Analysis
- max time kernel: 154s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2022 12:48

Static task: static1

Behavioral task: behavioral1
- Sample: bf32f23a87b64a238e5050844edec9b7.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: bf32f23a87b64a238e5050844edec9b7.exe
- Resource: win10v2004-20220812-en
General
- Target: bf32f23a87b64a238e5050844edec9b7.exe
- Size: 321KB
- MD5: bf32f23a87b64a238e5050844edec9b7
- SHA1: c0a83fef7da08a4dc99d510b9d55aad00e4e549e
- SHA256: 783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06
- SHA512: a44efd51335fa4ad2e198fdf58ed5be39d62c01c811ceb12f954908fcb87459e5d9e935dac481e0bfefff4158e89e29d6d3b0519137486d0feaed9bf064a2621
- SSDEEP: 6144:QBn1VOu62SslcNRnuYrfQ6m/E07z5r6ZlASnb0e52:gVJYsGTuQQ6mMUZ4lAQbX52
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (3 IoCs)
  pid   process
  2140  oyebl.exe
  2532  oyebl.exe
  2884  oyebl.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description   ioc                                                                                                                                                        process
  Key opened    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                               oyebl.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                               oyebl.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   oyebl.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ethjtred = "C:\\Users\\Admin\\AppData\\Roaming\\ethjtred\\ethjtred.exe"   oyebl.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  12    api.ipify.org
  13    api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process    target process
  PID 2140 set thread context of 2884  2140  oyebl.exe  oyebl.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2884  oyebl.exe
  2884  oyebl.exe
  2884  oyebl.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   process
  2140  oyebl.exe
  2140  oyebl.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2884  oyebl.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  2884  oyebl.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   process                               target process
  PID 3000 wrote to memory of 2140   3000  bf32f23a87b64a238e5050844edec9b7.exe  oyebl.exe
  PID 3000 wrote to memory of 2140   3000  bf32f23a87b64a238e5050844edec9b7.exe  oyebl.exe
  PID 3000 wrote to memory of 2140   3000  bf32f23a87b64a238e5050844edec9b7.exe  oyebl.exe
  PID 2140 wrote to memory of 2532   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2532   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2532   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2884   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2884   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2884   2140  oyebl.exe                             oyebl.exe
  PID 2140 wrote to memory of 2884   2140  oyebl.exe                             oyebl.exe
- outlook_office_path (1 IoCs)
  description   ioc                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   oyebl.exe
- outlook_win_path (1 IoCs)
  description   ioc                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   oyebl.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bf32f23a87b64a238e5050844edec9b7.exe (PID: 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf32f23a87b64a238e5050844edec9b7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID: 2140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe" C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID: 2532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\oyebl.exe (PID: 2884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\oyebl.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lixcyeorwp.el
  Filesize: 296KB
  MD5: b253d8e7b87314619febf5253abb45f8
  SHA1: adfb8fb23845640ac1cd2fd7520beca95724b9f2
  SHA256: cb43adfde012bc9b15cd637e76d42fdc2bea8676daf1c05ad308d2a65179beab
  SHA512: 3f19dbf4c461f8cd841726b899d39e01ad3d01873726e139b6c9771879b66907772d59f8bb63ba72b8c2f479cda4fe94cf0782c73f764e63668ba2d9c9d52478
- C:\Users\Admin\AppData\Local\Temp\oyebl.exe
  Filesize: 100KB
  MD5: 5701d2a664caa35762c2b5410fffb414
  SHA1: 1ab89bbcaca22fabad6262056ce4f9871cba12ac
  SHA256: 9bf437e7c484009b04ef5bab603a388120854a4a4cfc3db74206b88fc74f7e4e
  SHA512: aa020f7d48ab2e7b3dd0dcb42998f808b55bdf3d3c565cc8de6815d2469b28b5b0cfcea2b17911d6727a9ce9e08619e41b152ef171083f47f6e33a9273b5d0e4
- C:\Users\Admin\AppData\Local\Temp\sgmkaicy.x
  Filesize: 5KB
  MD5: 9afd4c9ed4a3fbde0922c5cb00b37ead
  SHA1: 22e96397cf4177df8cd71b85baf8745d39422816
  SHA256: 262be4bfa9e3bb6de52ff002f7c38177e711d58b9c86d0e1dcd8b52410124d52
  SHA512: ef4c6c3bf42aa40f24097214d261aefd28eb888d93c4c0ac2b0f8f2121eb0e0e429fea72cec7cd79c453332715dea932c29baed9dcc40fe0a9d65a9fdc45a67d
- memory/2140-132-0x0000000000000000-mapping.dmp
- memory/2532-137-0x0000000000000000-mapping.dmp
- memory/2884-139-0x0000000000000000-mapping.dmp
- memory/2884-141-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/2884-142-0x0000000005810000-0x0000000005DB4000-memory.dmp
  Filesize: 5.6MB
- memory/2884-143-0x0000000005300000-0x000000000539C000-memory.dmp
  Filesize: 624KB
- memory/2884-144-0x0000000006200000-0x0000000006266000-memory.dmp
  Filesize: 408KB
- memory/2884-145-0x0000000006B90000-0x0000000006BE0000-memory.dmp
  Filesize: 320KB
- memory/2884-146-0x0000000006D30000-0x0000000006DC2000-memory.dmp
  Filesize: 584KB
- memory/2884-147-0x0000000007060000-0x000000000706A000-memory.dmp
  Filesize: 40KB