Analysis
max time kernel: 257s
max time network: 291s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe
Resource: win10v2004-20221111-en
General
Target: 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe
Size: 321KB
MD5: bf32f23a87b64a238e5050844edec9b7
SHA1: c0a83fef7da08a4dc99d510b9d55aad00e4e549e
SHA256: 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
SHA512: a44efd51335fa4ad2e198fdf58ed5be39d62c01c811ceb12f954908fcb87459e5d9e935dac481e0bfefff4158e89e29d6d3b0519137486d0feaed9bf064a2621
SSDEEP: 6144:QBn1VOu62SslcNRnuYrfQ6m/E07z5r6ZlASnb0e52:gVJYsGTuQQ6mMUZ4lAQbX52
Malware Config
Signatures
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET, that harvests stored credentials and keystrokes from the infected host.
Executes dropped EXE (2 IoCs)
  PID   Process
  4436  oyebl.exe
  1152  oyebl.exe
Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process    Target process
  PID 4436 set thread context of 1152  4436  oyebl.exe  oyebl.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; in this report it sits next to an AgentTesla stealer verdict, and drive enumeration by itself is weak evidence of encryption activity.
Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  4436  oyebl.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Description                       Count  PID   Process                                                                   Target process
  PID 3068 wrote to memory of 4436  3      3068  783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe  oyebl.exe
  PID 4436 wrote to memory of 1152  4      4436  oyebl.exe                                                                 oyebl.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe"
   PID: 3068
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\oyebl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe" C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
      PID: 4436
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\oyebl.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
         PID: 1152
         Signatures: Executes dropped EXE
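The chain recorded above (oyebl.exe launches a second copy of its own image, writes into it, maps a section and then calls SetThreadContext on it) is the classic process-hollowing pattern. The following Python script is an added example, not part of the sandbox report or its tooling: it parses IoC lines in the same shape as the WriteProcessMemory and SetThreadContext records above (the sample lines are constructed from this report's values), groups them per source/target pair and flags the pair that matches the hollowing chain. The verdict strings and the same-image heuristic are my own; a parent also writes into an ordinary child during process creation, so memory writes alone are deliberately rated low.

```python
"""Flag a process-hollowing chain in sandbox IoC records.

Added example (not the sandbox's own code). Input lines follow the shape of
the report's "wrote to memory of" and "set thread context of" records:
    PID <src> <action> <dst> <src> <src image> <dst image>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Constructed sample records, copied in shape from this report's signatures.
SAMPLE_EVENTS = """
PID 3068 wrote to memory of 4436 3068 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe oyebl.exe
PID 3068 wrote to memory of 4436 3068 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe oyebl.exe
PID 3068 wrote to memory of 4436 3068 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06.exe oyebl.exe
PID 4436 wrote to memory of 1152 4436 oyebl.exe oyebl.exe
PID 4436 wrote to memory of 1152 4436 oyebl.exe oyebl.exe
PID 4436 wrote to memory of 1152 4436 oyebl.exe oyebl.exe
PID 4436 wrote to memory of 1152 4436 oyebl.exe oyebl.exe
PID 4436 set thread context of 1152 4436 oyebl.exe oyebl.exe
"""


@dataclass(frozen=True)
class Event:
    src: int
    dst: int
    action: str
    src_image: str
    dst_image: str


def parse_events(text: str) -> list[Event]:
    """Parse one record per line; reject anything that is not a known record."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        events.append(Event(int(m["src"]), int(m["dst"]), m["action"],
                            m["src_image"], m["dst_image"]))
    return events


def find_hollowing(events: list[Event]) -> list[dict]:
    """Group records per (source, target) pair and score each pair.

    A pair is rated "likely process hollowing" when the source wrote into
    the target, set the target's thread context, and both run the same
    image name (the loader spawned a copy of itself). Writes without a
    SetThreadContext are rated low, since process creation alone produces
    them.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": set()})
    for ev in events:
        rec = pairs[(ev.src, ev.dst)]
        rec["images"].add((ev.src_image, ev.dst_image))
        if ev.action == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["ctx"] += 1

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        same_image = any(s == d for s, d in rec["images"])
        if rec["writes"] and rec["ctx"] and same_image:
            verdict = "likely process hollowing"
        elif rec["ctx"]:
            verdict = "thread context hijack into a different image"
        else:
            verdict = "remote memory write only"
        findings.append({"src": src, "dst": dst, "writes": rec["writes"],
                         "ctx": rec["ctx"], "same_image": same_image,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(f"{f['src']} -> {f['dst']}: {f['verdict']} "
              f"(writes={f['writes']}, SetThreadContext={f['ctx']})")
```

Run against the constructed records, the 3068 -> 4436 pair comes out as a plain remote write (the first stage only launched the dropped file), while 4436 -> 1152 is rated as likely hollowing. The same grouping applies unchanged to Sysmon-style process-access telemetry once the parser is swapped for that log's format.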
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\lixcyeorwp.el
  Filesize: 296KB
  MD5: b253d8e7b87314619febf5253abb45f8
  SHA1: adfb8fb23845640ac1cd2fd7520beca95724b9f2
  SHA256: cb43adfde012bc9b15cd637e76d42fdc2bea8676daf1c05ad308d2a65179beab
  SHA512: 3f19dbf4c461f8cd841726b899d39e01ad3d01873726e139b6c9771879b66907772d59f8bb63ba72b8c2f479cda4fe94cf0782c73f764e63668ba2d9c9d52478
C:\Users\Admin\AppData\Local\Temp\oyebl.exe (recorded three times, identical hashes)
  Filesize: 100KB
  MD5: 5701d2a664caa35762c2b5410fffb414
  SHA1: 1ab89bbcaca22fabad6262056ce4f9871cba12ac
  SHA256: 9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e
  SHA512: aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4
C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
  Filesize: 5KB
  MD5: 9afd4c9ed4a3fbde0922c5cb00b37ead
  SHA1: 22e96397cf4177df8cd71b85baf8745d39422816
  SHA256: 262be4bfa9e3bb6de52ff002f7c38177e711d58b9c86d0e1dcd8b52410124d52
  SHA512: ef4c6c3bf42aa40f24097214d261aefd28eb888d93c4c0ac2b0f8f2121eb0e0e429fea72cec7cd79c453332715dea932c29baed9dcc40fe0a9d65a9fdc45a67d
Memory dumps (PID 1152 is the process whose thread context was set by PID 4436, so its 0x00400000 image-range dump is the first place to look for the injected payload)
memory/1152-137-0x0000000000000000-mapping.dmp
memory/1152-139-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
memory/1152-140-0x0000000005000000-0x00000000055A4000-memory.dmp
  Filesize: 5.6MB
memory/4436-132-0x0000000000000000-mapping.dmp