Analysis
-
max time kernel
98s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-11-2022 08:42
General
-
Target
MT103 USD36k_pdf.exe
-
Size
300KB
-
MD5
67060e229fd001baaf2ff8e36f435f0f
-
SHA1
e8fa3767b8cc7df3c58e04ffb77ba49ca0d65210
-
SHA256
3715a1b3671a7526ba34a708a617c353c27380d255b6a74493978ded978e01b0
-
SHA512
38ea3c2ed47ae45062b6239c1812616479fefe957f93b60281431d5aff6272fa7948b0bc77149ae2195ccf2abb2171e99731d68e06bf990ebbb9aa18a49c5086
-
SSDEEP
6144:BBnvBRhD9wLIp/s6usl9aAh3RhB0QbsIABuwVeWK:35aes6ft3Rhp7ABuwVe7
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe"C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe"C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe"C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD57352ef7b4a7ec98455c90e22d4c588aa
SHA1aaab92935902c828e9d111722c35254571620dbd
SHA256cc1d09769d2f707e2dd54f2dd58658f58eb32634d8bc197aa86ec24aa6bb1194
SHA51290eb1e5b027aef8be4492c71d43f2c0bfdb722881f90c06598f904b42c86df513bc3016f2cebb3bebd8ab17e861c4f87d14dc4941167f5e6fd3a84d0697d571e
-
Filesize
37KB
MD524c602d3c445c8070cdd067b12415981
SHA10bd8ecfd615b9627034e0bbd91ce76a6f8a69797
SHA256436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23
SHA512cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee
-
Filesize
37KB
MD524c602d3c445c8070cdd067b12415981
SHA10bd8ecfd615b9627034e0bbd91ce76a6f8a69797
SHA256436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23
SHA512cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee
-
Filesize
37KB
MD524c602d3c445c8070cdd067b12415981
SHA10bd8ecfd615b9627034e0bbd91ce76a6f8a69797
SHA256436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23
SHA512cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee
-
Filesize
273KB
MD527ddad24acda2f46f8fcc9d625b90085
SHA19ce96fe713d1cd3900624bbe286543c5c2ef62c5
SHA25617bbd12b77b9ae1928b314958f2bcb639759cf6be3e9137baa0b92f4aedb7765
SHA51271a0e948101e5fcc9d93559c41bfd8cc0d38bbed9fd23cafd8a469ab826843f22b9b644a86279fc493b6885449098e9972ac622e32703db0645abdf5c238044b
-
-
Filesize
288KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
40KB
-