Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: INV-00241.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: INV-00241.exe
- Resource: win10v2004-20220901-en
General
- Target: INV-00241.exe
- Size: 654KB
- MD5: 4b9d7b1ea4b94c7b9a9c8a7d85578c9d
- SHA1: bd580c3c037c244c4c5b820dbb017e14b032b4ec
- SHA256: 3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
- SHA512: b3ead2fbf3b0e408c0cd2dcc4738c84967321a7c7fe0d673ed7df5400387084f627b8ee7ad6075cff6d1f2f6127d4c85ea9797f12ddf5ab4948fedec82752119
- SSDEEP: 6144:7BnJ+58yUPAQVBXw5EPSzoBoe2ZP7e4VimiMxu2Kd4Dic8caelU:D+9UPAuA51s2zMcBjxRKrczaL
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.crownoffice.xyz
- Port: 587
- Username: [email protected]
- Password: GRACEoverflow123@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 968   zpfbg.exe
    PID 1640  zpfbg.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1064  INV-00241.exe
    PID 968   zpfbg.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (zpfbg.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (zpfbg.exe):
    Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yfjvsfmgw = "C:\\Users\\Admin\\AppData\\Roaming\\clbhyuawh\\bvfggtidba.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfbg.exe\" C:\\Users\\Admin\\AppData\\Local"
    Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 3: api.ipify.org
    flow 4: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 968 (zpfbg.exe) set thread context of PID 1640 (zpfbg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID 1640  zpfbg.exe  [3 times]
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 968   zpfbg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 1640  zpfbg.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 1640  zpfbg.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1064 (INV-00241.exe) wrote to memory of PID 968 (zpfbg.exe)  [4 times]
    PID 968 (zpfbg.exe) wrote to memory of PID 1640 (zpfbg.exe)      [5 times]
- outlook_office_path (1 IoC)
  Processes (zpfbg.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes (zpfbg.exe):
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\INV-00241.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV-00241.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zpfbg.exe" C:\Users\Admin\AppData\Local\Temp\mpbnofni.pa
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\zpfbg.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path
         - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\mpbnofni.pa
  Filesize: 7KB
  MD5: 1bfac87a4f48963d6caf5fe27c8c5baf
  SHA1: 15d56818cee354bf34fd544b006c36919002320b
  SHA256: edc1056c39973d312889e8913aeaea4990fd1512208472976904218e46076bb9
  SHA512: 2c6cca8a450327cf471f09a0c92c01c33dbf5db7d8b2f5d3c3ccf5eb88b68772910176ee80ba2137cef10777006ba955565ce65f1fc3b41da21c581d49377d0d
- C:\Users\Admin\AppData\Local\Temp\qwkogxfo.yq
  Filesize: 239KB
  MD5: 78ff86f4a6353db5f18ae0ada58b837c
  SHA1: e579a54f260bb800174f96192a848dacca6fa159
  SHA256: 3c958f007e4dde9126480bb111a7bbc7a6094521c2266eca3fad70f3fcac027d
  SHA512: defc96d1f27a07b90a278441fcd1aadd41dd22919edf05290aebbb4d1bd525362105e8e070316d463e0efc031bb0ef204fff140d9c93a4456fa8646f8841361e
- C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
  Filesize: 12KB
  MD5: 8ac9e4ec32db5ee3d689497046200d55
  SHA1: 0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675
  SHA256: f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a
  SHA512: 60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8
- \Users\Admin\AppData\Local\Temp\zpfbg.exe
  Filesize: 12KB
  MD5: 8ac9e4ec32db5ee3d689497046200d55
  SHA1: 0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675
  SHA256: f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a
  SHA512: 60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (Filesize: 8KB)
- memory/1640-63-0x0000000000401896-mapping.dmp
- memory/1640-66-0x0000000000640000-0x000000000066E000-memory.dmp (Filesize: 184KB)
- memory/1640-67-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)