Analysis

  • max time kernel
    90s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2022 09:21

General

  • Target

    nhhhhnn.exe

  • Size

    611KB

  • MD5

    75e55b619b34973c98df9425fcda82a7

  • SHA1

    c56718c5d03aa9d7bd3ce9f46afbf7efb4c421db

  • SHA256

    d584f5c481acd2b638b4196021c6326b590c2b64aa0a8b3953e69ad232d651fe

  • SHA512

    fac6cc1acb9d7a0b783cb0be2e6855e0bffdc62cec9e9e0756e5e51ff7b77f6a6bb66dca42c63d6ae055f893c54c514d28f50d23a40a631a185060a36c50acb6

  • SSDEEP

    12288:vc7FkSAEj5yn7i2IY9UG5JGsRw5kfCqqcrhIREsXx8mFmH:v91Ejyi1Y9/5JGsC5k6LIpsB8lH

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers will often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\nhhhhnn.exe
    "C:\Users\Admin\AppData\Local\Temp\nhhhhnn.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\atskme.exe
      "C:\Users\Admin\AppData\Local\Temp\atskme.exe" "C:\Users\Admin\AppData\Local\Temp\gbtnllb.au3"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\atskme.exe
        "C:\Users\Admin\AppData\Local\Temp\atskme.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:5020

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\atskme.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\ehteadmu.ia

    Filesize

    64KB

    MD5

    6db4c0fc61def99eaed28f769f0ce1b3

    SHA1

    92af4f7dc2c0563f27c239f52007483dd122060d

    SHA256

    322ccbfb364a2496de585b6b0ca0d699736e55ad83244a01c0f625ab73bc7f4f

    SHA512

    bc09f1f92219f81572e469f3001b804438933a253f28b8409ff675a06aeb09a8883149c0d9a456910eceb2a8e372e36b58c429d309aa09741f52d5f79687dc9e

  • C:\Users\Admin\AppData\Local\Temp\gbtnllb.au3

    Filesize

    6KB

    MD5

    1d9ac95cf8856d639dad940e24dc9b7b

    SHA1

    66f15e7002310e81570d43eb32b1bb3a0eda93bc

    SHA256

    507fafc4e1709e13a0f9cab8cd490fbc56a28bb65570ffeae6eb6ce8a575852f

    SHA512

    1680da6168380e77a5066a44f47929bbed8ac23314db85499c9136c94c6ef64869a87d7b948d4c0f859bebce39b1eeb1da494d344ad1f462fe4513b20a0ff140

  • C:\Users\Admin\AppData\Local\Temp\ssfaozp.ova

    Filesize

    236KB

    MD5

    d58951f7048adc79392195b909b4387c

    SHA1

    85398d546ff5b389849d87b9123fc63531f99cfa

    SHA256

    9d095c1562fd08d3491f7ea0671d17e0e542212125d79235f989df204d556202

    SHA512

    e78784db5c263f8a77ef952b499bb176e38c77ec9afa32079c8dfb8503e1637b2a8deb16633a9ed488258184284dc7c10cb7786f5bf45c5c304da63d645876b3

  • memory/2796-132-0x0000000000000000-mapping.dmp

  • memory/5020-137-0x0000000000000000-mapping.dmp

  • memory/5020-139-0x0000000006470000-0x0000000006A14000-memory.dmp

    Filesize

    5.6MB

  • memory/5020-140-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/5020-141-0x0000000005EC0000-0x0000000005F5C000-memory.dmp

    Filesize

    624KB

  • memory/5020-142-0x00000000076C0000-0x0000000007726000-memory.dmp

    Filesize

    408KB

  • memory/5020-143-0x0000000007D10000-0x0000000007DA2000-memory.dmp

    Filesize

    584KB

  • memory/5020-144-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

    Filesize

    40KB