Analysis
max time kernel: 197s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
  Resource: win10v2004-20221111-en
General
Target: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Size: 480KB
MD5: 06d253413aa62c1eb72edb9fdc6e2a87
SHA1: a3d8c88b5b9709699c183925ce3ad653491aee9d
SHA256: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822
SHA512: 74eee8077764b41bb10bfdb2f8408af549951abdf9244d0c609de931ba6f847b6653d1088cb4394de875c0f23837b28f712cc4c8161a50d4127206bb669d68bb
SSDEEP: 12288:q0aShcx7plNJAYnIKPPfpZlrySug8pG94L3st+s0u5jgbO:q0aSholNJrXdr5ug88ss0s0gEO
Malware Config
Extracted family: agenttesla
C2: https://api.telegram.org/bot5745656562:AAEWafwrgUiORYk4Z5mN1SY726IYW3inkfw/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Sets service image path in registry (2 TTPs, 1 IoC)
Process: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: CasPol.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4AEDA9AD67994E2AA3267C3CA0849E85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe\""
Process: CasPol.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe"
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 78: api.ipify.org
  Flow 79: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe) set thread context of PID 100 (CasPol.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 100 (CasPol.exe), 2 events
Suspicious behavior: LoadsDriver (1 IoC)
  PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe)
  Token: SeDebugPrivilege, PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe)
  Token: SeLoadDriverPrivilege, PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe)
  Token: SeDebugPrivilege, PID 100 (CasPol.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 100 (CasPol.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3956 (f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe) wrote to memory of PID 100 (CasPol.exe), 8 events
outlook_office_path (1 IoC)
Process: CasPol.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
Process: CasPol.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe"
   PID: 3956
   - Sets service image path in registry
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 100
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)
File                                                              Size
memory/100-135-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/100-136-0x0000000000437BCE-mapping.dmp                     (not listed)
memory/100-138-0x0000000005D40000-0x00000000062E4000-memory.dmp   5.6MB
memory/100-139-0x0000000005790000-0x000000000582C000-memory.dmp   624KB
memory/100-140-0x00000000064B0000-0x0000000006516000-memory.dmp   408KB
memory/100-141-0x0000000006C70000-0x0000000006CC0000-memory.dmp   320KB
memory/100-142-0x0000000006DE0000-0x0000000006E72000-memory.dmp   584KB
memory/100-143-0x0000000006FF0000-0x0000000006FFA000-memory.dmp   40KB
memory/3956-132-0x0000015D9CF20000-0x0000015D9CF9C000-memory.dmp  496KB
memory/3956-133-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp  10.8MB
memory/3956-134-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp  10.8MB
memory/3956-137-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp  10.8MB