Analysis
-
max time kernel
137s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
05-12-2022 20:46
Static task
static1
Behavioral task
behavioral1
Sample
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
Resource
win10v2004-20220901-en
General
-
Target
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
-
Size
788KB
-
MD5
4252062a013af0c7953e4d14fe646e93
-
SHA1
ada3f9cf06008cba824e4bcda68f80da99d13893
-
SHA256
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
-
SHA512
83c9d4e85a378e8d02393315c480dac1e6fab024bb95717e8ef4a9598782e784539374b127836695a6722662d1dc74a54ddc54d6bf02fc2e7c2dcd1a810f6f89
-
SSDEEP
24576:UraCDwovMPVLs5pcMrQJ63f81b34B5O8f:4aSJMPJGrQJ6vYr4jO8f
Malware Config
Extracted
Protocol: smtp- Host:
work-toolz.click - Port:
587 - Username:
[email protected] - Password:
3HLkst~=QzD3
Extracted
agenttesla
Protocol: smtp- Host:
work-toolz.click - Port:
587 - Username:
[email protected] - Password:
3HLkst~=QzD3
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
Processes:
LocalNePRdcnFKm.exeLocalNePRdcnFKm.exepid process 1944 LocalNePRdcnFKm.exe 956 LocalNePRdcnFKm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
LocalNePRdcnFKm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LocalNePRdcnFKm.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LocalNePRdcnFKm.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LocalNePRdcnFKm.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
LocalNePRdcnFKm.exedescription pid process target process PID 1944 set thread context of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
LocalNePRdcnFKm.exeLocalNePRdcnFKm.exepowershell.exepowershell.exepid process 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 1944 LocalNePRdcnFKm.exe 956 LocalNePRdcnFKm.exe 956 LocalNePRdcnFKm.exe 1648 powershell.exe 1792 powershell.exe 956 LocalNePRdcnFKm.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
LocalNePRdcnFKm.exeLocalNePRdcnFKm.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1944 LocalNePRdcnFKm.exe Token: SeDebugPrivilege 956 LocalNePRdcnFKm.exe Token: SeDebugPrivilege 1648 powershell.exe Token: SeDebugPrivilege 1792 powershell.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exepid process 1476 AcroRd32.exe 1476 AcroRd32.exe 1476 AcroRd32.exe 1476 AcroRd32.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exeLocalNePRdcnFKm.exedescription pid process target process PID 1408 wrote to memory of 1944 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe LocalNePRdcnFKm.exe PID 1408 wrote to memory of 1944 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe LocalNePRdcnFKm.exe PID 1408 wrote to memory of 1944 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe LocalNePRdcnFKm.exe PID 1408 wrote to memory of 1944 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe LocalNePRdcnFKm.exe PID 1408 wrote to memory of 1476 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe AcroRd32.exe PID 1408 wrote to memory of 1476 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe AcroRd32.exe PID 1408 wrote to memory of 1476 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe AcroRd32.exe PID 1408 wrote to memory of 1476 1408 5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe AcroRd32.exe PID 1944 wrote to memory of 1792 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1792 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1792 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1792 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1648 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1648 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1648 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1648 1944 LocalNePRdcnFKm.exe powershell.exe PID 1944 wrote to memory of 1072 1944 LocalNePRdcnFKm.exe schtasks.exe PID 1944 wrote to memory of 1072 1944 LocalNePRdcnFKm.exe schtasks.exe PID 1944 wrote to memory of 1072 1944 LocalNePRdcnFKm.exe schtasks.exe PID 1944 wrote to memory of 1072 1944 LocalNePRdcnFKm.exe schtasks.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe PID 1944 wrote to memory of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe -
outlook_office_path 1 IoCs
Processes:
