20220812-en
General
- Target: MT103 USD36k_pdf.exe
- Size: 300KB
- MD5: 67060e229fd001baaf2ff8e36f435f0f
- SHA1: e8fa3767b8cc7df3c58e04ffb77ba49ca0d65210
- SHA256: 3715a1b3671a7526ba34a708a617c353c27380d255b6a74493978ded978e01b0
- SHA512: 38ea3c2ed47ae45062b6239c1812616479fefe957f93b60281431d5aff6272fa7948b0bc77149ae2195ccf2abb2171e99731d68e06bf990ebbb9aa18a49c5086
- SSDEEP: 6144:BBnvBRhD9wLIp/s6usl9aAh3RhB0QbsIABuwVeWK:35aes6ft3Rhp7ABuwVe7
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.abmds.net
- Port: 587
- Username: [email protected]
- Password: KPM%a_UfaCbn
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1772 kfeasmzfnj.exe
    PID 688 kfeasmzfnj.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1360 MT103 USD36k_pdf.exe
    PID 1772 kfeasmzfnj.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    kfeasmzfnj.exe: Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    kfeasmzfnj.exe: Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    kfeasmzfnj.exe: Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 1772 kfeasmzfnj.exe set thread context of PID 688 kfeasmzfnj.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID 688 kfeasmzfnj.exe (listed 3 times)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    PID 1772 kfeasmzfnj.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    PID 688 kfeasmzfnj.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1360 MT103 USD36k_pdf.exe wrote to memory of PID 1772 kfeasmzfnj.exe (listed 4 times)
    PID 1772 kfeasmzfnj.exe wrote to memory of PID 688 kfeasmzfnj.exe (listed 5 times)
- outlook_office_path (1 IoCs)
  Processes:
    kfeasmzfnj.exe: Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Processes:
    kfeasmzfnj.exe: Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe (PID 1360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe (PID 1772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe (PID 688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
  Filesize: 5KB
  MD5: 7352ef7b4a7ec98455c90e22d4c588aa
  SHA1: aaab92935902c828e9d111722c35254571620dbd
  SHA256: cc1d09769d2f707e2dd54f2dd58658f58eb32634d8bc197aa86ec24aa6bb1194
  SHA512: 90eb1e5b027aef8be4492c71d43f2c0bfdb722881f90c06598f904b42c86df513bc3016f2cebb3bebd8ab17e861c4f87d14dc4941167f5e6fd3a84d0697d571e
- C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
  Filesize: 37KB
  MD5: 24c602d3c445c8070cdd067b12415981
  SHA1: 0bd8ecfd615b9627034e0bbd91ce76a6f8a69797
  SHA256: 436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23
  SHA512: cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee
- C:\Users\Admin\AppData\Local\Temp\xbrzayesyy.l
  Filesize: 273KB
  MD5: 27ddad24acda2f46f8fcc9d625b90085
  SHA1: 9ce96fe713d1cd3900624bbe286543c5c2ef62c5
  SHA256: 17bbd12b77b9ae1928b314958f2bcb639759cf6be3e9137baa0b92f4aedb7765
  SHA512: 71a0e948101e5fcc9d93559c41bfd8cc0d38bbed9fd23cafd8a469ab826843f22b9b644a86279fc493b6885449098e9972ac622e32703db0645abdf5c238044b
- memory/688-63-0x0000000000401896-mapping.dmp
- memory/688-66-0x0000000000850000-0x0000000000888000-memory.dmp
  Filesize: 224KB
- memory/688-67-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/1360-54-0x00000000766F1000-0x00000000766F3000-memory.dmp
  Filesize: 8KB
- memory/1772-56-0x0000000000000000-mapping.dmp