LocalNePRdcnFKm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LocalNePRdcnFKm.exe -
outlook_win_path 1 IoCs
Processes:
LocalNePRdcnFKm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 LocalNePRdcnFKm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe"C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mrYHLrofvW.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mrYHLrofvW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp"3⤵
- Creates scheduled task(s)
PID:1072 -
C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:956 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalRguquifM_i.pdf"2⤵
- Suspicious use of SetWindowsHookEx
PID:1476
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalNePRdcnFKm.exeFilesize
746KB
MD5cf358bc6184346eb189370a89efb4faa
SHA14cc15bf7e60150cce098c5e905702d3038996e46
SHA25629e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b
SHA5125c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f
-
C:\Users\Admin\AppData\LocalNePRdcnFKm.exeFilesize
746KB
MD5cf358bc6184346eb189370a89efb4faa
SHA14cc15bf7e60150cce098c5e905702d3038996e46
SHA25629e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b
SHA5125c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f
-
C:\Users\Admin\AppData\LocalNePRdcnFKm.exeFilesize
746KB
MD5cf358bc6184346eb189370a89efb4faa
SHA14cc15bf7e60150cce098c5e905702d3038996e46
SHA25629e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b
SHA5125c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f
-
C:\Users\Admin\AppData\LocalRguquifM_i.pdfFilesize
4KB
MD56ed5d6c645a65626a8722d0c9e63deba
SHA1614cba83aff230d5500e93580a2a9bd06bc500ef
SHA256bc723b24c022a75063ce07bbb96bd8182621c8aea4a37cd3b6c02650b24ed78c
SHA512c6f97d4d9d05f6f130fc7754f274d820a30790f94e88119b052597cd85e752449455e15a6438d263059e75f3008862e92f9dfa2b7ac2fe1eb5fc56e6f5854a29
-
C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmpFilesize
1KB
MD5941538552e197f2b2f09d4602e6c026c
SHA1ee7d8d5e057e9717f2c4718d46d0983ae8c2c28b
SHA256891c2ab5a6dac32a0cf4ce00973212245d97046806d9158deacb8f85fe93111c
SHA5122577779f61c3728e1b34fc1349e54e5cd783e72ec2bb45c14c022d5ac937960e492f5e1a9f95b65243592ea8b221766ef35829a3d2702b7942179b5f1049d6b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5e68ed690ca889728adb60ea0d2673f34
SHA129b943b53297a30a8801b01a14564ecc0973daba
SHA2568fff940545c5709e2e96561fd4153a25891c5a977417d1be7c8a0ae0268e433a
SHA512bb58d387a704858802f8c24a995d44f7ff4bb14a3221a42b6e3c2a329c4cd70dcd2544e56bdc83f7d7b3ad5acd3b29e1a74fc54a5b5b02aa913280e86de265da
-
memory/956-81-0x000000000043248E-mapping.dmp
-
memory/956-80-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-84-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-78-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-79-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-76-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-75-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/956-86-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1072-71-0x0000000000000000-mapping.dmp
-
memory/1408-54-0x000007FEF3560000-0x000007FEF3F83000-memory.dmpFilesize
10.1MB
-
memory/1408-55-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmpFilesize
8KB
-
memory/1476-59-0x0000000000000000-mapping.dmp
-
memory/1476-60-0x00000000750A1000-0x00000000750A3000-memory.dmpFilesize
8KB
-
memory/1648-88-0x000000006CE40000-0x000000006D3EB000-memory.dmpFilesize
5.7MB
-
memory/1648-69-0x0000000000000000-mapping.dmp
-
memory/1648-90-0x000000006CE40000-0x000000006D3EB000-memory.dmpFilesize
5.7MB
-
memory/1792-67-0x0000000000000000-mapping.dmp
-
memory/1792-89-0x000000006CE40000-0x000000006D3EB000-memory.dmpFilesize
5.7MB
-
memory/1792-91-0x000000006CE40000-0x000000006D3EB000-memory.dmpFilesize
5.7MB
-
memory/1944-65-0x0000000000540000-0x000000000054E000-memory.dmpFilesize
56KB
-
memory/1944-64-0x0000000000510000-0x0000000000526000-memory.dmpFilesize
88KB
-
memory/1944-61-0x0000000000A10000-0x0000000000AD0000-memory.dmpFilesize
768KB
-
memory/1944-66-0x0000000005210000-0x0000000005292000-memory.dmpFilesize
520KB
-
memory/1944-56-0x0000000000000000-mapping.dmp
-
memory/1944-74-0x0000000004C40000-0x0000000004C8A000-memory.dmpFilesize
296KB